2FA Google authentication

[8m_zk]

Hi tech guys,
Please help me with my question concerning 2FA. Do you think it's essential security measure, does it work very well? Then Google will have my security code, right?
I'm just afraid to do smth wrong like lose password or QR-code or smth and lose my crypto.

[OcTradism]

You can get secret code and import it into any 2FA app. It works universally.

Authentication: Types, Risks/ Attacks, Advice. The clarification from o_e_l_e_o  is perfect.

if most of service currently just have Google 2FA on their services?. So far, I'm just seeing it on service i use no other 2FA options except SMS/email  verification.

I'm not entirely sure what you mean here, perhaps because I do not use any Google products so I'm not aware of what their 2FA options are. If a site such as a crypto exchange says "Scan this code with your Google Authenticator App", then you should be able to use any 2FA app. I have certainly done this in the past and it works fine.

If the service only offers SMS or email verification for 2FA, then you obviously can't use an app - you can only use what the site offers. Both of these are not great choices, but you can make it slightly better by using a different email address with a different password to the one you use to log in to the account, or by using a burner phone with a number you do not use for anything else and which you never use to access the services in question.

You can choose open source 2FA apps to use.

Most of these are not open source and do not allow proper encrypted back ups. Google Authenticator in particular is awful from the regard. FreeOTP is no longer in development. Here are the apps you should be using:
Android - Aegis or AndOTP
iOS - Tofu or Authenticator

[BrewMaster]

it depends on the reason why you are using 2FA (through Google Authenticator). for example for an account that you must have and there is no other ways around it (like your exchange account) it is an excellent additional security and you must have it. but for your wallet account (of custodial type), you should rethink using that wallet because your money is already not-safe since you don't control it, adding the 2FA will secure your account not your money.

Then Google will have my security code, right?

as far as i know the software does not broadcast anything unless you explicitly create a backup of your keys. so Google won't know your codes.

[Abdussamad]

the shared secret is also not the same as your bitcoin private keys or seed. it is only used to generate one time passwords for authentication purposes.

[mysterious1998]

I Don't recommend to use 2FA google authenticator as its's almost impossible to recover your account once you lost your codes. I've lost my device in which my codes were saved and i then i realized that i am unable to access my google account even my phone number was registered in gmail . I've lost all my data and trust me It sucks.

[coupable]

I Don't recommend to use 2FA google authenticator as its's almost impossible to recover your account once you lost your codes. I've lost my device in which my codes were saved and i then i realized that i am unable to access my google account even my phone number was registered in gmail . I've lost all my data and trust me It sucks.

All of your logins protected by 2FA google authenticator have each a backup code that can be used in another device. And if you are looking for a more secure option, try Authy ; it's a nice alternative for google authenticator and can be secured by a single code backup which can be used to recover the app with all the accounts within if your device gets compromised or you accidentally erase the app.
About 2FA google authenticator, i didn't face problems using it but i remember hearing that it has been somehow compromised and some hackers succeeded to login users accounts using it. Not sure about this info so maybe someone could correct it .

[Charles-Tim]

About 2FA google authenticator, i didn't face problems using it but i remember hearing that it has been somehow compromised and some hackers succeeded to login users accounts using it. Not sure about this info so maybe someone could correct it .

I still remember of a news I read on cointelegraph this year about google 2fa being compromised. It is not the fault of the app itself, the hackers used tricks to make victims download a trojan horse that was installed on the devices. If someone can not handle anything about malware, how can he use bitcoin wallet successfully or using 2fa app successfully.

Although, I am not a fan to any google products, because google are privacy invaders. Also I can not use Authy, although it is much simple to use by synchronizing the backup on cloud, of which I do not believe in such. I prefer to keep my backups offline which is the safest.

I Don't recommend to use 2FA google authenticator as its's almost impossible to recover your account once you lost your codes. I've lost my device in which my codes were saved and i then i realized that i am unable to access my google account even my phone number was registered in gmail . I've lost all my data and trust me It sucks.

If because you lose your code is the reason you do not recommend any 2fa, you are then wrong. The best you can do is to make a backup of the 2fa backup code and safely store it somewhere safe from attackers and damages and yet also still accessible to you.  Authy can the best for you then, but I can not recommend it due to what I mentioned above about synchronizing with online cloud which makes backup recovery easier. 

The best 2fa I have known and that I can recommend are Aegis, authenticator and andOTP.

[masulum]

You can get secret code and import it into any 2FA app. It works universally.

