My short answer: no, you can't export the keys from Google Authenticator
that I'm aware of. You'll have to log in with your old OTP and generate
new "tokens". Some ideas for moving forward though: the Authy app does
sync between devices and we've tested it, Google Authenticator, and
FreeOTP using the time-based TOTP codes on multiple devices concurrently
(they all have to snap the same QR code). I don't know if Authy will
work with counter-based HOTP if that's what you're using, but it was the
only one that would back up/sync across devices.
Another idea is to put the text version of the OTP key in your password
manager of choice on token generation. The Enpass password manager will
actually let you add the TOTP QR code into the account info with your
device's camera. You could re-enroll your devices later if need be.
Before anyone yells at me: yes, I realize that putting the password and
the OTP generation key in the same place kind of defeats the purpose. If
someone breaks into your password manager though, you likely have a
bigger problem than your password and OTP key being in the same record.
Use your best discretion on this. Yes, I'd do this for my Steam account.
No, I would not do it for work.
We run FreeIPA servers for 2fa. For the most part, Google Authenticator,
Authy, and the FreeOTP apps are all about the same with the only
exception being neither Authy nor Authenticator worked with TOTP using
SHA256 at the time of testing, but SHA1 worked just fine. All three apps
generated the same codes in the same timeframes using SHA1. If you're
already using Authenticator, then the SHA256 compatibility thing won't
be an issue (just something to note for anyone facing this problem in
the future).
Happy 2FA'ing,
Thaddeus
On 7/28/17 12:41 PM, Matthew Eastman wrote:
On Fri, Jul 28, 2017 at 12:39 PM, <[email protected]> wrote:
Pretty much what I ran into with one clarification:
As far as I know, there's nothing preventing you from installing the app on
multiple devices and entering the same code into both separately. The
obvious drawback is you now have to maintain control of multiple devices
constantly in order for the second factor to actually enhance security.
This is certainly true for TOTP codes, which are most prevalent,
though Google Authenticator also supports HOTP, in which case there's
a sequence number that won't be kept in sync between the devices.
Thanks,
On Fri, Jul 28, 2017 at 11:05:07AM -0500, Joe Fruchey wrote:
I use Google Authenticator. I don't think you can have multiple devices
active concurrently, nor can you export the keys. I think the proper way
to transfer to a new device is to decomm the old one by disabling 2FA,
then set it up again on the new device. One way to avoid this is to
print/save the QR code on the initial setup, but once it's gone, there's
no way to retrieve it.
On Fri, Jul 28, 2017 at 10:14 AM, <[email protected]> wrote:
We recently were forced to start using 2FA for a service at work and,
as I agree with the practice (at least in principle), I started using
Google Authenticator for several other services, including sudo on a
couple of Linux boxes I have.
Now I'm facing a phone that desperately needs to be replaced but
authenticator codes locked into the software on that one device. I know
I can get new codes for all of my existing services and just set it up
fresh on a new device but I'm curious how that's "normally" handled. I
wouldn't necessarily have that option if I chucked my phone into a brick
wall as I have been sorely tempted to do on multiple occasions lately.
Do you backup your authenticator keys somewhere? If so, how?
Set it up on multiple devices under the assumption that at least one will be
functional long enough to reset codes with the services?
Do you avoid 2FA specifically because of this issue?
Something else totally obvious that I just missed?
Thanks,
Bill
_______________________________________________
General mailing list
[email protected]
http://brlug.net/mailman/listinfo/general_brlug.net
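Added example, not part of the original thread or any app's own code: a Python sketch of RFC 4226 HOTP and RFC 6238 TOTP. It shows the behaviours discussed above: two devices enrolled with the same key agree on TOTP codes, a SHA256 token yields different codes than SHA1 for the same key, and HOTP counters drift apart between devices. The `Phone` class, `compare_devices` helper and the sample key (the RFC test secret) are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

def hotp(secret_b32, counter, digits=6, algo="sha1"):
    """RFC 4226: HMAC the 8-byte counter, then dynamically truncate."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F  # low nibble of last byte picks a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32, unix_time, step=30, digits=6, algo="sha1"):
    """RFC 6238: HOTP where the counter is the current 30-second time step."""
    return hotp(secret_b32, int(unix_time) // step, digits, algo)

class Phone:
    """Hypothetical device enrolled from the QR code; only HOTP keeps local state."""
    def __init__(self, secret_b32):
        self.secret = secret_b32
        self.hotp_counter = 0  # advances on this device only

    def totp_code(self, now, algo="sha1"):
        return totp(self.secret, now, algo=algo)

    def hotp_code(self):
        code = hotp(self.secret, self.hotp_counter)
        self.hotp_counter += 1
        return code

# Constructed sample key: the RFC 4226 test secret, base32 as a QR code carries it.
SECRET = base64.b32encode(b"12345678901234567890").decode()

def compare_devices(now=59):
    old, new = Phone(SECRET), Phone(SECRET)  # both snapped the same QR code
    old.hotp_code(); old.hotp_code()         # only the old phone has been used
    return {
        "totp_old": old.totp_code(now),      # same key + same clock
        "totp_new": new.totp_code(now),      # ... gives the same code
        "totp_sha256": new.totp_code(now, algo="sha256"),  # differs from SHA1
        "hotp_old": old.hotp_code(),         # counter 2
        "hotp_new": new.hotp_code(),         # counter 0: out of step
    }

if __name__ == "__main__":
    for name, code in compare_devices().items():
        print(f"{name:12} {code}")
```

A server that validates HOTP typically accepts a small look-ahead window of counters, so a second device whose counter lags behind is the one that fails first.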