Google Authenticator Updated: Slower, Mandatory Click to Reveal

30 points by jcfrei ↗ HN
The Google Authenticator app got updated today. As a frequent user with lots of accounts I've noticed that the app is now significantly slower: It takes several seconds to start the application and to generate the next iteration of pins. The "click to reveal pin" is just jarring to use and doesn't add any additional security in my opinion. Wondering if anybody else on HN shares this frustration.

27 comments

[ 27.1 ms ] story [ 1283 ms ] thread
Wow, yeah it's much worse. It feels noticably sluggish and that's really frustrating. Like watching your favorite desktop app get turned into an Electron monstrosity.

The minimalistic and fast interface was why I liked Google authenticator in the first place. Feels like it's moving in the wrong direction just to service someone's promotion checklist.

If anyone at Google can connect with the person/team responsible, please tell them it was perfect the way it was and to just roll it back!

For me it was always missing icons and a filter/search on top.
> feels noticably sluggish and that's really frustrating. Like watching your favorite desktop app get turned into an Electron monstrosity.

It sounds like it has been rewritten in flutter. The same thing happened to the Google Pay app.

Basically, another functional Google product made worse by Google's ridiculous promotions process.
Why increase the cognitive workload to login with MFA?

It's already:

Type in password expecting a smooth login > Process that the new empty text box means you have to check your MFA source > Realise you have to find your phone > Find the authenticator app > Look through the (mine is long) list of registered accounts > If there are duplicates (e.g. AWS Account X, AWS Account Y) then select the right one > See if the timer is nearly 0 and if you'd like to risk using the code displayed > Enter code

I haven't migrated my 2fa to it yet, but bitwarden seems to have 2FA baked in so it can be automated. I can't tell if that's worth doing or if it defeats the purpose
It's fantastic. After you fill your password, the 2FA code is automatically copied to your clipboard. Logging into a two factor form for me is basically Cmd + Shift + L (fill login), enter, Cmd + V (paste 2fa code), enter.

I think it's pretty valuable - you automatically get the benefit of your pw manager recognizing the domain and only logging you in/copying the code if the domain matches what's in the password manager.

>bitwarden seems to have 2FA baked in so it can be automated. I can't tell if that's worth doing or if it defeats the purpose

It most definitely defeats the purpose. Whether it's worth doing depends on how much you value your time and how secure you think the rest of your setup is (ie. if it's super secure the marginal security might not be worth the additional time).

> It most definitely defeats the purpose.

Why?

If your password manager password is compromised, you're pretty screwed no matter how you slice it. For most people that use a password manager, I would guess that exposing their main password is an unlikely scenario. Loss/theft of a phone seems much more likely, and in that scenario, you're exactly as screwed as you would be if you had all of your 2fa codes in your password manager.

Only if compromised. I prefer storing my sensitive data there, and also protect it with 2FA to make sure my extra long and unique passphrase is not the weakest link.
Authy is a great alternative. It also requires tapping each label to see the code but it's pretty fast and responsive.
I disagree. Authy binds your 2FA to sms, which is well documented to be the worse than no 2fa at all.
Good, maybe it'll finally drive people off of it over to one which survives your phone going into the proverbial drink

While it is absolutely a debatable security practice, don't forget modern password managers (1Password, Bitwarden, KeePassXC, maybe others) support TOTP natively

You know for some thats a feature right?

You can export all of your tokens off with a couple clicks.

I like the fact that my passwords are in KeePass and my tokens are in an entirely different app (Google Authenticator).

So do I, which is why I use Authy.
The problem is that you need a camera on another device to export it, they explicitly disable screenshots while the export QR code is up which I need to use in order to copy it over to my keepass.
Open source alternatives like Aegis let you export an encrypted backup and import it on any other phone.
I don't see the update yet. Haven't it provided ways to add a more advanced OPT yet? E.g. more digits, different hashing algorithm, different interval, ...?

It's a shame that it does not support them.

I can't stand how Google recommends this, as a dark pattern that their TOTP app is special and that users have to use it for 2FA for Google. There are so many better TOTP apps out there (like Authy or Aegis).

For a while, Google Authenticator was abandonware (despite them still recommending it for 2FA!), and didn't have any options for backup/restore. They have always been the worst 2FA app in terms of features and bugs, not surprised that they're getting even worse with time.

OTP Auth is a good iOS alternative.
Thanks, just marked it to stop automatic updates!
Oh...sad i didn't saw this early. Already updated here and this reveal "feature" is the worst usability experience they could push to an app like that. I use this daily to login to multiple services and will migrate to something more like the old version asap.
Really annoying, I don't understand why someone would think it increases security. Now I have to make another click every time I need to use 2FA. Time for a new app.
Totally agree on the click to reveal pin feature. But mine came up right away.