by calvin on 9/4/13, 5:33 AM with 168 comments
DO NOT UPGRADE Google Authenticator or you'll have a really bad day.
People on Twitter are starting to complain: https://twitter.com/search?q=google%20authenticator&src=typd
by gmac on 9/4/13, 8:25 AM
"If you are an AWS customer who uses Google Authenticator for iOS as a multi-factor authentication device to secure your AWS account via AWS MFA (http://aws.amazon.com/mfa/), please read on. We are writing to inform you that Google has recently released an update to the Google Authenticator App in the iOS Store. We've received reports indicating this update is inadvertently deleting all MFA tokens from the smartphone; this could prevent you from authenticating to your AWS account.
At this point, it is our recommendation that you do not update your Google Authenticator App if you're using an iOS Device. If you have already updated your Google Authenticator app and are no longer able to login successfully you can request assistance from our AWS Customer Service team at:
https://portal.aws.amazon.com/gp/aws/html-forms-controller/c...
We have posted this as an announcement to our AWS Developer Forums at https://forums.aws.amazon.com/ann.jspa?annID=2091 and will be posting updates if new information becomes available."
by guiambros on 9/4/13, 6:16 AM
Thankfully, backing up is entirely optional, and turned off by default. While they claim backups are encrypted with PBKDF2 [3], I still would never ever use something that sends my tokens to a remote server, as it'd defeat the purpose of 2FA in the first place.
Still, I can see the use for casual users that care enough to have 2FA, but not that much to worry about tokens being stolen and decrypted from Authy.
Past discussions on HN here [2], [3], [4].
[1] https://www.authy.com/thefuture
[2] https://news.ycombinator.com/item?id=6133648
[3] https://news.ycombinator.com/item?id=4916983
[4] https://news.ycombinator.com/item?id=4330050
by cheald on 9/4/13, 2:56 PM
I keep backup codes for each of my 2FA services in a Truecrypt container, which is mirrored on Dropbox. Additionally, I keep a copy printed out and kept in a fire safe. Phone backups for personal accounts have my wife's phone on record, and I try to keep printed copies of the QR codes I used to set up the account.
About a year ago, my phone was shattered while on the road, and while I was able to regain access to those accounts due to existing login sessions on my home computer, I'd have been sunk without them. Make sure you have a plan for what you do if your phone authenticator becomes unavailable.
by nl on 9/4/13, 1:21 PM
If there is one team you'd expect not to lose a signing key I would have thought it would be that one!
Everyone makes mistakes, but it's pretty scary to hear this happening too.
[1] http://www.androidpolice.com/2012/03/22/psa-googles-authenti...
by orand on 9/4/13, 6:00 AM
Google Auth 2.0 redefines two-factor auth: something you know + something you DON'T have. Their entire purpose in life is this second part and they completely and absolutely botched it. I can't believe this passed testing at both Google and Apple. There wasn't even a warning in the release notes.
by clarkm on 9/4/13, 5:57 AM
by mahyarm on 9/4/13, 6:17 AM
otpauth://totp/KeyNameHere?secret=SECRETKEYSTRINGHERE
You can save it in some passworded zip archive somewhere or print it out. If you print them I suggest printing them with QR codes to aid in recovery speed. You can easily generate QR codes by putting the text URLs into a QR code generator. If you just have a QR code, use a general QR code scanning app to extract the string.
Also the new google authenticator version has a 100% repro crash bug when you scan two QR codes in a row on iOS 7 phones.
by imkevinxu on 9/4/13, 7:33 AM
1) Go to this page https://accounts.google.com/b/0/SmsAuthSettings
2) Click "Move to a different phone"
3) Re-setup your Google Authenticator
Note: the 10 printed one-time access codes and all the application-specific passwords will still work after this "reset". But you still need to reset your other accounts that use the Google Authenticator
by bdcravens on 9/4/13, 7:39 AM
I suspect that Google may have an update that restores accounts. I know when I've restored my phone, losing all apps, when I reinstalled an app months later, the settings were still there. Obviously the settings are stored in a file somewhere, so my hope is that this is how Authenticator works, and this buggy release just failed to properly open that file. Of course, not everyone can wait and has to reset like I did.
