Google Updates Authenticator and loses all your data

Google Authenticator just updated on the Apple App Store today … and the update proceeded to lose all my stored authentication tokens.

There are many 'definitions' of what 2FA means; "too expletive awful" is one that springs to mind today.

And the big irony: Google tells me it's Cyber Security Month. No doubt this update is promoting better security.

If you are looking at destroying people's trust in 2FA, Google has just shown how to do it.

If I can recover a previous version of one of my devices I can transfer the logins over … otherwise it is recovery processes for each and every one of the services that I previously had secured by 2FA. Of course that is kind of missing the point.

It should be pointed out that this is not the first time that Google Authenticator has lost people's data (every few years it seems to happen), but as we get more and more 2FA tokens, and as it gets harder to figure out which ones you have / need, this is becoming more and more of a problem when it happens.

The big question is what excuse will the developers come up with for what is basically an unforgivable fault.

To honour Cyber Security Month, a constructive summary:
  • If you are going to use Google Authenticator:
    • Keep a list of all the 2FA tokens you have in it and know your recovery procedures
    • If you have multiple devices with the same tokens on them (not how 2FA is supposed to work, but it does make it more convenient, so much so that Google now has a convenient export function): update one device, check it still works, then update the next one. If things go wrong, you can always use that convenient export function to undo the issue.
  • Think strongly about using something else that backs up your data in an encrypted form [1]:
    • Obsidian for iOS and Mac is a stylish tool that does this.
    • Authy is the popular Android / iOS cross platform solution
Finally, don't let this issue put you off 2FA tokens. While nothing is perfect, this problem could probably have been avoided. And although security rarely increases convenience (when it does, people forget that they added security and think they added convenience), the need to put better locks on our data and services is still increasing, and passwords are generally an easy target.

[1] Both tools are subject to lock-in, as neither exports its data (unlike Google Authenticator), but Obsidian will read data from Google Authenticator.