Google adds account sync for Authenticator, without E2EE You may have heard news this week that Google is finally updating its authenticator app to add Google account synchronization. Before you rush to ensure your two-factor secrets are safe in the event you lose your device, take heed: The sync process isn't end-to-end encrypted. The lack of synchronization encryption was pointed …
Can you export your 2fa codes from Google Authenticator in a format that is compatible with other autheticator apps with this new update? I don't see any sync option in the version i have on my phone and the play store isn't saying there is any app update to install so i can't see for myself.
Previously to export your 2fa accounts it would generate a QR code but those were only able to be imported back into Google Auth keeping you in the Google ecosystem and you couldn't even screenshot them easily to use 3rd party tools to get the info from those Google generated QR codes to a format that you could then use to import them to another authenticator app.
I now use the open source https://gitlab.gnome.org/World/Authenticator app on my PC as my main authenticator app when setting up 2fa as that give you multiple formats for backing up your 2fa secrets as well as generates QR codes that can be imported into most authenticator apps.
"we're always focused on the safety and security of Google users and the newest update to Google Authenticator was no exception."
=> We're always focused on ensuring that we can slurp a copy of your security details, as well as any of the other data that you are foolish enough to pass through any of our services and devices. This update was no exception to this very particular focus.
Brand said Google encrypts data in transit and at rest across its products.
=> Would it be far too cynical to read that as "the data is encrypted while in transit to Google, but is then decrypted on arrival (and a copy stored), before being transferred to its storage location in an encrypted form (but we have the decryption keys)"?
the last time G required my "2FA" device for my GMail account. G's culture was built on the open flow of information, and they clearly just don't get stopping the flow.
The entire idea of using an app as your second form of auth strikes me as bizarre in the first place. Just don't.
The entire idea of using an app as your second form of auth strikes me as bizarre in the first place
Why? The "what you have" is your phone on which that app runs and where its seed is stored. The "what you know" is the password you have to provide to login in addition to the 2FA.
If someone steals your phone then they have the "what you have" part but in order to access your 2FA they need to be able to break into your phone. Obviously biometrics like Face ID are not foolproof but it is against a casual thief, and your thief needs to act quickly before you (who presumably knows your phone has been stolen) can remotely wipe your phone or its biometric login times out and the bar is now raised much higher.
All this assumes some third party doesn't do something unforgivably stupid, like cloud enable your 2FA so you can get the second factor without requiring the "what you have", of course!
"Users of Salesforce Community – a cloud-based tool that lets businesses spin up quick customer-facing websites –"
In my professional opinion: quick my fucking arse.
Trying to do anything, even the most basic things, salesforce is a nightmare.
I guess it was some copy and paste from some marketing material?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
