Less than a week ago, LastPass announced that they now support two new alternative methods of two-factor authentication in addition to Google Authenticator, or more precisely TOTP (RFC 6238). Even though I don't necessarily want to use them, it reminded me how much I found the Google Authenticator app on iOS to be buggy, and so I started looking around for alternatives.
By doing so, I learned two additional things that made me want to migrate out of Google Authenticator as quickly as possible. First, people mentioned that it is broken on iOS 7 beta. Considering the app wasn't updated by Google for years, I imagined that Google Authenticator was simply abandoned and I would have to switch to a supported app as soon as possible.
Also, I learned that Google Authenticator stores the private "keys" in the iOS keychain. Practically, this means that the only way the keys can be backed up is by using encrypted backups with iTunes, which is not the default. If you use unencrypted or iCloud backups and if you lose your phone, then you will not be able to restore your keys. Luckily, I regularly build encrypted backups in iTunes, but still the whole process is scary for a novice user.
So, I moved to Authy. It supports their own two-factor protocol and TOTP. The setup requires an SMS confirmation, likely for their own protocol, but once this is done it makes it possible to enable encrypted online backups of your keys. Also, they have a nice Mac program that lets you send the tokens from the iPhone to your Mac, ready to be copy-pasted. Even without that, at least the iOS app allows copying tokens to the clipboard. Now, surely there are other free iOS TOTP apps out there, though this one is very good and secure for novice users.
And what luck I had. Today, Google released an update to Google Authenticator for iOS, and they botched it. Badly. By doing the worst thing possible: Deleting all private keys. I can't imagine in what horrible situation I would have been in if the keys for the 6 services I placed in it completely vanished. Worse, some web sites that enable TOTP have no recovery method whatsoever, meaning that users would be completely locked out of their accounts.
What's the lesson? Never put all your eggs in one basket, and if you really have to do so, seek out alternatives and have backup plans in case of failure.
Published on September 4, 2013 at 21:23 EDT
Older post: My Web Site, Now With HTML5
Newer post: The User Interface Designer is Running the Asylum