from Hacker News

Warning: Google Authenticator upgrade loses all accounts

by calvin on 9/4/13, 5:33 AM with 168 comments

I upgraded Google Authenticator to the latest version this evening on my iPhone. It lost all my accounts.

DO NOT UPGRADE Google Authenticator or you'll have a really bad day.

People on Twitter are starting to complain: https://twitter.com/search?q=google%20authenticator&src=typd

  • by gmac on 9/4/13, 8:25 AM

    Too late for me, but a pleasingly fast and pro-active response from AWS (which rather shows Google up) just received by email:

    "If you are an AWS customer who uses Google Authenticator for iOS as a multi-factor authentication device to secure your AWS account via AWS MFA (http://aws.amazon.com/mfa/), please read on. We are writing to inform you that Google has recently released an update to the Google Authenticator App in the iOS Store. We've received reports indicating this update is inadvertently deleting all MFA tokens from the smartphone; this could prevent you from authenticating to your AWS account.

    At this point, it is our recommendation that you do not update your Google Authenticator App if you're using an iOS Device. If you have already updated your Google Authenticator app and are no longer able to login successfully you can request assistance from our AWS Customer Service team at:

    https://portal.aws.amazon.com/gp/aws/html-forms-controller/c...

    We have posted this as an announcement to our AWS Developer Forums at https://forums.aws.amazon.com/ann.jspa?annID=2091 and will be posting updates if new information becomes available."

  • by guiambros on 9/4/13, 6:16 AM

    Authy (YC W12, [1]) is a nice replacement for the GA app. Besides being more stable, it has also the "benefit" of allowing you to back up your keys, and recover in the case of a lost phone or deleted app.

    Thankfully, backing up is entirely optional, and turned off by default. While they claim backups are encrypted with PBKDF2 [3], I still would never ever use something that sends my tokens to a remote server, as it'd defeat the purpose of 2FA in the first place.

    Still, I can see the use for casual users that care enough to have 2FA, but not that much to worry about tokens being stolen and decrypted from Authy.

    Past discussions on HN here [2], [3], [4].

    [1] https://www.authy.com/thefuture
    [2] https://news.ycombinator.com/item?id=6133648
    [3] https://news.ycombinator.com/item?id=4916983
    [4] https://news.ycombinator.com/item?id=4330050

  • by cheald on 9/4/13, 2:56 PM

    Aside from the screwup here, this is a good chance to check backup mechanisms for your various 2FA accounts. If your phone is broken or stolen, do you have a recovery plan?

    I keep backup codes for each of my 2FA services in a Truecrypt container, which is mirrored on Dropbox. Additionally, I keep a copy printed out and kept in a fire safe. Phone backups for personal accounts have my wife's phone on record, and I try to keep printed copies of the QR codes I used to set up the account.

    About a year ago, my phone was shattered while on the road, and while I was able to regain access to those accounts due to existing login sessions on my home computer, I'd have been sunk without them. Make sure you have a plan for what you do if your phone authenticator becomes unavailable.

  • by nl on 9/4/13, 1:21 PM

    A while ago the Android version was replaced by a new app (instead of just an upgrade), allegedly because the team LOST THE SIGNING KEY FOR THE ORIGINAL APP[1].

    If there is one team you'd expect not to lose a signing key I would have thought it would be that one!

    Everyone makes mistakes, but it's pretty scary to hear this happening too.

    [1] http://www.androidpolice.com/2012/03/22/psa-googles-authenti...

  • by orand on 9/4/13, 6:00 AM

    If they had released this two weeks later, iOS 7's auto-update feature would have bricked everyone's accounts.

    Google Auth 2.0 redefines two-factor auth: something you know + something you DON'T have. Their entire purpose in life is this second part and they completely and absolutely botched it. I can't believe this passed testing at both Google and Apple. There wasn't even a warning in the release notes.

  • by clarkm on 9/4/13, 5:57 AM

    For those looking for Google Authenticator alternatives, I recommend either Duo Mobile from Duo Security or Authy. I ditched Google Authenticator a while ago and haven't missed it one bit -- having a single app manage my two-factor tokens / keys is much more convenient.

  • by mahyarm on 9/4/13, 6:17 AM

    This is why you keep backups of your TOTP authenticator keys. I was really put off by 2 factor until I figured a way to do a backup. Authenticator URLs look like this:

    otpauth://totp/KeyNameHere?secret=SECRECTKEYSTRINGHERE

    You can save it in some passworded zip archive somewhere or print it out. If you print them I suggest printing them with QR codes to aid in recovery speed. You can easily generate QR codes by putting the text URLs into a QR code generator. If you just have a QR code, use a general QR code scanning app to extract the string.

    Also, the new Google Authenticator version has a 100% repro crash bug when you scan two QR codes in a row on iOS 7 phones.
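    As an added illustration, not code from the thread or from Google's app, of why the otpauth:// URL quoted above is a sufficient backup: the Python below parses such a URL and computes RFC 6238 TOTP codes from the embedded secret, so any copy of the URL can rebuild the generator. The sample URI is constructed for the example and carries the RFC 6238 test secret so its output is checkable; the query parameters follow the Key URI format (secret, digits, period, algorithm), and parse_otpauth, hotp, totp and code_from_uri are this example's own names.

```python
# Added example: rebuild TOTP codes from a backed-up otpauth:// URL.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample URI (not from the thread). The secret is the RFC 6238
# test key "12345678901234567890" in base32, so the codes match the RFC.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")


def parse_otpauth(uri):
    """Return (label, secret_bytes, params) for an otpauth://totp/... URL."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp URLs are handled here")
    label = unquote(u.path.lstrip("/"))
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = params.pop("secret").strip().replace(" ", "").upper()
    # Key URI secrets are base32 without padding; add it back for the stdlib decoder.
    secret += "=" * (-len(secret) % 8)
    return label, base64.b32decode(secret), params


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    digestmod = getattr(hashlib, algorithm.lower())
    digest = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, at=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP over the current time step (default 30 s)."""
    if at is None:
        at = time.time()
    return hotp(key, int(at) // period, digits, algorithm)


def code_from_uri(uri, at=None):
    """Parse a backed-up URL and return (label, current code)."""
    label, key, params = parse_otpauth(uri)
    return label, totp(key, at,
                       int(params.get("period", 30)),
                       int(params.get("digits", 6)),
                       params.get("algorithm", "SHA1"))


if __name__ == "__main__":
    print(code_from_uri(SAMPLE_URI))
```

    Any generator fed the same secret and clock produces the same code as the phone app, which is exactly why the URL (or the secret it carries) must be stored as carefully as a password: an encrypted archive or a printout in a safe, as the comment suggests, never a plain file in cloud sync.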

  • by imkevinxu on 9/4/13, 7:33 AM

    Quick solution for Google 2-step auth (do it QUICK so you don't lose access to your Gmail)

    1) Go to this page https://accounts.google.com/b/0/SmsAuthSettings

    2) Click "Move to a different phone"

    3) Re-set up your Google Authenticator

    Note: the 10 printed one-time access codes and all the application-specific passwords will still work after this "reset". But you still need to reset your other accounts that use the Google Authenticator.

  • by bdcravens on 9/4/13, 7:39 AM

    I use Google Authenticator on the 2 AWS accounts I manage. Fortunately, at least on the first, the master account didn't have 2FA on it, so it took about 60 seconds to reset it (remove device, then re-add). However, most wouldn't have the master account (the entire purpose of IAM).

    I suspect that Google may have an update that restores accounts. I know when I've restored my phone, losing all apps, when I reinstalled an app months later, the settings were still there. Obviously the settings are stored in a file somewhere, so my hope is that this is how Authenticator works, and this buggy release just failed to properly open that file. Of course, not everyone can wait and have to reset like I did.

  • by noveltyaccount on 9/4/13, 6:10 AM

    When I add sites to Authenticator, I take a screenshot of the QR code and tuck it away in an encrypted document (OneNote for the record, which uses AES to encrypt).

  • by chime on 9/4/13, 6:03 AM

    Every time I upgraded to a new iOS 7 beta, it wiped my Google Authenticator account tokens. It wasn't a big deal with Google or Dropbox because both allow me to move. But I can't log in to my CampBX account anymore. I tried Authy today after another comment here on HN and it's been working so far.

  • by veidr on 9/4/13, 6:20 AM

    What does it mean that it 'loses all accounts'?

    I use two factor auth but not this app, so I am not sure why people are going to have such a bad day...

  • by bound008 on 9/4/13, 6:15 AM

    This was a perfectly functional app except that it didn't look like google+. I would recommend switching to authy (YC) bc their Bluetooth 4.0 LE implementation is awesome: https://www.authy.com/thefuture#pairing

  • by devx on 9/4/13, 6:51 AM

    This is the sort of "nightmare scenario" I'm afraid of, and why I'm still not using 2FA. I'd rather risk having only a weaker password, than risking losing my accounts for good. You can't get back into your accounts if something like this happens, right?

  • by ibejoeb on 9/4/13, 7:05 AM

    To disable auto-update on recent Android:

    Play Store -> Search "Authenticator" -> Select "Google Authenticator" -> Press "Menu" -> Deselect "Auto-update"

  • by acheron on 9/4/13, 10:24 AM

    I saw Google Authenticator had an update this morning and thought "haha, wouldn't it be awful if it deleted the accounts when I updated!" Well, I guess I'm the goat [1].

    I was still signed into Google so that was easy enough to generate a new key, but I believe I'm going to have to use my backup number to get into Dropbox.

    [1] http://en.wikipedia.org/wiki/Duck!_Rabbit,_Duck%21

  • by robin_reala on 9/4/13, 10:04 AM

    The broken update has now been pulled.

  • by markwakeford on 9/4/13, 5:45 AM

    Use HDE OTP, it's a better looking app anyway.

  • by DigitalSea on 9/4/13, 11:09 AM

    Do Google even test the stuff they put out? This is a pretty severe mistake to make for a company as big as Google. Do they not have teams dedicated to testing this stuff? The small design studio I work at does a better job QA'ing their websites than Google does QA'ing major product upgrades... Disgraceful.

  • by castis on 9/4/13, 6:12 AM

    Man, someone is going to have a really really bad day tomorrow.

  • by calvin on 9/4/13, 5:57 AM

    If you offer two-factor authentication for your website, be prepared for a surge in support requests today. When I talked to one of my providers on the phone, they stated they are already getting a surge in calls because of this app update.

  • by drewschrauf on 9/4/13, 6:29 AM

    I used my Pebble watch for TFA. You have to compile the app yourself but it's pretty easy. https://github.com/aaronpk/pebble-authenticator

  • by michaelrbock on 9/4/13, 5:45 AM

    Don't upgrade! I just had this unpleasant experience and warned everyone about 15 minutes ago: https://news.ycombinator.com/item?id=6325745

  • by gfodor on 9/4/13, 10:47 AM

    I'm not seeing the update in the App Store, nor the app itself. Must be pulled.

  • by thrownawaaay on 9/4/13, 6:37 AM

    What an absolutely awesome time for iTunes Connect to be down for maintenance.

  • by dknecht on 9/4/13, 5:58 AM

    The Authy app is great and supports Google, Dropbox, CloudFlare, Amazon…

  • by MiguelHudnandez on 9/4/13, 4:45 PM

    Shit. I am running the iOS 7 beta with automatic app updates, and I already have the new app.

    I am considering wiping my phone and restoring it from a previous backup with the old copy of the app.

    Edit: I was still logged in from my browser, and was able to activate the new version without entering a code from the deceased version of the app.

    From this, it seems theft of your cookies could let an attacker completely take over your account and two-factor device if they know your account password and you have chosen to trust the victim computer.

  • by PLejeck on 9/4/13, 6:05 AM

    I'm just gonna point out that the previous update was somewhere around 2 years ago, and it's just now getting retina, so we should be glad there's even this much.

  • by web007 on 9/4/13, 9:15 AM

    Unrelated to this particular snafu but still potentially problematic: if you have your Authenticator account named by its default name (foo@example.com) and you add another account with the same key, it will be blindly overwritten. I found this out the hard way after scanning my Meraki 2FA QR code that was tied to the same email that already had Google 2FA.

    ProTip: rename your auth entry to something like "Gmail foo@example" to avoid this problem, whether malicious or accidental.
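    The overwrite described in this comment comes from keying stored entries on the account label alone. The Python below, an added example rather than code from the thread or from any authenticator app, splits an otpauth label into issuer and account the way the Key URI format allows (an "Issuer:account" prefix or an issuer= parameter), then contrasts a store keyed on the bare account, which silently loses the first entry, with one keyed on (issuer, account) that keeps both and refuses a conflicting overwrite. The two sample URIs, their secrets and the names parse_label, store_by_account and store_by_issuer_and_account are constructed for this example.

```python
# Added example: why two otpauth entries with the same account name collide,
# and how qualifying the key with the issuer avoids it.
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample URIs (not from the thread): two different services,
# the same default account name, different made-up secrets.
SAMPLE_URIS = [
    "otpauth://totp/foo%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=Google",
    "otpauth://totp/foo%40example.com?secret=KRSXG5CTMVRXEZLU&issuer=Meraki",
]


def parse_label(uri):
    """Return (issuer, account, secret) for an otpauth://totp URL.

    The issuer comes from an 'Issuer:account' label prefix when present,
    otherwise from the issuer= query parameter, otherwise it is empty.
    """
    u = urlparse(uri)
    label = unquote(u.path.lstrip("/"))
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    prefix, sep, account = label.partition(":")
    if sep:
        issuer = prefix.strip()
    else:
        issuer, account = params.get("issuer", ""), label
    return issuer or params.get("issuer", ""), account.strip(), params["secret"]


def store_by_account(uris):
    """The failure mode from the comment: keyed on the account name only,
    a later entry with the same name silently replaces the earlier one."""
    store = {}
    for uri in uris:
        _, account, secret = parse_label(uri)
        store[account] = secret
    return store


def store_by_issuer_and_account(uris):
    """Keyed on (issuer, account), both entries survive; a genuine conflict
    (same key, different secret) is reported instead of being overwritten."""
    store = {}
    for uri in uris:
        issuer, account, secret = parse_label(uri)
        key = (issuer, account)
        if key in store and store[key] != secret:
            raise ValueError(f"refusing to overwrite existing entry {key}")
        store[key] = secret
    return store


if __name__ == "__main__":
    print("by account only:", store_by_account(SAMPLE_URIS))
    print("by issuer+account:", store_by_issuer_and_account(SAMPLE_URIS))
```

    The commenter's rename workaround does by hand what the second store does automatically: it makes the issuer part of the identity, so a second service tied to the same e-mail address cannot displace the first.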

  • by gbraad on 9/4/13, 5:45 PM

    Luckily got an AWS reminder. And a shameless plug... my own 2FA app on http://gauth.apps.gbraad.nl can be used everywhere you have a web browser, offline when your browser supports it and updates without problems when a new version is available. Besides, no updates were needed in months due to good QA. ;-)

  • by bruceboughton on 9/4/13, 6:07 AM

    Fuck you, Google. Fuck you.

  • by hrjet on 9/4/13, 12:07 PM

    What I worry about is a hacker feigning to be another user and claiming that they can't access their google account anymore because of a botched update.

    I guess Google support might get too many reset requests to show due diligence in verifying authenticity of the requests.

  • by darklajid on 9/4/13, 7:13 AM

    Not an iPhone user, but I wonder if you could access the key data manually and restore it afterwards?

    On Android that's possible (if you have root...) by accessing the key database (sqlite in that case). I did that to duplicate the keys from my handset to my tablet.

  • by tjbiddle on 9/4/13, 6:22 AM

    Just in time for Github to add 2FA.

  • by markstanislav on 9/4/13, 2:10 PM

    Don't forget that Duo Security's mobile application supports Google Authenticator (and any other TOTP-enabled service). It also has already been working on iOS 7 for weeks.

  • by PLejeck on 9/4/13, 5:54 AM

    I actually just switched to Duo Mobile earlier today because of iOS 7 issues with Authenticator; this just cements my decision to switch.

    Edit: oddly iOS 7 hasn't autoinstalled this yet.

  • by tlrobinson on 9/4/13, 7:29 AM

    Related: will iOS 7 let you turn off the auto-update feature?

  • by Achshar on 9/4/13, 12:41 PM

    Does this affect android? My phone is off and I am not turning it on until I can somehow disable auto update from the play store from web.

  • by 0x0 on 9/4/13, 7:49 AM

    Happened to me as well, fortunately I disabled 2FA on my Dropbox account before the upgrade, thanks to this warning!

  • by pshc on 9/4/13, 6:00 AM

    Thanks for the heads-up all! Looking forward to actually being able to distinguish Authenticator accounts on iOS 7.

  • by div on 9/4/13, 10:27 AM

    iOS7 beta automatically updated my Google Authenticator. The 'updated app' indicator is taunting me.

  • by nick_urban on 9/5/13, 3:26 PM

    This is the most pressing and actionable information I have ever gleaned from a news site. Thank you!

  • by arange on 9/4/13, 8:55 AM

    This is especially bad for mtgox as it does not have backup codes or cellphone backup.

  • by olive_ on 9/4/13, 11:17 AM

    Lesson learned: do not upgrade anything unless you read some feedback about it.

  • by mcleod on 9/4/13, 5:08 PM

    Is anyone else just happy that the assets will finally be high-res? :P

  • by cominatchu on 9/4/13, 5:01 PM

    I recommend using the Authy app instead, it's much better

  • by jbrooksuk on 9/4/13, 8:47 AM

    I'm just glad it works full screen on the iPhone 5.

  • by andreif on 9/4/13, 9:21 AM

    Some guys really needed retina support. Now you got it.

  • by victorlin on 9/4/13, 8:14 AM

    Damn it... This is stupid, I just upgraded too.

  • by namaserajesh on 9/4/13, 10:29 AM

    Thanks for letting us know.

  • by icecreampain on 9/4/13, 6:56 AM

    I cannot fathom why people still rely on Google for their core business needs.

    At my last place of work I built an SMS system to be used as the second factor in the intranet login. I _could_ have used a 3rd party 2FA, but the most _logical_ reason to have our own system was ... well.. we didn't want to rely on anyone except ourselves.

    Didn't take me long and the most difficult part was finding enough USB-connected phones to be used as SMS senders.

    Guess what? The system still works today, while Google is broken.

  • by corresation on 9/4/13, 12:53 PM

    Somewhat related, but when I set up two factor authentication I securely saved the initial TOTP tokens (using barcode scanner to extract it) for exactly this sort of situation (well in my case it was that I switched smartphones enough that having it tied to one was nonsensical).