How to circumvent the flaw in Google Authenticator

I recently became aware of ‘two-factor authentication’ (2FA). This is a means by which one can add another level of protection to online accounts. There are several apps that provide this service: I opted for the Google Authenticator (GA), as it was already installed on my own phone. But then, after looking into it some more, I realised that there was a potential problem: if my phone were to become lost, broken, or stolen, or if the app were to cease to function, I could potentially be locked out of the services on which I’d enabled 2FA — since it’s not possible to back up the codes in GA.

One solution to this conundrum would be to use an authenticator like Authy, which does provide back-ups. However, it backs up to ‘The Cloud’ — and I don’t (yet) trust that. (What if the Cloud back-up were to be compromised?)

After much investigation and cogitation, I found a solution. Unfortunately, it’s one that requires a bit of preparation.

Note: if you’ve already installed Google Authenticator, you’ll need to visit all the accounts on which you’ve enabled 2FA, and disable it on all of these before you proceed!

The problem is that the ‘QR codes’ that are generated whenever one sets up 2FA in a service account are one-time-only: as soon as you navigate away from the page that shows the QR code, the code is lost forever. This may well be by design, as the codes should remain secret.

The solution is simple: before navigating away from that page, take a screenshot of the code and save it somewhere. Unfortunately, for some reason I’ve yet to fathom, the PrtSc button on my keyboard no longer works. But on Windows systems, there’s an alternative: the ‘Snipping Tool’ application, which facilitates partial screen capture. And since all we need to do is to copy the QR code, that’s perfect.

Capture the QR code for each account on which 2FA is set up, paste each one into a document, save the document somewhere safe: and, bingo! If the phone is lost or broken, or if the app fails for some reason and needs to be reinstalled: simply re-scan the QR codes into the new installation of Google Authenticator, and you’re all set to go again :)

A couple of caveats:

  • You may want to consider encrypting the file(s) containing your QR codes, perhaps using a tool like Gpg4win.
  • If your phone is stolen, it may be worth considering setting up new codes in GA anyway, as the originals would be compromised. They’re no good without the passwords to the accounts, but better safe than sorry.

About peNdantry

Phlyarologist (part-time) and pendant. Campaigner for action against anthropogenic global warming (AGW) and injustice in all its forms. Humanist, atheist, notoftenpist. Wannabe poet, writer and astronaut.
This entry was posted in Communication, Computers and Internet, Education, Strategy, Tech tips.

3 Responses to How to circumvent the flaw in Google Authenticator

  1. Interesting. It is a dilemma. I use 2FA on my amazon account

  2. Pingback: Let’s Get Inspired by pendantry of the blog called Wibble – Part 1 of 2 – ThoughtsnLifeBlog

  3. Pingback: A technique for improving your safety in cyberspace | Wibble