Is Google phasing out Authenticator/TOTP?
I use TOTP for every site that supports two-factor authentication. When setting up 2FA for a new Google account, I can choose: SMS/call, security key or Google prompt. I don't have a security key, I would prefer not to log into Google with my work account on my phone, and I would prefer not to be susceptible to SIM swapping. Is TOTP less safe than SMS/call?
Interestingly, Google's own Authenticator TOTP app still exists, but apparently you can't use it to set up 2FA for a Google account anymore: https://play.google.com/store/apps/details?id=com.google.and...
SMS is not reliable for 2FA; it's trivial for a determined party to sniff SMS messages. TOTP is the best way for typical users to do 2FA, as most people won't have a YubiKey or anything like that. Google Prompt is the equivalent of iCloud's cross-device prompt, where you must allow the action from another device that's already logged in to the account.
The Google Authenticator app isn't the only app that can be used to generate TOTP tokens, even though many sites directly refer to it. Anywhere that you are given a QR code to scan you can use any TOTP app you'd like. I use Authy personally because it allows me to back up my TOTP tokens behind a master password and access to my phone number, so in the event my phone is lost or replaced I'm able to restore 2FA access by going through the process to configure Authy again and re-enter my master password from another password manager.
You can set up 2FA through one of the other options first. After that, TOTP should be available as an option as well. After setting TOTP up, you can remove the other one.
They're probably hiding the TOTP option because the backup story for Google Authenticator is really poor. If you lose your device, you lose access to all of the accounts you had set up 2FA for with Google Authenticator. Of course, there are other TOTP apps that are better in this regard, but Google is unlikely to promote those because then they'd lose some control over the authentication flow.
I replaced Google Authenticator with Aegis on Android long ago.
You can actually back up your keys (encrypted).
Also, they reverse engineered the Steam Authenticator, so that's one less app to have on my phone.
Off topic, but I moved from Google Auth to Aegis[0] recently and Aegis is so much better in every possible way.
[0] https://getaegis.app/
I haven't seen anything indicating TOTP is being phased out, but there are several reasons Google may be driving people to security keys (aka WebAuthn, FIDO, U2F):
* TOTP (and SMS codes) can be forwarded, so you can be phished/duped into entering credentials on a spoof website. FIDO prevents this.
* TOTP (and SMS) may be grabbed from your phone by malware. This is harder with FIDO as it requires a physical button press.
* TOTP requires substantial user knowledge to use correctly. FIDO also has usability issues (you have to keep your key with you, endless USB-A vs USB-C issues), but maybe they believe it's better.
I usually point people to Authy. Nice app and alternatives are available of course. But more importantly they provide nice guides on how to set up 2FA for various websites. Including Google/gmail: https://authy.com/guides/googleandgmail/
Even so, non technical people get very confused by this stuff. As the CTO, I enforce 2FA for all of our stuff. But it continues to be a support headache when we have new people joining.
I'd love for this to be solved in a more user friendly & standardized way. So, I can understand why Google moved away from TOTP as the main way to do 2FA. It probably caused a lot of support overhead for them.
Hardware tokens have the same issue. Nice for techies but too hard to deal with for normal people.
Tangentially related, but I made sure to store all of my TOTP secrets in a secure, offline location so that I can quickly migrate my 2FA app to a new phone by generating QR codes.
Google has been mainly prompting me on other devices rather than asking for my TOTP code, however.
I'm irrationally quick to hate on anything Microsoft touches, but for TOTP their Authenticator app is very good. It holds my Google TOTP, amongst others.
It allows you to import and export to CSV; the iOS app also has automated iCloud backup if you're so inclined.
I'm sorry, but what makes you think Authenticator cannot be used when setting up 2FA with your Google account? That link does not show anything like that to me. And I used it to set it up about 2 months ago.
I don't think they are phasing out Authenticator - I still use it. However for your Google account they say:
>We recommend you sign in with Google prompts. It's easier to tap a prompt than enter a verification code.
I find it interesting that the 2FA methods it gives you are non-anonymous: SMS has a phone number, security key has a hardware ID, and Google Prompt has your IMEI/phone ID (and maybe number?) too.
TOTP is falling out of fashion because the underlying crypto component is just a plaintext secret that is distributed over the Internet and stored unhashed in a database, probably right next to the password hashes. There's a real argument to be made that it's not a real second factor but instead more like 1.5FA.
I always store the secret key for TOTP before I use the QR code. I have a command line app I wrote that can generate OTP codes using the same secret key, so as a backup I can always generate codes with my desktop or phone.
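The command-line generator described above, together with the earlier point that the verifying server must keep the same unhashed secret, as an added example (not the commenter's code or Google's): both sides run the identical RFC 4226/6238 computation, so whoever holds the base32 secret from the QR code can produce or check every code. The secret below is the RFC 6238 reference test value, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def decode_b32_secret(secret_b32: str) -> bytes:
    """otpauth QR codes carry the secret as unpadded base32; restore the '=' padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def totp(secret_b32: str, at_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    This is all an authenticator app (or the commenter's CLI tool) does."""
    t = int(time.time()) if at_time is None else int(at_time)
    return hotp(decode_b32_secret(secret_b32), t // step, digits)


def verify_totp(secret_b32: str, code: str, at_time: int, window: int = 1, step: int = 30) -> bool:
    """Server side. Note it needs the same plaintext secret to recompute the code,
    which is the '1.5FA' storage concern raised in the thread. Accepts +/- `window`
    time steps of clock skew and compares in constant time."""
    return any(
        hmac.compare_digest(totp(secret_b32, at_time + k * step, step), code)
        for k in range(-window, window + 1)
    )


# RFC 6238 test secret "12345678901234567890" (ASCII) in base32, as a QR code would carry it.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp(RFC6238_SECRET_B32))              # code for the current 30-second window
    print(totp(RFC6238_SECRET_B32, at_time=59))  # reference vector: 287082
```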
Last I've had to do this (last November): for Google itself, you need to set up SMS 2FA, and then you can add an additional TOTP device and remove the SMS 2FA. A bit annoying, but worked for me for my work account.
We issue security keys to staff who don't want to use a personal phone for work.
(I.e. they have the option: use their personal phone, or carry this Yubikey.)
You can add a security key (a real or emulated one), then add TOTP, and afterwards remove the security key.
I configured a Gmail account for 2FA yesterday with Google Authenticator. Had no problems.