undefined | Better HN

0 pointsburkaman2y ago0 comments

Google Authenticator was I believe the first available TOTP app, and is by far the most popular. It used to be open source and have no connection to your Google account. Many people installed it years ago when they first set up MFA, and have just been adding stuff to it ever since because it's easy and it works. Even for technical users who understand how TOTP works, there is no obvious reason it appears unsafe to put all your tokens in the app (until you read this article).

Look at the MFA help page for any website you use. One of the first sentences is probably something like "First you'll need to install a TOTP app on your phone, such as Google Authenticator or Authy..."

It really did used to be the best option. For example, see this comment from 10 years ago when Authy first launched:

> The Google Authenticator app is great. I recently got (TOTP) 2-factor auth for an IRC bot going with Google Authenticator; took about 5 minutes to code it up and set it up. It doesn't use any sort of 3rd party service, just the application running locally on my phone. TOTP/HOTP is dead simple and, with the open source Google Authenticator app, great for the end user.

- https://news.ycombinator.com/item?id=6137051

0 comments

fireflash382y ago

I think technically Blizzard Authenticator (even the app) was available before Google Authenticator, but obviously for extremely limited use.

glandium2y ago

Also, since it doesn't allow to extract the private keys, you're kind of stuck with it once you've started using it.

j / k navigate · click thread line to collapse

0 pointsburkaman2y ago0 comments

It really did used to be the best option. For example, see this comment from 10 years ago when Authy first launched:

- https://news.ycombinator.com/item?id=6137051