Bitcoin Forum

Google just released a new version of Google Authenticator for the iPhone.  DO NOT UPGRADE, all your keys will be lost, and you will be locked out of all your exchanges etc.


Moderators: Please cross-post this to Important Announcements, it will hit a lot of Bitcoin users!


EDIT: See also http://www.reddit.com/r/Bitcoin/comments/1lp17r/i_just_updated_the_iphone_google_authenticator/


EDIT 2:  A newer version has been released by Google, solving the problem.  It turns out the keys were not lost, just hidden, so the new version actually restores them!

www.cryptocoinsnews.com/2013/09/04/warning-do-not-upgrade-google-authenticator-iphone-you-will-loose-your-keys/

+1. This is very real, and will cause huge amounts of trouble to bitcoiners. Shout it from the rooftops.

There are many people reporting it on online. Bitfunder has also added it to their webpage: "Error: Google has updated their authenticator app. DO NO UPGRADE THE APP. Many users have reported that the upgrade has erased their stored codes needed to login. If you wish to update you will need to disable 2-factor on your account first so you can re-activate it after the app update."

If you're reading this thread in the next couple of days, please bump it if it hasn't been in the last hour or so.

i have had the same experience. Switched to Authy.

Fool me once, shame on you.

How to recover:


I recovered from this mistake.  This should work on both jailbroken and unmodified iPhones, and will not loose your jailbreak if done correctly (point 5):

1) Swear at Google (OK, most of you have probably already done that)

2) Delete the Google Authenticator app from your Phone.

3) If iTunes sync automatically with your phone, you probably want to turn that off first.  Also, if you sync over WiFi it may already be too late - I really do not know.

4) Connect your phone to iTunes.  Enable the panel on the left.  It shows "LIBRARY", "STORE", "SHARED" etc and also the name of the phone.  On newer iTunes it is disabled by default, choose View / Show Sidebar.

5) Right-click on your iPhone, choose "Restore from Backup".  DO NOT use the normal restore button on the main window, as that will also restore the firmware and wipe and restore everythin (it will take ages resyncing, and any jailbreak will be gone).

6) After restoring, iTunes will resync your phone and reinstall Google Authenticator.  If you did not sync or backup since upgrading the app, the old version INCLUDING KEYS will be back.

7) If jailbroken, install Update Hider and hide the update to GA (I have not done this yet myself, but it should work).

Hmm - if it's possible to recover from that, that means someone else has your keys. Isn't that a security risk?

It's the encrypted backup of your phone either on your machine or on iCloud

Cool - but what if someone manages to steal your password? Is it protected with two factor authentication?  ;)

hopefully it's protected by Apple not allowing your phone's keys to load while connected to a computer. of course, Apple would never put its customers at risk 8)

I think the keys remain in the keychain on the phone.  I do not use an encrypted backup of my iPhone (perhaps I should), and as I understand it that means that restoring on a different device means that the GA keys are lost.  But restoring on the same device works well.  It looks like the keys are backed up but with some hardware key encrypting them.  I would like to know the details!

I dont use it anyway but thanks

Bump don't use it but this would suck if it happened to you.

The v2 GA app is not available in iTunes anymore.

Another recovery solution: if you have backed up v1 version of GA, you can install it over the new one using iFunBox. Looks like the tokens (keys) do stay inside the GA v2 app.

I just did that (installed Google Authenticator v1.1.4.757 over new v2 using iFunBox) and i got all the keys back.

Hope it helps...

Oops, just did...

I hate the red "1" sign on the top right, so I always upgrade everything as soon as it's available.

Just successfully recovered the old version in iTunes. Here is how I did it:

First of first, go to iTunes ASAP, locate your most updated iPhone backup and make a copy before you try any recover trick.

1. delete the new version of authenticator on your iPhone
2. disable auto sync in iTunes
3. Connect your iPhone via USB
4. Click your iPhone, then go to "application" tab
5. On the left side, scroll down, you gonna see the old version of authenticator, install it.

So close... ;)

thanks for sharing!

Any way to install old version from icloud?

If you have not sync'ed to icloud since upgrading, you can probably delete the app, and then restore from icloud. 

It worked, thanks a lot!!  :D :D :D

Phew, I have feeling really f****

Yep, worked for me.  Phew.

Did that and still didn't work. When I deleted the new GA app (or when you delete any app) it asks if you want to delete all the data that comes with it. In order to delete any app you have to say yes, is that why it probably didn't work? I know I've backed up my iPhone within the last few months so it doesn't make sense to me why it's not there.

Ok, so I unfortunately sync'ed my phone since updating the app. The last time my phone was backed up was 2 months ago. My keys were added after the last back-up. Am I screwed?!

