Google Authenticator

Don’t use Google Authenticator for 2FA


When you open an account with an exchange you will be prompted to enable two-factor authentication (2FA), and they usually suggest that you use Google Authenticator. 2FA increases the security of your account because logging in requires two things: your password and a magic number generated by your phone. If a hacker gets your password (perhaps by compromising your PC) it does not help them because they don’t have your phone.

You should always use two-factor authentication, but Google Authenticator is bound to your phone: if you lose your phone or reset it, you will lose ALL the Google Authenticator accounts. Some, but not all, exchanges prompt you to write down a key that will enable user support to reactivate your account if this happens.

I had assumed that Google backed up the accounts in the cloud but they do not. If you lose the phone you lose the accounts. What idiot designed this system…

Alternatives to Google Authenticator

Only enable 2FA using SMS (OK)

If you lose your phone, you can get a new SIM with the same number and regain access to your accounts.

Pros

  • Most providers are quite good at mailing out replacement SIMs
  • Some providers will provide web access to your SMS messages

Cons

  • You will have to wait for a new SIM
  • If you have SMS messages appearing in a web application there is a risk that a hacker might see them.

Use Authy (preferred)

Authy is 100% compatible with Google Authenticator and offers a backup capability. It is owned and operated by Twilio, who are a well-respected service provider.

Pros

  • Authy will back up your account, allowing simple restore.
  • Authy provides clients for desktop computers as well as phones, giving you immediate redundancy.
  • You can disable any device from any other device. So, for example, if your phone is stolen you can disable it from Chrome on your desktop computer.

Cons

  • You have to trust Authy’s code and assume that they manage your tokens properly.

Authy have a blog post about their advantages over Google Authenticator here. Please note that I think it is necessary to enable “multi-device” to permit the full backup and restore function.
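Added example, not from the original article: authenticator apps such as Google Authenticator and Authy compute codes with the standard TOTP algorithm (RFC 6238), so a code depends only on the secret enrolled with the exchange and the current time. The sketch below shows why any device holding the same secret produces the same code and why a phone that held the only copy cannot be replaced without a backup; the secret is the RFC's published test key and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_secret(secret_b32):
    """Decode the base32 secret shown at enrollment (spaces/lowercase allowed)."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # apps usually omit base32 padding
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32, now=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    now = time.time() if now is None else now
    return hotp(decode_secret(secret_b32), int(now) // step, digits)


def verify(secret_b32, submitted, now, window=1, step=30):
    """Server side: accept neighbouring time steps to tolerate clock drift."""
    key = decode_secret(secret_b32)
    current = int(now) // step
    steps = range(max(0, current - window), current + window + 1)
    return any(hmac.compare_digest(hotp(key, c), submitted) for c in steps)


# Constructed sample: the test key published in RFC 4226 / RFC 6238.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    t = 59  # fixed timestamp taken from the RFC 6238 test vectors
    phone = totp(SECRET, t)               # original phone
    desktop = totp(SECRET.lower(), t)     # second device restored from backup
    print("phone:", phone, "desktop:", desktop, "match:", phone == desktop)
    print("accepted 30 s later:", verify(SECRET, phone, t + 30))
    print("accepted 90 s later:", verify(SECRET, phone, t + 90))
```

Nothing in the code is tied to a particular device: whoever holds the secret can generate valid codes, which is why a backup of it restores access and why it needs the same protection as a password.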

Use a FIDO-compatible hardware token (best)

Even though 2FA solutions on a phone are reasonably secure, you are still running trusted software on an untrusted device. The best solution is to provide 2FA using a dedicated hardware device that cannot be compromised by an attacker.

The FIDO alliance have a specification for a hardware token that can be plugged into a USB port to provide 2FA. The Trezor hardware wallet claims to be FIDO compatible and this standard is supported by some exchanges.

Author

James Bayley

Ex-physicist, professional project manager and cryptocurrency enthusiast.

(C) 2017 Cryptocurrency.guru