Two-Step Verification is great and flawed. Google Authenticator is the best example of this

April 29, 2023
Years ago, using SMS as a two-step (2FA, Two-Factor Authentication) authentication system seemed ideal. Comfortable, easy to use and absolutely convenient. And then came the security problems: it was possible to hack the system, which increased the need to resort to other alternatives.

This is how authentication applications started to attract attention. Google Authenticator, Microsoft Authenticator and Authy are among the best known, and they are certainly a more secure and reliable alternative to SMS. Yet they are not perfect, as Google Authenticator shows.

Authenticator backups are finally coming

Why? Because this week Google announced something interesting: the Google Authenticator app has received two updates. First, the logo has changed; it is much more colorful and its design now matches Google's other applications and services.

Second, and much more importantly, Google has finally made it possible to back up our one-time codes (also known as one-time passwords, or OTPs) to our Google account.

Although it may seem like a small change, it was actually something that was highly requested by users. Google itself acknowledged this in its official statement:

One of the main pieces of feedback we have received from users over the years has concerned the complexity of lost or stolen devices with Google Authenticator installed. Because Authenticator one-time codes are stored on only one device, loss of that device meant users lost their ability to sign in to any service they had set up 2FA with Authenticator.

Exactly. Anyone who has used Authenticator on their device and then lost (or broken) their phone knows the nightmare it entails. If you didn’t save the QR code generated during export (and you had to be very proactive to do so), you were lost. There was another option: transfer the codes to an old phone and keep it in case the worst happened later. A real calamity, as those who have suffered it can attest.

This option finally solves the problem. Google explains how to enable it on its updated support page: just sign in to your Google account in Google Authenticator.

By doing so, the codes sync with your account and can be restored on any device you use with that Google account. Google even adds that “you can manually transfer your codes to another device even if you’re not signed in to a Google account.” If you take advantage of this option, you should do it correctly, as described by 9to5Google:

“If Google Authenticator is installed on more than one device, be careful when updating to the new version and turning on sync. During syncing, Google will not recognize the same codes or combine them automatically. As a result, you may encounter many duplicates.

To avoid this, first set up sync on your primary device, then uninstall all other instances of the Google Authenticator app. That way, when you reinstall the updated app on your secondary devices, it will only sync from your primary device and not show duplicates.”

But all is not rosy in Google Authenticator

The change was certainly welcomed, and it is remarkable that it took Google a whole 13 years to add it (Authenticator rolled out in 2010) while alternatives like Authy have had it for some time. Authy also has another interesting advantage: a setting to allow or block the use of multiple devices with a single account, which adds extra security.

We don’t know whether Google will eventually add that feature, but there is something else that cybersecurity experts quickly noticed is missing: Authenticator data synchronization is done in plain text, without encryption, as the security researchers at Mysk, among others, pointed out.

This raises a security issue that, fortunately, Google is aware of. Christiaan Brand, one of those responsible for the service, commented on Twitter that they are working on end-to-end encryption (E2EE).

Still, Brand added that implementing E2EE “comes at the expense of users being prevented from accessing their own data, without recovery.” This encryption has no estimated arrival date, which leaves users with two options: use sync as it is, without end-to-end encryption, or keep using Google Authenticator as before, without signing in to a Google account in the app.

In my opinion, the first is the better choice, because this solution finally removes one of Google Authenticator’s big limitations. Alternatives like Microsoft Authenticator or Authy are certainly worth considering, but we have already discussed an even better option: security keys like YubiKey, physical devices that make it even harder for attackers to gain access to our systems and data.

This will of course be less convenient for users, but until the passwordless future that technologies like passkeys promise us arrives, we will continue to live with these small and large inconveniences of our digital daily life.

On Xataka | Google Mandatory Two-Factor Authentication (2FA) is a Great Idea: Why Should Others Do the Same?

Source: Xataka
