A Genie Granted My Wish... Why I'm Uninstalling Google Authenticator
Apr 25, 2023
First order of business...
🐧🐧🐧🐧🐧 HAPPY WORLD PENGUIN DAY! 🐧🐧🐧🐧🐧
Back to the subject at hand
Okay... so almost exactly 7 months ago, I wrote a blog post titled "Google Authenticator Made Me Upset Enough to Make My Own" where I complained about how difficult it was to back-up TOTP 2-factor auth secrets stored on Google Authenticator. The link to that post can be found below.
Google Authenticator Made Me Upset Enough to Make My Own
A Genie granted my wish
There is a cliche with genies where they will grant wishes, but in a "Careful what you wish for, bucko" sort of way. For example, if there has been a drought in an area, one might wish for rain, but a genie may grant that wish by making it rain there nonstop for months on end, destroying the land and turning it into a lake. My wish was for Google Authenticator to make it easier to back-up TOTP secrets, and like a genie, Google granted my wish.
How did Google grant my wish? Well, a new update has come out for Google Authenticator with a few changes. First of, the app icon has changed to be a Google colored asterisk (a Google design trend I hate, because it's hard to differentiate between all of the Google apps, but I digress...) and Google will now sync the secrets to generate OTP 2-factor authentication codes to their servers using your Google account... Before this, the secrets to make the 2-factor codes work would only be stored on the user's device
A Google security blog post was written about this new Google Authenticator update, which is linked below.
Google Online Security Blog: Google Authenticator now supports Google Account synchronization
In the blog post is the following quote:
With this update we're rolling out a solution to this problem, making one time codes more durable by storing them safely in users' Google Account.
To try the new Authenticator with Google Account synchronization, simply update the app and follow the prompts.
It's understandable what they're trying to do for the average user. If my phone fell into a lake or river without the TOTP secrets backed up, I would be screwed when trying to log into the services that rely on those TOTP codes. It's not hard to get locked out of your accounts when you set up 2-factor authentication. With that said, I uninstalled Google Authenticator today because of the update.
When I opened the Google Authenticator app, a setup wizard of some sort popped up mentioning that I could sync my 2FA to my Google account. I have not bothered to risk checking if I could prevent Google from syncing the secrets to my account. I am not going to risk pressing something incorrectly and having Google sync the secrets, assuming there is even something I can press to tell Google to not sync the secrets...
I don't trust Google or other companies storing my cryptographic private keys or other security keys on a device/server other than one I control. I don't trust them for many of the same reasons I don't trust "key escrow". There's no way I would hand Google my desktop or server's SSH private keys, PGP private key, or the keys to decrypt my harddrives. Because of that, I will not trust storing the secrets to generate TOTP codes on Google's servers.
It's bad enough that Gmail is the single point of failure (hacking pivot point) for a HUGE chunk of people. If the Gmail account gets hacked, password reset emails can be sent to the Gmail email address to break into other accounts. 2FA helps mitigate that, but if they are being stored using the same username and password as the Gmail account, then we are back to a Google account being a single point of failure and hacking pivot point again.
It was nice of Google to create and provide a 2FA authentication app, even if it was an absolute pain to back-up codes without requiring a second smartphone. With that said, it was nice knowing you while I did, Google Authenticator. It's a shame you changed. Welp, that's one less app for my phone to deal with at least. I'm glad I wrote a TOTP code generator 7 months ago.