The one-time codes that Google’s Authenticator app generates to secure your accounts no longer have to live in one place. Instead, they can sync to your Google account.
This update, announced Monday by Google, closes a feature gap between Authenticator and competing authenticator apps such as Twilio's Authy (as well as many password-manager services) that have long offered cloud synchronization.
All of these apps stop a password from being the last line of defense for an account by generating short-lived, single-use codes as defined in the Time-Based One-Time Password (TOTP) standard. When you type one of these numbers into a site's login page, the site compares it with a code it computes itself from two inputs: a secret key that was shared with your app when you enabled TOTP verification (the QR code you scanned carries it) and the current time, rounded down to a 30-second window. If they match, you're in.
Google Authenticator was among the earliest mass-market TOTP apps, having debuted in 2010, but for its first few years it did not support phone-to-phone transfer of saved codes. You had to set them up anew for each account on a new device, a chore that Google security chief Stephan Somogyi admitted to me in 2017 was "a complete, total and unmitigated pain."
Google later added a more pleasant code-transfer system in which the copy of Authenticator on your old phone generates a QR code that you scan with Authenticator on your new device. But that doesn't work with a lost or stolen phone, while the new account-synchronization feature ensures the secrets behind your codes stay with you, unless you opt to use Authenticator without an account.
To set it up, update the Google Authenticator app and you’ll be prompted to link a Google account. You can then, for example, download Google Authenticator for iPad, log in with the same Google account and get codes on the iPad as well as the iPhone.
In the bargain, Google Authenticator's app icon has changed from a stylized gray "G" to an asterisk in Google's brand colors of blue, red, yellow, and green.
Having your TOTP secrets sync to your Google account also raises the potential damage from a compromise of that account: whoever controls it can generate your codes for every site you enrolled. If you're going to use this, you should lock down your account with a USB security key, the most secure sort of two-factor authentication available. Those keys, available from Yubico and other vendors for $25 and up, verify your identity with a public-key pair created for each site; the private half never leaves the key, so there is no shared secret for a breached server to leak. And because the browser tells the key which domain is asking and the key signs only for that domain, a look-alike site cannot borrow your login, which makes them resistant to phishing.
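The domain binding that makes security keys resistant to phishing is checked on both ends: the browser only lets a page use the relying-party ID that matches its own origin, and the site then confirms, before checking the signature, that the signed data names its origin and its relying-party ID. The following is an added example (not Google's, Yubico's, or the article's code) of that server-side binding check in plain Python, using the WebAuthn assertion fields `clientDataJSON` and `authenticatorData`. The helper that fabricates those two fields stands in for a browser and key and is test scaffolding only; a real deployment would go on to verify the signature over `authenticatorData || SHA-256(clientDataJSON)` with the stored public key, which needs a crypto library and is not shown.

```python
import base64
import hashlib
import hmac
import json
import struct


def b64url_decode(text: str) -> bytes:
    """Decode unpadded base64url as WebAuthn emits it."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_origin: str, rp_id: str,
                            expected_challenge: bytes) -> bool:
    """Relying-party checks that tie an assertion to this site and this login
    attempt. Signature verification must follow; it is out of scope here."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False
    if client_data.get("type") != "webauthn.get":
        return False
    # The browser writes its own origin; a phishing page on another host cannot forge ours.
    if client_data.get("origin") != expected_origin:
        return False
    # The challenge must be the one we issued for this login, which blocks replay.
    challenge = b64url_decode(client_data.get("challenge", ""))
    if not hmac.compare_digest(challenge, expected_challenge):
        return False
    # authenticatorData = SHA-256(rpId) || flags || 4-byte counter || ...
    if len(authenticator_data) < 37:
        return False
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    if not hmac.compare_digest(authenticator_data[:32], rp_id_hash):
        return False  # the key signed for some other relying party
    flags = authenticator_data[32]
    if not flags & 0x01:
        return False  # user-presence bit clear: nobody touched the key
    return True


def make_assertion_parts(origin: str, rp_id: str, challenge: bytes, counter: int = 7):
    """Construct the two fields a browser and key would return. Test data only:
    no real device was involved and nothing here is signed."""
    challenge_b64 = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge_b64,
                              "origin": origin}).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([0x01])                   # flags: user present
                 + struct.pack(">I", counter))     # signature counter
    return client_data, auth_data


if __name__ == "__main__":
    challenge = b"\x00\x01\x02" * 11   # constructed; a server would use os.urandom(32)
    good = make_assertion_parts("https://example.com", "example.com", challenge)
    phish = make_assertion_parts("https://example.com.evil.test", "example.com.evil.test", challenge)
    print("real site:", check_assertion_binding(*good, "https://example.com", "example.com", challenge))
    print("look-alike site:", check_assertion_binding(*phish, "https://example.com", "example.com", challenge))
```

Note what the look-alike case shows: the attacker can relay the real site's challenge to the victim, but the victim's browser stamps the phishing origin into `clientDataJSON` and hands the key the phishing domain as relying-party ID, so both the origin check and the `rpIdHash` check fail at the real site. A TOTP code carries no such binding, which is why it can be phished and a security key's assertion cannot.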
Passwordless authentication, in which you approve a login on a computer by unlocking your phone with biometrics (to confirm that it's you) while the phone is close to that machine (as verified over Bluetooth, to prove that you're actually there), removes the need for a separate second factor: the key pair stored on the phone is the "something you have," and the unlock supplies the "something you are." But although Apple, Google, and Microsoft made an unusual joint endorsement of the FIDO passkey spec last spring, the industry is only getting started in supporting this standard.