It should be OK to delete the app's data - it should be restored when restoring from backup.  However, most people have automatic backups enabled, either over WiFi or when you connect the cable.  If a backup has occurred since you upgraded GA it is almost certainly too late.

Thanks for making this known! I almost certainly would have updated. Catastrophe avoided!

Let's assume that one has 2-factor set up for Bitstamp.  At the time it was set up, the QR code used to authenticate was saved and printed out.

Suppose I just throw my phone into a fire, switch carriers, phone numbers, etc..., and download a new Google Authenticator to my new phone.

Now, will my previously saved QR printout work?  Or is there something unique about each Google Authenticator app that should be backed up as well.

I thought the secret code/QR code would recover any "lost" google auth issues.

So as long as I have a backup of the QR code used to generate a working Google Authenticator token... it really doesn't matter what Google does, I can always get some copy of Authenticator from somewhere at some time and I can simply rescan and log in to Bitstamp or Mt. Gox, or whatever...

Is this a correct assessment?

It should certainly work.  What you have done is what we should all do!  Save the QR code or write down the secret key (around 20 characters, easily done).  That will also save you if you loose the phone.

Kill me pls.

So this is fine on android?

It's always a good idea to also backup secret key in case something happens to your phone, right?

I have all of them in a text file and zipped with 7z and passphrase.

I was able to restore back to v1 GA, but in case it wouldn't work, i would just enter secret keys again in v2 GA and "life is good" again.

I hope you guys make "GA secret key" backups too.

It is working fine for me.  I have the latest version for android 2.49

This is what I was getting at.  If every phone is different and all the GA's out there are different... then it isn't enough to merely backup the QR codes used to generate site specific tokens.  One must also have the token that GA uses in the first place, no?

Where does one find this?

Ok google have put up a support page here:

https://support.google.com/accounts/answer/3376859

And they suggest restoring from iCloud backup if you back up to it.  I tried the following and it worked for me:


The above was taken from here:

https://support.apple.com/kb/ph12521

Hope this helps!

Yes it is. In fact you should have a paper backup (just print the QR code) of ALL your Google Auth tokens.

I guess I should have a Post-It note with all my passwords pasted to my monitor too.

I have no clue about pretty much anything this thread is about, but I do have one crucial piece of advice that may help out:

If you've accidentally already synced your phone after updating, check your Recycle Bin (if on Windows).  My experience with iTunes is that if it was syncing a newer version from the phone to the PC, the older version was merely recycled rather than deleted entirely.  Delete the "new" version's *.ipa file from "My Music \ iTunes \ Mobile Applications", restore the old version from the Recycle Bin, and send that version back to the phone.

Nope.  None of it worked.  Even after deleting and doing an app-specific restore, installing the old version of GA, the keys are still gone, apparently irretrievably.  The whole fucking point of 2-factor is to keep the other factor solely on one physical object.  I'd be a lot more pissed if I had real money involved.  Google shouldn't just do shit they apparently have no fucking clue how to do correctly.

Titanium Backup.  Android not affected.

What will you do in case you lose your phone? A paper backup for the Google Auth tokens is mandatory - you obviously do not stick it to your monitor, you store it in a secure place. If you are extra paranoid, you store it GPG-encrypted.

our phone can get lost, it can brick because of a failed update, etc. - Using Google Auth without a backup of the security token is plain and simply retarded. Your phone can get lost, it can brick because of a failed update, etc.

This happened to me also.  I was using Google Authenticator with an exchange.  I upgraded to a new phone knowing that it would reinstall and import the setup for the keygen for the exchange.  I wiped my old phone and sent it off for recycling.  New phone came, set it up, and Google Authenticator did not reinstall.  When I reinstalled it, it did not transfer the config for the exchange.  So I tried a manual sync with my Google account.  No luck, gone forever.  Took me 2 weeks to get back into that exchange.  Fuck you Google Authenticator.

Well it doesn't show up for me in the App Store as an available update, so that's good. Still using the old version.

Blegh, I upgraded before I saw this thread. Everything is gone. I had a lot of codes in there. What a jerkoff from google, someone ought to be fired for this.

I don't update authenticator anymore.

Sorry to insist, but those who use Google Auth without a backup (paper or otherwise) shouldn't be allowed to use anything regarding digital finance. Did you know that phones get lost, stolen, become bricks, fall and break, their memory can fail... Or maybe there's a buggy update that screws them over... Really, didn't you know that?

Seriously guys, I use google auth too, and first thing I do from the very first day I use it is to make backups of EVERY key, and BTW I scan the QR from the backup to be sure everything is OK. Do you even think and understand what you are doing before using something like that?

WTF does digital finance have to do with something I only use for a single poker account, where the removal of Authenticator basically takes a week?  I only use it with Seals With Clubs because I never terribly trusted it, because I don't keep substantial amounts of money there, and because it is easy enough to remove.

