It would seem that the "secrets roach motel" model was the most secure and sane option for Authenticator. In that way, it mimics the Yubikey or other hardware TOTP keys, where the secrets go in but they can't come out.
Everyone with a Yubikey knows that the secrets aren't coming out and they will need a backup. It would be foolhardy to rely on a Yubikey alone, when the risk model obviously entails loss or theft of the device itself. That's what paper codes are for.
It would seem that the QR export, and now this account sync, is Google weakening security as a concession to intense end-user pressure.
Yeah, it sucks to lose all your TOTP secrets at once; that's why you form a contingency plan and stow your paper backup or maintain a spare device.
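A minimal illustration of the write-only model described above, added here as an example (not code from this thread or from Google Authenticator): a vault that accepts TOTP secrets and yields only codes (RFC 6238, SHA-1, 30-second step), verifies submitted codes in constant time, refuses export, and hands out paper recovery codes as the backup path. The vault class and its method names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


class TotpVault:
    """Write-only TOTP secret store: secrets go in, only codes come out."""

    def __init__(self):
        self._secrets = {}  # account -> raw key bytes; no accessor returns this

    def enroll(self, account, base32_secret):
        # Pad to a multiple of 8 so unpadded secrets from QR codes decode cleanly.
        padded = base32_secret.upper() + "=" * (-len(base32_secret) % 8)
        self._secrets[account] = base64.b32decode(padded)

    def code(self, account, at=None, step=30, digits=6):
        # RFC 6238: HOTP over the time counter, dynamically truncated.
        key = self._secrets[account]
        counter = int(time.time() if at is None else at) // step
        digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
        offset = digest[-1] & 0x0F
        value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
        return str(value % 10 ** digits).zfill(digits)

    def verify(self, account, submitted, at=None, step=30, window=1):
        # Accept +/- `window` steps of clock drift; compare in constant time.
        now = int(time.time() if at is None else at)
        return any(
            hmac.compare_digest(self.code(account, now + k * step, step), submitted)
            for k in range(-window, window + 1)
        )

    def export(self):
        # The roach motel: there is no path that returns a stored secret.
        raise PermissionError("secrets are not exportable; keep recovery codes instead")


def make_recovery_codes(n=8):
    """Single-use paper codes: the backup when the device is lost or stolen."""
    return [f"{secrets.token_hex(4)}-{secrets.token_hex(4)}" for _ in range(n)]
```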
You are of course completely correct, but this is a "letting perfect be the enemy of good" situation. I lost my phone overseas (my backup code was at home), and losing access to everything was so annoying I turned 2FA off on my Google account for years.
Yes. When TOTP debuted, it was aimed at and designed by security engineers. Keeping secrets on-device was and is correct for serious uses.
Google Authenticator is a victim of its own popularity. Fortunately, the field moved on, and we now have WebAuthn and Passkeys for non-exportable private authentication keys.
Sadly, WebAuthn is also becoming a victim in the same way (at least on iOS).
The expectation is that WebAuthn private keys are stored in the secure enclave, which would be a comparable security guarantee to YubiKeys and other hardware devices.
"Passkeys" are now forcibly synced via iCloud; you can't use WebAuthn on iOS without enabling iCloud Keychain.
Huh, thanks, I wrongly assumed that Passkeys inherited WebAuthn’s attestations for hardware-backed keys. I guess organizations will need to ban Passkeys internally.