Ditch Google Authenticator

Google Authenticator is a mobile app that generates 6-digit codes (TOTP) for accessing various services that use multi-factor authentication (such as Google). It’s not flawless; let’s discuss my points against it.

Google Authenticator stores secrets in plain text

Your OTP key is stored in an SQLite database, without any encryption. Well, no application but Google Authenticator itself can normally read it; there’s a “but”, though: one can never know what vendor can do. Also, it the phone is rooted, the database can be obtained by those who can escalate their privileges. If it’s not, a device might be affected by a vulnerability that allows to escalate privileges, such as CVE-2019-2215.

Google Authentication binds user to the OneAndOnly™ device

There’s no legal way to make a backup or restore application’s state from a backup. So, one has to be prepared to the fact that once their phone is lost, stolen, broken, etc, the ability to generate a one-time password goes away as soon as the phone does. Backup codes, such as ones that Google offers, are the only hope in this case if no alternatives to OTP from Google Authenticator were set. Regaining access to various services that Google Authenticator is used as the second factor to could be tedious: I had collected 15 OTP keys by the time I bought a new phone and started scratching my head what the migration plan was.

Just in case, here is a decent article on how to back up Google Authenticator. Spoiler alert: it spreads hopelessness because the chances are that by the time you read this, all the things has already gone wrong, and there’s virtually no way to fix them. Well, almost: good for you if you use Android and have enough skills to root the phone and use adb to get SQLite out of it. If not, pulling hairs out seems to be the only option, unfortunately.

So, what do I do?

  • Pay attention to the options for the second factor
  • Store OTP keys in a password manager. I use KeePass (KeePassXC for Linux and OSX; Keepass2Android for Android); 1Password also claims it does support TOTP.
    • KeePassXC developers note that OTP keys are safer when stored separately from passwords, ideally in a separate database with different keys and on different devices. Nevertheless, having OTP keys stored next to passwords is convenient and probably good enough for some cases: it’s definitely better than not having multi-factor authentication at all.

Benefit of the doubt

“Who the heck is that guy to throw shits at Google,” one might say. Part of me thinks the same. Given that most of the mobile phone vendors do not aim to steal customers’ data in the most shameless way and users avoid rooting their phones, Google Authenticator might be okay. Maybe the need to go over all the services and regain access when the device is lost is intentional! Just use backup codes or other alternative to get in, Luke. And so can be all the bloodiness of the ways of making a copy of Google Authenticator: if there’s only a single copy of OTP keys, the odds of leaking them are reduced to a reasonable minimum. However, there are 2 things that make me think different. First, the very existence of Microsoft Authenticator and Authy. Both MS Authenticator and Authy offer backup as a first-class feature, and more than that, the latter also features ability to use the same OTP key on multiple devices, for good or ill.

So, I ditched Google Authenticator. It’s up to you to decide what you do; I just hope that now you have enough insight to make an educated move. Just do the right thing before you lose your phone.

Feel free to leave a comment if you have anything to add.

P.S.: I found a great write-up on making multi-factor authentication right (also, there is a discussion of it at Hacker News, also highly recommended).

Alexander Kurilo
Systems Architect
comments powered by Disqus