New Update Google Authenticator adds Cloud Sync for your 2FA Codes

piquiteco

Level 14
Oct 16, 2022
626
I tried that with my recent S23 Ultra. The problem is when the authenticator app makes a 6-digit code it cannot be copied out from the Secure Folder
The Secure Folder has clipboard protection; it is an isolated environment, so you can't copy anything out of it for security reasons, but you can copy from the normal environment into the Secure Folder. To copy the tokens from the authenticator app you must enable, in the Secure Folder settings, the use of the clipboard between the 2 environments; after that, whatever you copy will work in both directions. I don't recommend leaving this feature enabled: it may expose sensitive data that is on the clipboard from the Secure Folder, and some malicious app may steal it. I recommend disabling the Secure Folder clipboard when you are done using it. As @Trident said, the safe folder is great but too cumbersome to use all the time.
 

Jonny Quest

Level 16
Verified
Top Poster
Well-known
Mar 2, 2023
770
Which phone is it? Does stock Android, e.g. Google Pixel, have an app lock feature built in? Many custom Android OSes by various vendors have had it for many years, but I don't remember stock Android having it unless it was added in the last couple of Android versions.
In my Google search, I didn't see anything that looked easy or made sense for my S22e Android 13, except for what @piquiteco mentioned about Secure Folder, so I installed Norton App Lock. I now also see that @HarborFront found the problem with trying to use Secure Folder.
 

Jonny Quest

Level 16
Verified
Top Poster
Well-known
Mar 2, 2023
770
You can back up Google Authenticator normally and it is very simple: you just mirror your phone on your computer or notebook, then go to export accounts and select the account you want to export, or select all accounts if you prefer. Google Authenticator will show you the QR codes of the seeds of your accounts that generate the tokens; then you take a screenshot of these QR codes on your computer or notebook and save it in .PNG or .JPEG format. If you have Windows you can use the Capture Tool to capture these QR codes, then save them in a safe place: store them on a USB flash drive, external HD or memory card as a backup, and voilà! If one day you lose your phone, you can install Google Authenticator on your device and scan the QR codes directly from your computer screen, or go to import and scan the QR codes that you previously saved with Google Authenticator on your flash drive or other location. The interesting thing is that the QR codes generated by Google Authenticator can be read by other authenticators such as Aegis, 2FAS and others. Therefore, you will not be stuck with Google Authenticator. ;)
Nice, creative idea :)
 

piquiteco

Level 14
Oct 16, 2022
626
@Jonny Quest I was not going to forget to mention the application and share it with my friends: it is called scrcpy, pronounced "screen copy". There is also no need to install any APP/APK; it runs directly from your SSD/HDD as a portable program, small and light, compatible with Linux, Windows and macOS. ;)
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,025
In my Google search, I didn't see anything that looked easy or made sense for my S22e Android 13, except for what @piquiteco mentioned about Secure Folder, so I installed Norton App Lock. I now also see that @HarborFront found the problem with trying to use Secure Folder.

Norton App Lock has trackers. Use Lock App - Smart App Locker. It has NO trackers.

 

SeriousHoax

Level 47
Verified
Top Poster
Well-known
Mar 16, 2019
3,633
In my Google search, I didn't see anything that looked easy or made sense for my S22e Android 13, except for what @piquiteco mentioned about Secure Folder, so I installed Norton App Lock. I now also see that @HarborFront found the problem with trying to use Secure Folder.
I see, thanks. So the information about app locker being a default Android feature is clearly wrong.
But there are some capable third-party apps that can do the job. I'll have a look at the discussed one if I require it.
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,567
Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices.

TL;DR: Don't turn it on.


The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.

We analyzed the network traffic when the app syncs the secrets, and it turns out the traffic is not end-to-end encrypted. As shown in the screenshots, this means that Google can see the secrets, likely even while they’re stored on their servers. There is no option to add a passphrase to protect the secrets, to make them accessible only by the user.

Why is this bad?

