My fear is that your phone is also the primary MFA device, so losing that could mean you can't log into your account anymore (and therefore can't restore the cloud backup)…


Google offers to back up Authenticator, should you choose to do so.


Sorry, I should be clearer: to log in to Google on a new device, you typically need to accept a prompt on an old device. But if your old device is dead, that's not possible. Authenticator does TOTP and things, which is typically not adequate for logging in (even though it _should_ be).


I'm not using Google Authenticator or anything like that, but when my old phone dropped somewhere at the bottom of a river, all my banking apps, which do 2FA, had a way to let me start again on my new phone. Services that don't assist their users in a disaster recovery scenario are severely lacking.


Yes they are, and yet they exist.


The prompt on an old device is just one of the MFA options you can use. You can also use a security key (e.g. Yubikey, Solokey, etc.).


Which defeats the purpose of MFA, since your Google account becomes your only factor.


This was my worst fear, but I had opted in to back up Authenticator with Google. Opting in to back up your data with Google is seamless, and it also restores stuff like SMS messages.

But I suppose this is one more thing the antitrust case against Google should probably be looking into. Should Google be allowed this deep integration with their cloud services?
