The venerable Google Authenticator app is finally getting the one feature people have been asking for for years: cloud backup. In the latest version rolling out to Android and iOS, Google has finally added this feature, which makes it both more secure and more convenient. The cloud backup feature works pretty much as you would expect: the app will back up your two-factor authentication codes to your Google account. This means even if you uninstall the app or lose access to the device it is installed on, you don't lose all your 2FA codes.

Google Authenticator first launched in 2010, and the app, which stores and generates two-factor authentication (2FA) codes, lacked backups and multi-device support for years. Cloud backup has been at the top of the request list for this now 13-year-old app. Simply by installing the app on a different device, you can get back all your codes. Alternatives like Authy not only let you back up the codes but also sync them across multiple devices. Google Authenticator doesn't quite do that and can still run on only one device, but at least if you are a long-term user of this app and don't want to switch, then you have some peace of mind now.

My iPhone fell in the water, but luckily I had a spare of the same exact model, so I restored an iCloud backup to it. The Google Authenticator app codes did not get restored with it though, and I do not have the one-time print codes, so I am a little in a tough situation. My accounts are blocked because I cannot use 2FA.

The Google Authenticator generates the one-time code to use after entering your username/password when 2FA is enabled. This is generally a good practice because it prevents most other people from logging in as you if they somehow guess your password. Just make sure you have a different 2FA method for your Google account so you don't lose both the app and access to your Google account at the same time.

Disclaimer: I'm not an expert. I assume you lost access to the 2FA for the main account. But before switching to Bitwarden I did research to make sure I don't confuse things. I had to change all my passwords after all, better do it right. I may be expanding too much (I'm atypical, writing also helps me sort thoughts), I felt like sharing what I've learned here.

The idea of "second factor" is that the 2nd answer isn't at the same place as the 1st. That would be the argument to tell you not to store the TOTP secret (i.e. the QR code thing (\*)) where you store the password.

Being on Google Authenticator (\*\*) isn't where your password is stored. The TOTP secret is what Google Authenticator (\*\*) keeps for you. The letters and digits (probably a 0-9a-f hexadecimal string representation), it's important to not let it sit somewhere.

But those MFA secrets. It's as important as the password. Using Bitwarden's TOTP secret alongside the password isn't bad per se. Just that if your vault gets leaked (like what happened with LastPass), all that's left is for the main password at the time of the leak to be strong enough. That's why a physical security key (YubiKey. As TOTP secrets, you might want two security keys. Apple doesn't let you use only one security key for this reason.

Yubico Authenticator is cool because the key stores the TOTP secrets. And your phone, computer, or tablet can read the secret on that key. If your password vault gets leaked, will it contain everything? Including our society's "security questions" answers? You'll have to weigh what you store where based on the importance of the secrets (password, TOTP secret, recovery codes list, recovery secret, passphrase, etc.). You could store some in iCloud/Chrome but not all together.

Furthermore, if the vault is leaked, multi-factor protection isn't there anymore. A leak where you store something shouldn't allow access; they'll need both. LastPass had been saying in their PR that the vaults are still protected by it, which is a blatant lie. The attackers now own those physical bits. The multi-factor is on the password manager's server side. The attacker can try brute force for the rest of eternity trying to break the vault password.

FIDO, FIDO2, HOTP, TOTP. HOTP and FIDO are the first implementations.

FIDO2 and WebAuthN (\*\*\*) are the newest things. HOTP is behind what allows sending a notification to Microsoft Authenticator to prompt you.

FIDO did it differently. It's essentially a "ceremony" where the relying party (the site you sign into) sends something to a server type of thing, and does checks that everything is signed and that it's a consistent and valid challenge. Your iPhone or MacBook can be WebAuthN, like a YubiKey or something else that's FIDO2.

\* the "secret" key making the sequence of digits predictable over time.

\*\* They're the same: Google Authenticator, or Microsoft's, or Ubiquiti's, or Synology's, or Dashlane's, or..., and they all do the calculation to tell the digits.

\*\*\* WebAuthN: Web Authentication Number + 1. It's the specifications ("standard") published by what the FIDO Alliance and the W3C wrote. FIDO Alliance is a standard body, like the W3C, the IETF, ECMA, ISO.