Every 2FA QR code contains a secret, or a seed, that’s used to generate the one-time codes. If someone else knows the secret, they can generate the same one-time codes and defeat 2FA protections. So, if there’s ever a data breach or if someone obtains access to your Google Account, all of your 2FA secrets would be compromised.

Also, 2FA QR codes typically contain other information such as account name and the name of the service (e.g. Twitter, Amazon, etc). Since Google can see all this data, it knows which online services you use, and could potentially use this information for personalized ads.

Surprisingly, Google data exports do not include the 2FA secrets that are stored in the user's Google Account. We downloaded all the data associated with the Google account we used, and we found no traces of the 2FA secrets.

The bottom line: although syncing 2FA secrets across devices is convenient, it comes at the expense of your privacy. Fortunately, Google Authenticator still offers the option to use the app without signing in or syncing secrets. We recommend using the app without the new syncing feature for now.
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,567
Google has admitted that E2E encryption is lacking in its current rollout of sync functionality in Authenticator. It says that this is due to its desire to add a highly requested functionality that adds convenience earlier and implement E2E encryption later, which is ironic since it's already been several years since customers have been requesting sync.

In a statement to CNET, Google noted that:

End-to-End Encryption (E2EE) is a powerful feature that provides extra protections, but at the cost of enabling users to get locked out of their own data without recovery. To ensure that we're offering a full set of options for users, we have also begun rolling out optional E2EE in some of our products, and we plan to offer E2EE for Google Authenticator in the future.

As it stands, Mysk has advised Google Authenticator customers not to use the sync functionality until E2E encryption is added. However, Google has not given a timeline either so there's no knowing when it will arrive.
 

piquiteco

Level 14
Oct 16, 2022
626
Google Authenticator users, thoughts on this?
For sure they do not think. The most important thing for users, and what they want, is to have their secrets and seeds backed up in the cloud and not lose them any more. You think they are worried about encryption? Of course not. I do not sync my Google Authenticator tokens to the cloud; I prefer to use it offline. Those who understand security will for sure not use Google cloud backup unless Google implements encryption. But those who already had Google Authenticator installed on their phones and saw this backup option activated it on the spot lol; just knowing that they will hardly lose their tokens, they didn't think twice. Even if I were a casual user who didn't care about security and didn't read security news, I would have activated Google Authenticator's cloud backup the moment the option appeared to me. :LOL:
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,025
The Secure Folder has clipboard protection; it is an isolated environment, so you can't copy anything out of it for security reasons, but you can copy from the normal environment into the Secure Folder. To copy the tokens from the authenticator app you must enable, in the Secure Folder settings, the use of the clipboard between the 2 environments; after that, whatever you copy will work in both directions. I don't recommend leaving this feature enabled: it may expose sensitive data that is on the clipboard from the Secure Folder, and some malicious app may steal it. I recommend disabling the Secure Folder clipboard when you are done using it. As @Trident said, the safe folder is great but too cumbersome to use all the time.

I just re-set up and re-tested Secure Folder.

One issue with Samsung Secure Folder is that whenever I open BW inside it and launch, say, MWT, it opens in either Chrome or Samsung Internet browser. Even if I set, say, Kiwi Browser as default, it'll still open its Default-for-work Chrome or Samsung Internet Browser (see bottom of 2nd picture)

1683037651211.png


Screenshot-20230502-221842-Permission-controller.jpg
 

piquiteco

Level 14
Oct 16, 2022
626
I just re-set up and re-tested Secure Folder.

One issue with Samsung Secure Folder is that whenever I open BW inside it and launch, say, MWT, it opens in either Chrome or Samsung Internet browser. Even if I set, say, Kiwi Browser as default, it'll still open its Default-for-work Chrome or Samsung Internet Browser (see bottom of 2nd picture)
I had not seen your post. In the Secure Folder, Samsung does not allow you to set any third-party browser other than the Samsung Internet browser as default. I also do not recommend that you do not install any browser in your Secure Folder. Because it is an isolated environment, it is recommended to use only Samsung Internet browser or Google Chrome and nothing else. The Secure Folder is only used for applications that use sensitive data like banking applications, password managers, authenticators, you get it?
 
