undefined | Better HN

0 pointslaurentl6y ago0 comments

I had a fright last time I changed phones. After restoring my backup onto the new phone, I was about to wipe the old one; I did a final pass through my apps just in case... and saw that Google Authenticator configuration did not carry over to the new phone (which makes sens from a security perspective but is a PITA to manage). I had to re-enroll my device with all the services on which I use MFA.

After this episode I made damn sure I had recovery codes stored in a safe place.

0 comments

Silhouette6y ago

When a family member had a phone stolen not long ago, the only major functionality on it that they couldn't quickly and securely disable was the Google stuff.

The procedures for doing so seemed to be unnecessarily complicated and difficult to find when starting, ironically, from a Google search on another device.

Worse, the security policies seemed to be fundamentally flawed, because they kept insisting on some form of authentication based on a trusted device when the purpose of the transaction was to notify them that the trusted device had been stolen.

There has been an unhealthy trend recently of assuming that everyone has a mobile phone and that communications to that phone/number are a good method of authentication, without adequate thought to what happens if the physical device and/or the associated phone number are compromised, or to whether protocols like SMS are really suitable for this sort of application. And some of the really important things, like banks and government services and email providers (which are in practice a gateway to everything else you do online) are often among the worst offenders. I don't know what to do about this, but certainly raising awareness of this kind of problem would be a good start.

drivebycomment6y ago

> Worse, the security policies seemed to be fundamentally flawed, because they kept insisting on some form of authentication based on a trusted device when the purpose of the transaction was to notify them that the trusted device had been stolen.

Are you suggesting any random person without any authentication proof to be able to just sign people out of their devices ? That would be a broken security.

Silhouette6y ago

I'm suggesting that a security policy should actually be practical. There are any number of viable ways to handle this. Requiring someone to possess the device they are reporting stolen is not one of them.

fencepost6y ago

You can also have more than one device set up for TOTP - phone, previous phone or tablet, desktop using WinAuth or similar. Authy and the password managers will also track those seed values, though it's best to store them separately from your actual password storage.

Another thing that will not migrate phone to phone is Signal conversations if you're inclined to keep those.

laurentlOP6y ago

Yes, I lost my Signal conversation history as well and had to be re-added to all group conversations (another PITA).

How do you store seed values in password managers? More specifically: how do you export them from Coogle Authenticator? (I’ve not found that option). And how do you import them again?

fencepost6y ago

I'm unaware of any options to export, that would be a security issue.

To store the seed values, simply store the text provided for use if you can't use the qr code.

1 more reply

jopsen6y ago

Print the QR codes, put them inside a plastic bottle and bury them 6 feet down in your parents backyard under the cover of darkness.

-- the more elaborate, the more cool you feel doing it :)

kkreamer6y ago

Use Authy, which does carry over.

j / k navigate · click thread line to collapse

0 comments

Silhouette6y ago

When a family member had a phone stolen not long ago, the only major functionality on it that they couldn't quickly and securely disable was the Google stuff.

The procedures for doing so seemed to be unnecessarily complicated and difficult to find when starting, ironically, from a Google search on another device.

drivebycomment6y ago

Are you suggesting any random person without any authentication proof to be able to just sign people out of their devices ? That would be a broken security.

Silhouette6y ago

fencepost6y ago

Another thing that will not migrate phone to phone is Signal conversations if you're inclined to keep those.

laurentlOP6y ago

Yes, I lost my Signal conversation history as well and had to be re-added to all group conversations (another PITA).

How do you store seed values in password managers? More specifically: how do you export them from Coogle Authenticator? (I’ve not found that option). And how do you import them again?

fencepost6y ago

I'm unaware of any options to export, that would be a security issue.

To store the seed values, simply store the text provided for use if you can't use the qr code.

1 more reply

jopsen6y ago

Print the QR codes, put them inside a plastic bottle and bury them 6 feet down in your parents backyard under the cover of darkness.

-- the more elaborate, the more cool you feel doing it :)

kkreamer6y ago

Use Authy, which does carry over.

j / k navigate · click thread line to collapse