Wednesday, September 4, 2013

Google Authenticator 2.0

Jordan Merrick:

Lots of people on Twitter and HN reporting that the latest update to Google Authenticator, Google’s app for dealing with two-factor authentication, removes any account you’ve set up.

Google has now pulled the iOS app.


If they had released this two weeks later, iOS 7’s auto-update feature would have bricked everyone’s accounts.

Google Auth 2.0 redefines two-factor auth: something you know + something you DON’T have. Their entire purpose in life is this second part and they completely and absolutely botched it. I can’t believe this passed testing at both Google and Apple.

Do people really think that the App Store reviewers do this sort of testing? The other iOS-related problem is that, even if you still have an old copy of the app, there’s no way to restore the data for it without overwriting your newer data in other apps.


When I add sites to Authenticator, I take a screenshot of the QR code and tuck it away in an encrypted document.

I had thought the codes were time-dependent, but apparently not. Perhaps I should be saving them in 1Password.

Update (2013-09-10): Google Authenticator 2.0.1 is now available and fixes the bug.

The codes are time-dependent, the QR code to identify and link your account isn't.
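The distinction drawn in the comment above, as an added example that is not part of the original post or its comments: the QR code carries a static `otpauth://` URI holding the shared secret, and each code is derived from that secret plus the current 30-second time step (RFC 6238). The sample URI is constructed from the RFC 6238 test key, its account name and issuer are hypothetical, and the HMAC-SHA1, 6-digit, 30-second defaults are assumed.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample: the RFC 6238 test key wrapped in the URI form a QR code encodes.
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
SAMPLE_URI = f"otpauth://totp/Example:alice@example.com?secret={SECRET_B32}&issuer=Example"


def parse_otpauth(uri):
    """Extract the static enrollment parameters from a TOTP provisioning URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = parse_qs(u.query)
    secret = q["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)  # restore base32 padding if it was stripped
    return {
        "label": unquote(u.path.lstrip("/")),
        "key": base64.b32decode(secret),
        "digits": int(q.get("digits", ["6"])[0]),   # assumed default
        "period": int(q.get("period", ["30"])[0]),  # assumed default
    }


def totp(params, unix_time):
    """Derive the code for a given time from the static key (RFC 6238, HMAC-SHA1)."""
    counter = struct.pack(">Q", int(unix_time) // params["period"])
    mac = hmac.new(params["key"], counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** params["digits"]).zfill(params["digits"])


if __name__ == "__main__":
    enrolled = parse_otpauth(SAMPLE_URI)
    # Same saved URI, different times: the secret never changes, only the code does.
    for t in (59, 1111111109, 1234567890):
        print(t, totp(enrolled, t))
```

Because the saved QR code yields valid codes at any later time, a backup of it needs the same protection as the password it supplements.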

[...] Link. Pulled. If it truly deleted credentials this would deserve a full autopsy. [...]

