
cbdumas | 5 months ago

> The attacker already had access to ... my Google Authenticator codes, because Google had cloud-synced my codes.

This was such an obvious mis-feature I can't believe they actually rolled it out. For those using Google Authenticator you can and should disable cloud sync of your TOTP codes.

Flimm | 5 months ago

I can understand it. Ordinary users were getting locked out of their accounts when losing their phones. Some of those stories hit HN.

Don't disable cloud sync unless you have a backup of all your TOTP secret keys. It's dangerous to advise people to disable cloud sync without mentioning backups. Being locked out of thousands of dollars in your crypto account is as damaging as losing that crypto to hackers.

cbdumas | 5 months ago

In that case wouldn't you be better off just disabling 2FA? The problem with the cloud sync is that users like the one in the article think they have 2FA but in fact if their Google account is compromised all their accounts using Google Authenticator TOTP second factors are also compromised.