Backing Up Google Authenticator 2FA Codes? Use This Instead!
Google recently announced that their 2FA authenticator app, called Google Authenticator, will now give you the option to back up your one-time codes to the cloud. But recent news has made me recommend NOT using this new feature, since Google could potentially see the secret codes when they get uploaded.
If you’ve paused at this point and are asking “wait, what is 2FA?!” you’re in luck! I’ve got a playlist on my channel just about 2 factor authentication and how it’s used, what the different protocols are, and how to choose the best 2FA option for you and your lifestyle.
Since passkeys and passwordless logins are still not widely used, we have to rely on using usernames and passwords, plus 2FA codes or hardware keys to log into most of our accounts. So why would you choose a less secure option for logging in if a more secure option is available?
My all-time favorite, which I’ve recommended for many years, has been the YubiKey. These hardware keys made by Yubico are reliable, can be used for multiple accounts (you don’t need to buy one for each and every account you have online), and they’re a one-time cost. I’m partnering with Yubico on this video to share some alternatives to cloud 2FA backups with Google Authenticator. I love their keys and highly recommend them. I’ve bought many of them through the years and love what their company does for consumer security. I have a coupon code you can use for $5 off a key: use the code SHANNONMORSE during checkout. So I’m glad to work with Yubico, since it’s a brand that I’ve been a fan of for such a long time. Huge thanks to Yubico for continuing to sponsor my channel and for being an advocate for reasonable and convenient security.
Google’s authenticator app has been around for a long time, since 2010 (!), but the problem with a 2FA app is… if you rely on it for your codes, and maybe your phone gets damaged, stolen, or lost… what do you do? If you can’t open the app (and maybe you don’t have any backup codes on you), how do you get into an online account that requires said code? Google finally answered this problem by adding cloud backups of your OTPs or your one time codes.
This means you can now enable a feature within Google Authenticator that stores all your codes in your Google Account. You can then access your codes on any device where you are signed into that same Google Account.
This sounds awesome, but as soon as this feature was announced, researchers figured out that the data wasn’t being end-to-end encrypted while it was uploaded to Google’s servers, and that means Google or anyone else with access could “see” the backup codes.
Google responded and said they will add end-to-end encryption in a future version of Google Authenticator, but at the time of recording, that’s not available yet.
So I’m going to recommend some reliable and reasonable alternatives that you can use instead of Google Authenticator. Since those cloud backups aren’t E2EE, you should be relying on a more secure option for 2FA if you need to depend on backups.
Now, a side note: there are going to be plenty of folks for whom Google Authenticator will work perfectly. Maybe you don’t want to send 2FA codes to a cloud backup because you never lose your phone and you have all of your account recovery codes printed out and safely stored somewhere. Maybe you rarely upgrade your phone, so you almost never have to go through the process of setting up Google Authenticator on a new phone. You have to make sure you have some alternate way to log in if you use a 2FA app, because if your phone gets damaged, lost or stolen, you’ll get locked out of your accounts without having a backup. That’s because 2FA apps generate those codes on your local device; they aren’t sent from anywhere like they are if you just use text messages for 2FA codes.
If that works for your lifestyle, and you’ve prepared yourself with an alternate way to log in, that’s really good security. But we also need to go into this with the understanding that everyone has different levels of security needs, so if you switch your phone a lot, you may need cloud backups. If you have accounts that are targeted in attacks or want something that’s less likely to be lost or stolen, then maybe a hardware key will serve you better. Threat modeling is so important, so we can’t tell people security has to be this one absolutist way, and that’s why I’ve taken a really pragmatic approach to my recommendations.
So I have two alternatives for you. I’m not going to recommend switching to SMS or text messages for 2FA, since those codes are sent over the air to your phone; that means they could be intercepted, or someone could clone your phone number and receive those codes on their own phone. Using an app is better, but you have to make sure you protect your 2FA authenticator app account, protect those codes, and never share them. You also have to be very careful about what sites you type those codes into, because criminals can make realistic-looking login pages and steal your username, password, and 2FA code while you’re typing them into a fake site, which they could then copy and paste into the real site to log into your accounts. This attack is known as spoofing.
