
Just checked and Google Authenticator seems to be synced to my account, which is a huge SPOF and not what I want. It's possible that I did this without realising, but does anyone know of a way to revert Authenticator to local-only? I don't see anything obvious.


> It's possible that I did this without realising

IIRC on my platform, when they added the feature they turned it on by default, as an auto-installed update.

And if you're logged into the Gmail app on the same device, that also logs you into Authenticator.

You didn't do anything wrong.


FWIW, I still remember recoiling in horror when I was asked whether I wanted to sync my Google Authenticator stuff.


I remember getting prompted for it on iOS when they added it. I still have it turned off.


Better option is to not use Google's TOTP app. Use something else


You can't revert, the keys are sent, they have them. They can't un-have them. You'll need to rotate your MFA.


> You can't revert, the keys are sent, they have them. They can't un-have them. You'll need to rotate your MFA.

Not true. See https://news.ycombinator.com/item?id=42471459


You've missed the point entirely. The point is not that you can't recover the codes. The point is that if you are concerned about uploading codes due to the security implications (which most people on here are) then you need to do more than just disabling uploading, you also have to go rotate all the secrets that were uploaded.
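Added example (not from this thread, and not Google's code): a small RFC 6238 TOTP implementation showing why the comment above says unsyncing is not enough. Two holders of the same seed compute identical codes, so deleting your synced copy changes nothing about what a copy holder can still compute; only re-enrolling with a fresh seed ("rotating") makes the old seed useless. The RFC 6238 Appendix B test key and the fixed "rotated" seed are constructed values for reproducibility; `new_secret()` is what a real re-enrolment would use.

```python
"""RFC 6238 TOTP, to show why a synced seed has to be rotated, not just unsynced."""
import base64
import hashlib
import hmac
import secrets
import struct

STEP = 30      # seconds per TOTP window
DIGITS = 6

# RFC 6238 Appendix B test key ("12345678901234567890" in ASCII), base32-encoded.
# Constructed for this example; it stands in for a seed a site issued at enrolment.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def b32(raw: bytes) -> str:
    """Base32 without padding, the form authenticator apps import."""
    return base64.b32encode(raw).decode().rstrip("=")


def totp(secret_b32: str, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP = HOTP(K, floor(T / step)) with HMAC-SHA1 and dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Server-side check: accept the current window and +/- `window` neighbours."""
    return any(
        hmac.compare_digest(totp(secret_b32, at + i * STEP), code)
        for i in range(-window, window + 1)
    )


def new_secret() -> str:
    """Fresh 160-bit seed, which is what re-enrolling ('rotating MFA') issues."""
    return b32(secrets.token_bytes(20))


def rotation_demo(t: int = 1234567890) -> dict:
    """Returns what each party can compute before and after rotation."""
    # Before: the phone and any synced copy hold the same seed, so a copy holder
    # is indistinguishable from the phone's owner. Unsyncing your own copy does
    # not change what a copy holder can still compute.
    phone_code = totp(RFC_SECRET, t)
    copy_holder_code = totp(RFC_SECRET, t)
    # Rotate: the site records a new seed and forgets the old one. A deterministic
    # constructed seed is used here so the result is reproducible; a real
    # re-enrolment would use new_secret().
    rotated = b32(b"rotated-seed-example")
    return {
        "copy_matches_phone": phone_code == copy_holder_code,
        "old_accepted_before_rotation": verify(RFC_SECRET, copy_holder_code, t),
        "old_accepted_after_rotation": verify(rotated, copy_holder_code, t, window=0),
        "new_phone_accepted_after_rotation": verify(rotated, totp(rotated, t), t),
    }


if __name__ == "__main__":
    print(rotation_demo())
```

`totp` reproduces the RFC 6238 SHA-1 test vectors (e.g. `totp(RFC_SECRET, 59)` gives `287082`, the last six digits of the 8-digit vector 94287082), so it can be checked against any authenticator app that accepts the same base32 seed. The thing to take from `rotation_demo` is the asymmetry: the seed is the factor, so any party that has ever held it holds the factor until the relying site stops accepting it.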


I understood the point, thanks. But I'm concerned about the scenario in the article, where someone did a device recovery and got access to the cloud synced auth codes.

I don't particularly like that my codes were apparently synced to Google's cloud without my being aware, or the UX that prevented me from noticing. But I'm pretty confident that, having disabled the cloud sync, Google no longer has my codes.

(And in fact I verified this by installing the authenticator on a tablet before turning off sync on my phone. The codes vanished from the tablet.)

In principle, yes, I should rotate all the secrets, because Google may have borked their data retention, or is just outright lying and keeping my secrets. In practice, though, for my personal account, I'm content that nothing has been compromised.


> But I'm pretty confident that, having disabled the cloud sync, Google no longer has my codes

Based on just your intuition. Since you don't have access to the backend specs or code, assuming this isn't a responsible security practice. It is a shortcut you can choose to take personally but should never take with any professional credentials.

I'm going to point out that you responded "Not true." instead of adding a caveat about how you personally choose to ignore security best practices for personal accounts.


> I'm going to point out that you responded "Not true."

I could have been clearer, but that was in response to the assertion of "you can't revert".


> does anyone know of a way to revert authenticator to local-only?

To answer my own question: tap the profile pic (top right on Android) and choose the Use Without an Account option. Removes codes from cloud storage and any _other_ devices. Mentioned in TFA.


I am literally mind f** by the wording “Use Authenticator without an Account”. This is one of the most tortured and cryptic phrases I have seen. Government legalese is more straightforward than Google.



