Reminder: Google Authenticator not supported

Steve Sokolowski
Posts: 2138
Joined: Wed Aug 27, 2014 3:27 pm
Location: State College, PA

Reminder: Google Authenticator not supported

Postby Steve Sokolowski » Tue Nov 07, 2017 11:24 am

Hi,

Despite our instructions to use Authy for two-factor authentication, a number of customers have been using Google Authenticator to store their authentication private keys.

The reason we recommend Authy is because it prompts the user for a password at installation time, and the password is used to encrypt the keys and store them on Authy's servers. That way, it is simple to recover the keys after reinstalling Authy by entering the password. There has never been a case of a lost two-factor authentication code reported to us when Authy was used.

Google Authenticator doesn't appear to provide a backup feature, at least by default, so many customers have submitted support tickets after they change phones without manually backing up their keys. This is a reminder that we don't provide support for Google Authenticator, so you'll have to either manually back up your keys, or submit a support ticket to Google for assistance to determine your recovery options.

With two-factor authentication, if you lose your keys, then your account is permanently lost.

Thanks,

-Steve
Mrrt
Posts: 28
Joined: Sun Oct 02, 2016 11:50 pm

Re: Reminder: Google Authenticator not supported

Postby Mrrt » Tue Nov 07, 2017 2:14 pm

Authy being tied to your phone number is insecure.

No one with any security sense would ever use Authy over Google Authenticator for this reason.

We really shouldn't be promoting poor key management in this industry.
Eyedol-X
Posts: 48
Joined: Sun Nov 06, 2016 1:45 pm

Re: Reminder: Google Authenticator not supported

Postby Eyedol-X » Tue Nov 07, 2017 6:20 pm

I think the simple solution here is to include the plain text key with the QR code at the time of configuration and a note that the user is responsible for backing up their key. This way you're not pushing liability on another service such as Authy if there is ever an issue with the key.
AppleMiner
Posts: 352
Joined: Sat Sep 30, 2017 1:44 pm

Re: Reminder: Google Authenticator not supported

Postby AppleMiner » Tue Nov 07, 2017 6:29 pm

Yep, I ended up disabling all the 2FAs that didn't have a recovery key I could print the QR code for and back up in my firebox in the safe in case I lost the main device. Was a good excuse to move some coins around and close off some accounts and exchanges I hadn't used in a while also.
Eyedol-X
Posts: 48
Joined: Sun Nov 06, 2016 1:45 pm

Re: Reminder: Google Authenticator not supported

Postby Eyedol-X » Wed Nov 08, 2017 10:05 am

Just an FYI for all:

You can use a QR code reader to translate the QR code graphic into a link and from there you can get your "secret" key to back that up.
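
The backup step described in the post above, as an added example that is not part of the original thread: it parses the `otpauth://` link a QR reader returns, pulls out the Base32 secret, and recomputes the RFC 6238 code so the written-down key can be checked against the authenticator app. The sample URI, the "Example Pool" issuer and the account name are constructed; the secret is the RFC 6238 test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample: the text a QR reader returns for an enrolment code.
# The secret below is the RFC 6238 test key, not a real account key.
SAMPLE_URI = ("otpauth://totp/Example%20Pool:alice?"
              "secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Pool")


def parse_otpauth(uri):
    """Split an otpauth:// URI into the fields worth writing down."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc.lower() != "totp":
        raise ValueError("not a TOTP otpauth:// URI")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in q:
        raise ValueError("URI carries no secret parameter")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": q["secret"].replace(" ", "").upper(),
        "issuer": q.get("issuer", ""),
        "algorithm": q.get("algorithm", "SHA1").upper(),  # defaults used when
        "digits": int(q.get("digits", 6)),                # the URI omits the
        "period": int(q.get("period", 30)),               # optional parameters
    }


def totp(entry, unix_time):
    """RFC 6238 code for a parsed entry at the given Unix time."""
    secret = entry["secret"]
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))  # restore padding
    counter = struct.pack(">Q", int(unix_time) // entry["period"])
    algo = getattr(hashlib, entry["algorithm"].lower())
    digest = hmac.new(key, counter, algo).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** entry["digits"]).zfill(entry["digits"])


if __name__ == "__main__":
    import time
    entry = parse_otpauth(SAMPLE_URI)
    print(entry["label"], entry["secret"], totp(entry, time.time()))
```

If the code printed for the current time matches what the authenticator app shows, the secret that was written down is the right one. The secret is equivalent to the second factor itself, so the copy belongs offline, for example printed and locked away.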
GregoryGHarding
Posts: 487
Joined: Sun Apr 16, 2017 3:01 pm

Re: Reminder: Google Authenticator not supported

Postby GregoryGHarding » Wed Nov 08, 2017 6:35 pm

you realise despite them texting your phone, you still need another password to decrypt the keys, so no, it's not insecure
--------------------------------->Join the Prohashing Slack Group Here<--------------------------------
Mrrt
Posts: 28
Joined: Sun Oct 02, 2016 11:50 pm

Re: Reminder: Google Authenticator not supported

Postby Mrrt » Thu Nov 09, 2017 4:49 pm

GregoryGHarding wrote: you realise despite them texting your phone, you still need another password to decrypt the keys, so no, it's not insecure


Do you live under a rock, Greg?
This precise insecurity has wrought havoc all year.
https://techcrunch.com/2017/09/18/ss7-c ... ulnerable/

https://www.reddit.com/r/Bitcoin/commen ... _a_hacker/
GregoryGHarding
Posts: 487
Joined: Sun Apr 16, 2017 3:01 pm

Re: Reminder: Google Authenticator not supported

Postby GregoryGHarding » Thu Nov 09, 2017 5:20 pm

Mrrt wrote:
GregoryGHarding wrote: you realise despite them texting your phone, you still need another password to decrypt the keys, so no, it's not insecure


Do you live under a rock, Greg?
This precise insecurity has wrought havoc all year.
https://techcrunch.com/2017/09/18/ss7-c ... ulnerable/

https://www.reddit.com/r/Bitcoin/commen ... _a_hacker/

do you even know what you're talking about? authy does not send any SMS based 2FA keys.
Mrrt
Posts: 28
Joined: Sun Oct 02, 2016 11:50 pm

Re: Reminder: Google Authenticator not supported

Postby Mrrt » Sat Nov 11, 2017 10:53 am

GregoryGHarding wrote:
Mrrt wrote:
GregoryGHarding wrote: you realise despite them texting your phone, you still need another password to decrypt the keys, so no, it's not insecure


Do you live under a rock, Greg?
This precise insecurity has wrought havoc all year.
https://techcrunch.com/2017/09/18/ss7-c ... ulnerable/

https://www.reddit.com/r/Bitcoin/commen ... _a_hacker/

do you even know what you're talking about? authy does not send any SMS based 2FA keys.


I used to use Authy and at that time you could recover all of your 2FA keys to a device by receiving SMS confirmation.
Haven't used it since I realized that (having gone through the process) and I will certainly never use their service again.

Do YOU know what YOU'RE talking about?
GregoryGHarding
Posts: 487
Joined: Sun Apr 16, 2017 3:01 pm

Re: Reminder: Google Authenticator not supported

Postby GregoryGHarding » Sat Nov 11, 2017 12:36 pm

Mrrt wrote:
GregoryGHarding wrote:
Mrrt wrote:
Do you live under a rock, Greg?
This precise insecurity has wrought havoc all year.
https://techcrunch.com/2017/09/18/ss7-c ... ulnerable/

https://www.reddit.com/r/Bitcoin/commen ... _a_hacker/

do you even know what you're talking about? authy does not send any SMS based 2FA keys.


I used to use Authy and at that time you could recover all of your 2FA keys to a device by receiving SMS confirmation.
Haven't used it since I realized that (having gone through the process) and I will certainly never use their service again.

Do YOU know what YOU'RE talking about?

as i said.. you cannot do ANYTHING with sms confirmation without another master password that's linked to your account