Google Authenticator Updated: Slower, Mandatory Click to Reveal
The Google Authenticator app got updated today. As a frequent user with lots of accounts I've noticed that the app is now significantly slower: It takes several seconds to start the application and to generate the next iteration of pins. The "click to reveal pin" is just jarring to use and doesn't add any additional security in my opinion. Wondering if anybody else on HN shares this frustration.
27 comments
[ 27.1 ms ] story [ 1283 ms ] threadThe minimalistic and fast interface was why I liked Google authenticator in the first place. Feels like it's moving in the wrong direction just to service someone's promotion checklist.
If anyone at Google can connect with the person/team responsible, please tell them it was perfect the way it was and to just roll it back!
It sounds like it has been rewritten in flutter. The same thing happened to the Google Pay app.
It's already:
Type in password expecting a smooth login > Process that the new empty text box means you have to check your MFA source > Realise you have to find your phone > Find the authenticator app > Look through the (mine is long) list of registered accounts > If there are duplicates (e.g. AWS Account X, AWS Account Y) then select the right one > See if the timer is nearly 0 and if you'd like to risk using the code displayed > Enter code
I think it's pretty valuable - you automatically get the benefit of your pw manager recognizing the domain and only logging you in/copying the code if the domain matches what's in the password manager.
It most definitely defeats the purpose. Whether it's worth doing depends on how much you value your time and how secure you think the rest of your setup is (ie. if it's super secure the marginal security might not be worth the additional time).
Why?
If your password manager password is compromised, you're pretty screwed no matter how you slice it. For most people that use a password manager, I would guess that exposing their main password is an unlikely scenario. Loss/theft of a phone seems much more likely, and in that scenario, you're exactly as screwed as you would be if you had all of your 2fa codes in your password manager.
While it is absolutely a debatable security practice, don't forget modern password managers (1Password, Bitwarden, KeePassXC, maybe others) support TOTP natively
You can export all of your tokens off with a couple clicks.
I like the fact that my passwords are in KeePass and my tokens are in an entirely different app (Google Authenticator).
It's a shame that it does not support them.
Aegis Auth - https://play.google.com/store/apps/details?id=com.beemdevelo...
andOTP - https://play.google.com/store/apps/details?id=org.shadowice....
For a while, Google Authenticator was abandonware (despite them still recommending it for 2FA!), and didn't have any options for backup/restore. They have always been the worst 2FA app in terms of features and bugs, not surprised that they're getting even worse with time.