2FA musings, and why not to use Google Authenticator

April 14, 2023 - 2fa security yubikey authy

Recently, my Pixel 4 XL, a trusty companion of 3 years, totally died. It had been having charging issues for a few months, such that it would only take a charge if the cable was plugged in just right. Then all of a sudden, the screen turned off permanently, and no amount of charging (via cable or wireless) would revive it.

Being without a smartphone—even if only for a day or two—makes one wonder how we ever survived without these devices. But this blog post is not really about phones; it's about 2-factor authentication. You see, I had been using Google Authenticator for many TOTP codes. Unfortunately, Google Authenticator codes live on a single device only; Google doesn't back up these codes. Under normal circumstances, it would have been possible to transfer the app data to a new phone, but with the old phone dead, I was out of luck.

If such a thing had happened to me a couple years earlier, the worst-case scenario would have been losing access to Google accounts, AWS accounts, crypto accounts, and some financial accounts (e.g., a 401k).

Fortunately, reality was not nearly this bad. In early 2022, I purchased a pair of Yubikeys and converted the majority of eligible accounts to use them for 2FA. Thanks to the Yubikeys, I never lost access to Google or AWS accounts. And the 401k provider was able to reset my two-factor settings via a quick phone call. Some crypto accounts probably remain inaccessible to me now, but I haven't really used those sites since 2017, so it's no big deal.

In the end, crisis was mostly averted, but I've learned my lesson. While Google Authenticator is convenient and familiar, there are better options out there. I now use Authy, which backs up codes to the cloud and protects them with a password. If I'm ever in this situation again, I can log in on another device, enter the password, and get access to everything again.

So the moral of this story, for those who want peace of mind against losing access to things, is to use a TOTP provider that has backups, and to consider buying a pair of Yubikeys.
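To make the "backups" point concrete: a TOTP code is a deterministic function of a per-account seed and the current time (RFC 6238), so what a backup actually has to preserve is the seed, not any code. The example below is added here and is not from the original post or from any authenticator app; it implements RFC 6238 over the standard library, checks itself against the RFC's own SHA-1 test vectors, and shows that a seed exported from one device and imported on another produces identical codes, while a stale code on its own is worthless.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 reference seed, used here only as a test vector (not a real account).
RFC_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HOTP (RFC 4226): HMAC over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the time step."""
    return hotp(secret, unix_time // step, digits)


def verify(secret: bytes, code: str, unix_time: int, step: int = 30,
           digits: int = 6, window: int = 1) -> bool:
    """Server-side check allowing +/- `window` steps of clock skew."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-window, window + 1))


def export_seed(secret: bytes) -> str:
    """What a backup must store: the seed, encoded as unpadded base32 (as in otpauth:// URIs)."""
    return base64.b32encode(secret).decode().rstrip("=")


def import_seed(b32: str) -> bytes:
    """Restore a seed on a replacement device; re-adds the base32 padding stripped on export."""
    return base64.b32decode(b32.upper() + "=" * (-len(b32) % 8))


def codes_match_after_restore(secret: bytes, unix_time: int) -> bool:
    """A restored seed yields exactly the code the old device would have shown."""
    return totp(import_seed(export_seed(secret)), unix_time) == totp(secret, unix_time)


if __name__ == "__main__":
    print("current code for the RFC test seed:", totp(RFC_SEED, int(time.time())))
```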

Update: 2023-07-15

Shortly after this article was posted, Google Authenticator was updated so that it can now be synced to one's Google account. This would have been beneficial in my situation above, and it will probably help prevent data loss in similar situations. For the time being, I'm content with Authy, but I'm happy that users of Google Authenticator will have better defaults moving forward.