The first thing you should do is check your online accounts to see what 2FA options they make available. Some only allow SMS-texted codes (which is still better than nothing), others will let you get codes via an app, and others will let you use a hardware key. Picking the best options (I say options because you can totally use more than one of these) will depend on your own accounts and lifestyle. The site https://2fa.directory/us/ is a great reference point and can also help you figure out what kind of security you should use.
The best recommendation I make is using a YubiKey. If a site you use has the option to use 2FA hardware keys, then use this option. First, a flashdrive-lookin’ thing isn’t going to be as likely to be lost or stolen, especially if you leave it at home, in a safe, or on your keychain with your house keys. Many sites allow you to set up more than one YubiKey, so you can have a backup one stored somewhere safe just in case your primary key does get damaged or lost. They protect you better from that spoofing attack, too, since YubiKeys use several different protocols or methods to verify your login. If a site implements them with the protocol called FIDO2, then you never see a code, and an attacker wouldn’t be able to steal a code, because the code doesn’t exist. The YubiKey creates a special secret “handshake” with the website you set it up on, so both the website and the YubiKey agree to let you in when you use it. If the attacker tries to point you at a spoofing site and you plug in a YubiKey, the YubiKey is gonna prompt you and say “hey, this site doesn’t match what I was expecting so I can’t work”. Since the YubiKey didn’t receive the right signal from the fake site, the attacker hits a brick wall and won’t be able to log into the site.
They would literally need your username, your password, and your physical key to get into said site, and this is what makes it so secure: while nothing is perfect in this world, it’s a lot less likely that someone who steals a little YubiKey would also have your username and password on hand, and it’s also less likely that someone would have access to a YubiKey plus those two credentials long enough to make use of it before you’d notice it missing. And if you do lose your key, it’s real easy to log into websites and revoke the missing key, especially if you took my advice and have a secondary key stored safely somewhere that could then be used as your primary key.
But maybe a site you use doesn’t accept hardware keys. Like banks. And maybe you don’t want to depend on an app that doesn’t back up your codes to the cloud. There are several apps that do offer cloud backups securely or offer multi-device code generation. The one I recommend to most folks is Authy, because it is free and available on iPhones and Android. It’s convenient. Even though Twilio, Authy’s parent company, had a security breach back in 2022, they’re still my recommendation because you can take some precautions even with your codes backed up. For example, you can lock the app with a PIN code, so if someone unlocks your phone, they’d still need a separate code or your fingerprint to unlock the app itself. If you’ve linked your Authy account on multiple phones, you can go into your settings and revoke any phones that shouldn’t have access anymore. And if you do set up the Authy app to give you codes on multiple devices (like maybe you have a work phone and a personal phone), then you can keep those two devices set up but disable a setting called “allow multi device”, which means no new devices can be added to your account until you manually turn that setting back on (like when you upgrade to a new phone).
So you do have options. I often see people ask me, “Why should I get a hardware key if I can just use Authy?” And I have a few reasons. If you don’t already have a second phone: it’s cheaper to buy two YubiKeys than it is to buy an extra phone to keep stored as a backup, especially since smartphone batteries die, and if you ever resold that phone, you’d need to remember to erase it and revoke that device on all your online accounts.
And properly implemented hardware key compatibility on websites means it can prevent phishing of those codes since no 6 digit code gets typed in.
So should you use the Google Authenticator app? Sure! I’ve used it! It’s a great app for 2FA codes. But don’t use the cloud backup option at this time, since it’s not end to end encrypted. Keep those codes secret, keep them safe, and better yet, upgrade to either an app that uses E2EE, or even better upgrade to a 2FA option that doesn’t even require codes.
Luckily we do have options to make 2FA convenient and easy for everyone so when we do find out about these security vulnerabilities, we can adjust our lifestyles to better protect ourselves.
If you have questions about 2FA or need a deeper discussion on it, I have this playlist ready for you. Or check out this video that YouTube thinks you’ll enjoy. Bye, y’all!