Anything substantial stays in an offline wallet with both an electronic and paper backup in a secure location.

Anyone at Google who released an "upgraded" that universally trashes all keys is the one who should be barred from ever rolling out another product again.  Even a single test of this "upgrade" done before releasing it on a single device that previously had it would have made it blindingly obvious that it should not be released in its current form.

There are far better alternatives in any event, like Authy.

In my only previous experience with multi-factor stuff like this, it was to enter a workplace, where it was a physical dongle combined with a keypad entry.  And any other place I have had to use shit like this in the workplace (briefly), it was a firing offense to back it up in any way, on paper or in any other form.

They've released a new update. Its restore all my missing keys

I can confirm that the recent update (2.01) works fine and the keys are safe...  8)

I will try again... but I'm a little scary :P

Edit: I confirm now it is working :)

+1

Update 2.01 restored keys.

LOSE

Please edit title OP!

If OP updates he should also point out that they've fixed the issue now.

Done.

I can confirm that the new update fixes the problem, even if you've already restored from backup.  I would guess from this that whatever error Google made, it resulted in in inability to read stored keys rather than their destruction.

Google Authenticator (Android), my problem:  https://bitcointalk.org/index.php?topic=394188.0   

I have already upgraded my google authenticator on my iPhone hence I am trapped up in a big trouble. Can anyone tell me how to find my lost keys? I wish I would have seen this post before upgrading mine. Well I must recommend you all not to update as you could also be in trouble guys.

Keep a backup of the QR codes!

Why do you know an iPhone? The latest news from the NSA is that they control the data on all iPhones. So no matter how secure you feel the NSA has their hand in your back pocket at all times. :)

And this doesn't apply to Android why exactly?

Tin foil hats, man... Tin foil hats.

Though I'm not a huge fan, I own an iPhone and don't care if the NSA can spy. On an ethical standpoint, it sucks. But in the end, I don't do anything that would warrant them sneaking into my affairs.

Do you really think so disgruntled NSA worker would go get your Google Authenticator codes? If you think so, you might as well play the lottery I think.

So many people have this attitude it's unreal. Why would you want someone to actually spy on you? It's a form of stalking which is actually illegal. For example, if you were on the toilet and someone opened the ceiling up would you welcome them and ask them to come and shit sit and talk? It doesn't matter if you got nothing to hide it's the breach of you're privacy which is the real concern.

Depends who it was...  ;)

But in all seriousness, I do understand that it's wrong and that we shouldn't "put up" with it, but some people just make too big a deal out of it. Just because they can spy on you doesn't mean they do.

I do care, there is just so little I can do about it (outside the voting box every fourth year).  And is has no practical issues for me, I really doubt the NSA will steal my bitcoins, and I don't use them for anything they would be interested in.  But it does make me angry.  Very angry!.   And my own government seems to think it is OK the NSA (and who knows what other oh-so-friendly foreign agencies) spy on us.  >:(  >:(  >:(

The main practical problem is if NSA introduces security holes that other evil hackers abuse. 

The main real issue is that by embracing the methods of the totalitarian state, we are dismantling our democracy.  Replacing my iPhone with an Android will not help  ;)

I don't have nothing to hide, but definitely I do care. I had iPhone in the past (very first versions) but I will never again, I prefer to have an android phone fully rooted and modified so the spooks have a hard time gathering info about me.

I have been using Authy after finding out the hard way the issues that Google Authenticator has.  Especially being an android user, I flash my rom semi-regularly just to test new things out.

However, I've seen a few people mention having backups of the QR code.  That seems like a great idea, but it honestly would not have occurred to me before reading this thread. I think maybe the major players that use two-factor authentication *should* have some sort of message telling users that they should keep a backup somehow by printing the QR code or other means.

any way to use yubikeys as well as GA for 2FA to avoid these kinds of things?

Sorry for reopening this thread! If i make a normal backup with itunes, it will save my google authenticator codes?

I'm a android user,does update will create problem because the app is made by google

I meaning if i loose my iphone, i can restore from backup with all data?

I am a fan of Authy.  I have an old phone with Authy on it too, so if one is lost or stolen, I can still use the other. 

Yes, I think so. You might want to select something about backing up app data.  I haven't done it myself, but I have had many apps, with data backed up. 

Yes, make a screen shots of the QRC codes and back up the images offline every time you setup 2FA. 

That way, it's easy to add to a new devices when you replace or lose the previous one. 

BE CAREFUL:  It will save your GA codes encrypted in a way so they can be restored ON THE SAME PHONE ONLY.  If you lose your phone, you cannot restore as far as I know (although admittedly I have not tried).  Write down the secret keys as you install them in GA, you cannot do it later.