Reminder: Google Authenticator not supported

News updates about the Prohashing pool
Forum rules
The News forum is only for updates about the Prohashing pool.

Replies to posts in this forum should be related to the news being announced. If you need support on another issue, please post in the forum related to that topic or seek one of the official support options listed in the top right corner of the forums page or on prohashing.com/about.

For the full list of PROHASHING forums rules, please visit https://prohashing.com/help/prohashing- ... rms-forums.
User avatar
Steve Sokolowski
Posts: 4585
Joined: Wed Aug 27, 2014 3:27 pm
Location: State College, PA

Reminder: Google Authenticator not supported

Post by Steve Sokolowski » Tue Nov 07, 2017 11:24 am

Hi,

Despite our instructions to use Authy for two-factor authentication, a number of customers have been using Google Authenticator to store their authentication private keys.

The reason we recommend Authy is because it prompts the user for a password at installation time, and the password is used to encrypt the keys and store them on Authy's servers. That way, it is simple to recover the keys after reinstalling Authy by entering the password. There has never been a case of a lost two-factor authentication code reported to us when Authy was used.

Google Authenticator doesn't appear to provide a backup feature, at least by default, so many customers have submitted support tickets after they change phones without manually backing up their keys. This is a reminder that we don't provide support for Google Authenticator, so you'll have to either manually back up your keys, or submit a support ticket to Google for assistance to determine your recovery options.

With two-factor authentication, if you lose your keys, then your account is permanently lost.

Thanks,

-Steve
Mrrt
Posts: 27
Joined: Sun Oct 02, 2016 11:50 pm

Re: Reminder: Google Authenticator not supported

Post by Mrrt » Tue Nov 07, 2017 2:14 pm

Authy being tied to your phone number is insecure.

No one with any security sense would ever use Authy over Google Authenticator for this reason.

We really shouldn't be promoting poor key management in this industry.
User avatar
Eyedol-X
Posts: 103
Joined: Sun Nov 06, 2016 1:45 pm

Re: Reminder: Google Authenticator not supported

Post by Eyedol-X » Tue Nov 07, 2017 6:20 pm

I think the simple solution here is to include the plain text key with the QR code at the time of configuration and a note that the user is responsible for backing up their key. This way you're not pushing liability on another service such as Authy if there is ever an issue with the key.
User avatar
AppleMiner
Posts: 736
Joined: Sat Sep 30, 2017 1:44 pm

Re: Reminder: Google Authenticator not supported

Post by AppleMiner » Tue Nov 07, 2017 6:29 pm

Yep I ended up disabling all the 2FAs that didnt have a recovery key I could print the QR code for and backup in my firebox in the safe in case I lost the main device. was a good excuse to move some coins around and close off some accounts and exchanges I hadnt used in a while also.
User avatar
Eyedol-X
Posts: 103
Joined: Sun Nov 06, 2016 1:45 pm

Re: Reminder: Google Authenticator not supported

Post by Eyedol-X » Wed Nov 08, 2017 10:05 am

Just an FYI for all:

You can use a QR code reader to translate the QR code graphic into a link and from there you can get your "secret" key to back that up.
GregoryGHarding
Posts: 646
Joined: Sun Apr 16, 2017 3:01 pm

Re: Reminder: Google Authenticator not supported

Post by GregoryGHarding » Wed Nov 08, 2017 6:35 pm

you realise dispite them texting your phone, you still need another password to decrypt the keys, so no, its not insecure
Mrrt
Posts: 27
Joined: Sun Oct 02, 2016 11:50 pm

Re: Reminder: Google Authenticator not supported

Post by Mrrt » Thu Nov 09, 2017 4:49 pm

GregoryGHarding wrote:you realise dispite them texting your phone, you still need another password to decrypt the keys, so no, its not insecure
Do you live under a rock, Greg?
This precise insecurity has wrought havoc all year.
https://techcrunch.com/2017/09/18/ss7-c ... ulnerable/

https://www.reddit.com/r/Bitcoin/commen ... _a_hacker/
GregoryGHarding
Posts: 646
Joined: Sun Apr 16, 2017 3:01 pm

Re: Reminder: Google Authenticator not supported

Post by GregoryGHarding » Thu Nov 09, 2017 5:20 pm

Mrrt wrote:
GregoryGHarding wrote:you realise dispite them texting your phone, you still need another password to decrypt the keys, so no, its not insecure
Do you live under a rock, Greg?
This precise insecurity has wrought havoc all year.
https://techcrunch.com/2017/09/18/ss7-c ... ulnerable/

https://www.reddit.com/r/Bitcoin/commen ... _a_hacker/
do you even know what youre talking about? authy does not send any SMS based 2FA keys.
Mrrt
Posts: 27
Joined: Sun Oct 02, 2016 11:50 pm

Re: Reminder: Google Authenticator not supported

Post by Mrrt » Sat Nov 11, 2017 10:53 am

GregoryGHarding wrote:
Mrrt wrote:
GregoryGHarding wrote:you realise dispite them texting your phone, you still need another password to decrypt the keys, so no, its not insecure
Do you live under a rock, Greg?
This precise insecurity has wrought havoc all year.
https://techcrunch.com/2017/09/18/ss7-c ... ulnerable/

https://www.reddit.com/r/Bitcoin/commen ... _a_hacker/
do you even know what youre talking about? authy does not send any SMS based 2FA keys.
I used to use Authy and at that time you could recover all of your 2FA keys to a device by receiving SMS confirmation.
Haven't used it since I realized that (having gone through the process) and I will certainly never use their service again.

Do YOU know what YOU'RE talking about?
GregoryGHarding
Posts: 646
Joined: Sun Apr 16, 2017 3:01 pm

Re: Reminder: Google Authenticator not supported

Post by GregoryGHarding » Sat Nov 11, 2017 12:36 pm

Mrrt wrote:
GregoryGHarding wrote:
Mrrt wrote:
Do you live under a rock, Greg?
This precise insecurity has wrought havoc all year.
https://techcrunch.com/2017/09/18/ss7-c ... ulnerable/

https://www.reddit.com/r/Bitcoin/commen ... _a_hacker/
do you even know what youre talking about? authy does not send any SMS based 2FA keys.
I used to use Authy and at that time you could recover all of your 2FA keys to a device by receiving SMS confirmation.
Haven't used it since I realized that (having gone through the process) and I will certainly never use their service again.

Do YOU know what YOU'RE talking about?
as i said.. you cannot do ANYTHING with sms confirmation without another master password thats linked to your account
Post Reply