Post AV5quMvXYPqTaPw6QS by kkeller@curling.social
 Post #AV5qbKJp1mXTzjDJoG by lauren@mastodon.laurenweinstein.org
       2023-04-28T00:00:20Z
       
       0 likes, 0 repeats
       
       **** The Google Authenticator controversy ****

       I'm getting a bunch of queries about the controversy regarding lack of end-to-end encryption in the new Google Authenticator cloud syncing feature. Google's response to this so far has unfortunately been brief and does not explain the situation in a manner that most people are likely to understand.

       Within a few days I plan to write this issue up in a manner that most people *will* understand, and that's going to take some time.

       For now I'll say this. Using the cloud sync feature in Authenticator is reasonably safe, but does have problematic aspects in its current form. When it popped up in Authenticator for me a couple of days ago, I chose not to enable it by not logging Authenticator into a Google account, mainly because I have my own backup procedures for these codes -- but most people frankly do not.

       On balance, right at this moment, I would not recommend using this cloud sync Authenticator feature -- and I will explain in more detail in a more complete message. I will note however that Google is trying to do the right thing in providing a backup mechanism for these codes -- something that has long been needed in Authenticator. However, there is genuine risk in the current implementation, though in practice it most likely is quite small for most people.

       I'll try to explain this in more detail soon. Best, -L
       
 Post #AV5quMvXYPqTaPw6QS by kkeller@curling.social
       2023-04-28T00:03:36Z
       
       0 likes, 0 repeats
       
       @lauren I switched to an open source OTP app precisely because it was difficult to impossible to back up your tokens.  (I currently use Aegis on Android.)
       
 Post #AV5sQvlfeUdurdPVWy by spamvictim@infosec.exchange
       2023-04-28T00:20:48Z
       
       0 likes, 0 repeats
       
       @lauren Twilio is not usually my favorite company, but their Authy app works well, backs up codes from multiple devices in the cloud, and assuming what they say is true, the backups are encoded with a password only you know. (Forget the password, lose the backups.)

       https://authy.com/blog/how-the-authy-two-factor-backups-work/
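The property the thread keeps coming back to (Lauren's "own backup procedures", Aegis' exportable vault, Authy's backups "encoded with a password only you know") is that the party storing the backup must not be able to read the TOTP secrets, and that a forgotten password really does mean a lost backup. The following is an added worked example, written for this page and not code from Google, Aegis, Authy or any of the posters, showing what such a password-protected backup looks like end to end: the secrets are serialised, a key is stretched from the password with PBKDF2, the blob is encrypted and authenticated, and a restored secret is checked to still produce valid RFC 6238 codes. The entry format, the sample vault (the RFC 6238 test key in base32), the iteration count and the HMAC-SHA256 counter-mode keystream are all my assumptions; the keystream construction exists only because the Python standard library has no AEAD, and real code should use AES-GCM or a vetted library instead.

```python
"""Password-protected backup of TOTP secrets (added example, not from the thread).

The key is derived only from the user's password, so whoever stores the blob
(a sync service, a file host) cannot decrypt it, and a wrong or forgotten
password fails closed.  Assumed choices: entry layout, PBKDF2 iteration count,
and an HMAC-SHA256 counter-mode keystream standing in for a real AEAD.
"""
import base64
import hashlib
import hmac
import json
import os
import struct

PBKDF2_ITERATIONS = 600_000  # assumption: OWASP's current PBKDF2-HMAC-SHA256 figure

# Constructed sample vault; the secret is the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_ENTRIES = [
    {"issuer": "example.com", "account": "alice", "secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"},
]


def totp(secret_b32: str, at_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", at_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _derive_keys(password: str, salt: bytes) -> tuple:
    """Stretch the password into separate encryption and MAC keys (64 bytes total)."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 over (nonce || counter) as a PRF keystream; a stand-in for an AEAD."""
    blocks = [hmac.new(enc_key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_backup(entries: list, password: str) -> dict:
    """Serialise the vault, encrypt it under a password-derived key and tag it."""
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # Encrypt-then-MAC over everything the decryptor will trust.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return {"kdf": "pbkdf2-sha256", "iterations": PBKDF2_ITERATIONS, "salt": b64(salt),
            "nonce": b64(nonce), "ciphertext": b64(ciphertext), "tag": b64(tag)}


def decrypt_backup(blob: dict, password: str) -> list:
    """Verify the tag before decrypting; a wrong password raises ValueError."""
    salt, nonce = base64.b64decode(blob["salt"]), base64.b64decode(blob["nonce"])
    ciphertext, tag = base64.b64decode(blob["ciphertext"]), base64.b64decode(blob["tag"])
    enc_key, mac_key = _derive_keys(password, salt)  # iteration count is fixed here, not read from blob
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password or tampered backup")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def codes_after_restore(blob: dict, password: str, at_time: int, digits: int = 8) -> dict:
    """Restore a backup on a 'new device' and compute each entry's code at at_time."""
    return {e["account"]: totp(e["secret"], at_time, digits=digits)
            for e in decrypt_backup(blob, password)}


if __name__ == "__main__":
    blob = encrypt_backup(SAMPLE_ENTRIES, "correct horse battery staple")
    print(json.dumps(blob, indent=2))
    print(codes_after_restore(blob, "correct horse battery staple", 59))
```

Two things worth noticing when running it: the blob contains nothing a storage provider can use without the password (only salt, nonce, ciphertext and tag), and a wrong password is rejected by the tag check before any plaintext is produced, which is exactly the "forget the password, lose the backups" behaviour the Authy post describes. The iteration count is deliberately not read back from the blob, so an attacker holding the file cannot weaken the stretching by editing the header.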