top | item 45267498

(no title)

Flimm | 5 months ago

I can understand it. Ordinary users were getting locked out of their accounts when losing their phones. Some of those stories hit HN.

Don't disable cloud sync unless you have a backup of all your TPTP secret keys. It's dangerous to advise people to disable cloud sync without mentioning backups. Being locked out of thousands of dollars in your crypto account is as damaging as losing that crypto to hackers.

discuss

cbdumas|5 months ago

In that case wouldn't you be better off just disabling 2FA? The problem with the cloud sync is that users like the one in the article think they have 2FA but in fact if their Google account is compromised all their accounts using Google Authenticator TOTP second factors are also compromised.

hocuspocus|5 months ago

It's the same thing with Apple Passwords.

TOTP isn't that great, you should definitely use a hardware and/or pass key for important and financial services. That said your cloud synced Google Authenticator can be behind a Google account with strong 2FA (i.e. not SMS nor TOTP), then it's mostly fine.

The lesson here is really not to ever share codes you receive by SMS, and preferably disable phone as recovery and second factor.