by noveltyaccount on 9/4/13, 6:10 AM
by chime on 9/4/13, 6:03 AM
by veidr on 9/4/13, 6:20 AM
I use two factor auth but not this app, so I am not sure why people are going to have such a bad day...
by bound008 on 9/4/13, 6:15 AM
by devx on 9/4/13, 6:51 AM
by ibejoeb on 9/4/13, 7:05 AM
Play Store -> Search "Authenticator" -> Select "Google Authenticator" -> Press "Menu" -> Deselect "Auto-update"
by acheron on 9/4/13, 10:24 AM
I was still signed into Google so that was easy enough to generate a new key, but I believe I'm going to have to use my backup number to get into Dropbox.
by robin_reala on 9/4/13, 10:04 AM
by markwakeford on 9/4/13, 5:45 AM
by DigitalSea on 9/4/13, 11:09 AM
by castis on 9/4/13, 6:12 AM
by calvin on 9/4/13, 5:57 AM
by drewschrauf on 9/4/13, 6:29 AM
by michaelrbock on 9/4/13, 5:45 AM
by gfodor on 9/4/13, 10:47 AM
by thrownawaaay on 9/4/13, 6:37 AM
by dknecht on 9/4/13, 5:58 AM
by MiguelHudnandez on 9/4/13, 4:45 PM
I am considering wiping my phone and restoring it from a previous backup with the old copy of the app.
Edit: I was still logged in from my browser, and was able to activate the new version without entering a code from the deceased version of the app.
From this, it seems theft of your cookies could let an attacker completely take over your account and two-factor device if they know your account password and you have chosen to trust the victim computer.
by PLejeck on 9/4/13, 6:05 AM
by web007 on 9/4/13, 9:15 AM
ProTip: rename your auth entry to something like "Gmail foo@example" to avoid this problem, whether malicious or accidental.
by gbraad on 9/4/13, 5:45 PM
by bruceboughton on 9/4/13, 6:07 AM
by hrjet on 9/4/13, 12:07 PM
I guess Google support might get too many reset requests to show due diligence in verifying authenticity of the requests.
by darklajid on 9/4/13, 7:13 AM
On Android that's possible (if you have root....) by accessing the key database (sqlite in that case). I did that to duplicate the keys from my handset to my tablet.
by tjbiddle on 9/4/13, 6:22 AM
by bluesmoon on 9/4/13, 6:23 AM
by markstanislav on 9/4/13, 2:10 PM
by PLejeck on 9/4/13, 5:54 AM
Edit: oddly iOS 7 hasn't autoinstalled this yet.
by tlrobinson on 9/4/13, 7:29 AM
by Achshar on 9/4/13, 12:41 PM
by 0x0 on 9/4/13, 7:49 AM
by pshc on 9/4/13, 6:00 AM
by div on 9/4/13, 10:27 AM
by nick_urban on 9/5/13, 3:26 PM
by arange on 9/4/13, 8:55 AM
by olive_ on 9/4/13, 11:17 AM
by mcleod on 9/4/13, 5:08 PM
by cominatchu on 9/4/13, 5:01 PM
by jbrooksuk on 9/4/13, 8:47 AM
by andreif on 9/4/13, 9:21 AM
by victorlin on 9/4/13, 8:14 AM
by namaserajesh on 9/4/13, 10:29 AM
by icecreampain on 9/4/13, 6:56 AM
At my last place of work I built an SMS system to be used as the second factor in the intranet login. I _could_ have used a 3rd party 2FA, but the most _logical_ reason to have our own system was ... well.. we didn't want to rely on anyone except ourselves.
Didn't take me long and the most difficult part was finding enough USB-connected phones to be used as SMS senders.
Guess what? The system still works today, while Google is broken.
by corresation on 9/4/13, 12:53 PM