Yes I know it now, you can ceck my last comments. Here, my misunderstanding is because the service just mentioned G2FA only, so i think if it only works for google 2FA only.

[HCP]

Yes I know it now, you can ceck my last comments. Here, my misunderstanding is because the service just mentioned G2FA only, so i think if it only works for google 2FA only.

Yeah, it's a common misconception that "Google Authenticator" is a "Google Only" service... you're not the first (and won't be the last) person to get confused by that. I certainly was when I first started using Google Authenticator several years ago. The sites that have implemented the 2FA service are partly to blame by calling it "Google 2FA" etc...

And Google really should implement a "proper" (encrypted) backup solution for Google Authenticator. Relying on users to safely store the individual "secrets" themselves is messy and prone to error. Authy, Aegis and Authenticator (Plus) (and others) have all been able to come up with solutions, I'm not sure why Google can't?

[tin.crypto0714]

Hi tech guys,
Please help me with my question concerning 2FA. Do you think it's essential security measure, does it work very well? Then Google will have my security code, right?
I'm just afraid to do smth wrong like lose password or QR-code or smth and lose my crypto.

Yes, it's essential. 2FA will help you secure your account including your crypto on hackers. I'm Actually using it and my account is secured.

[NeuroticFish]

Please help me with my question concerning 2FA. Do you think it's essential security measure, does it work very well? Then Google will have my security code, right?
I'm just afraid to do smth wrong like lose password or QR-code or smth and lose my crypto.

No, Google should not have your security code. Actually if you lose your phone and didn't back up properly the seed for the authenticator (when you created/set up the 2FA) you'll probably lose it.
This being said there are better alternatives than Google Authenticator, which do the same job but also allows you keep a safe copy somewhere.

It works well, but you may have surprises in the future, because the generated code is based on timestamp. And if your phone, the auth app or the website where you try to enter don't have the time set well, the code will not be accepted. (Usually a sync of your phone fixes this).

About losing crypto. If you use the 2FA on the same phone as you access the web services, you weaken the security by a great deal and if the phone is lost, stolen or compromised you may lose funds also with 2FA.


Imho the main rule is to keep the funds you don't need "now" safely offline on a wallet you and only you control. This means no web wallet, no big money on exchanges, no cloud, desktop or e-mail backup of the seed/private keys (use paper, steel, whatever). And/or make use of hardware wallet.

[8m_zk]

Yeah, that's what I meant if I don't back up the seed for the authenticator. Thanks for the information, I'll check the alternatives to Google 2FA

Please help me with my question concerning 2FA. Do you think it's essential security measure, does it work very well? Then Google will have my security code, right?
I'm just afraid to do smth wrong like lose password or QR-code or smth and lose my crypto.

No, Google should not have your security code. Actually if you lose your phone and didn't back up properly the seed for the authenticator (when you created/set up the 2FA) you'll probably lose it.
This being said there are better alternatives than Google Authenticator, which do the same job but also allows you keep a safe copy somewhere.

It works well, but you may have surprises in the future, because the generated code is based on timestamp. And if your phone, the auth app or the website where you try to enter don't have the time set well, the code will not be accepted. (Usually a sync of your phone fixes this).

About losing crypto. If you use the 2FA on the same phone as you access the web services, you weaken the security by a great deal and if the phone is lost, stolen or compromised you may lose funds also with 2FA.


Imho the main rule is to keep the funds you don't need "now" safely offline on a wallet you and only you control. This means no web wallet, no big money on exchanges, no cloud, desktop or e-mail backup of the seed/private keys (use paper, steel, whatever). And/or make use of hardware wallet.

[8m_zk]

Thank you for your reply, I'll be checking alternatives you mentioned to Google 2FA

Yes I know it now, you can ceck my last comments. Here, my misunderstanding is because the service just mentioned G2FA only, so i think if it only works for google 2FA only.

Yeah, it's a common misconception that "Google Authenticator" is a "Google Only" service... you're not the first (and won't be the last) person to get confused by that. I certainly was when I first started using Google Authenticator several years ago. The sites that have implemented the 2FA service are partly to blame by calling it "Google 2FA" etc...

And Google really should implement a "proper" (encrypted) backup solution for Google Authenticator. Relying on users to safely store the individual "secrets" themselves is messy and prone to error. Authy, Aegis and Authenticator (Plus) (and others) have all been able to come up with solutions, I'm not sure why Google can't?

[8m_zk]

yes, that's exactly what I'm afraid of and it definitley sucks when it happens, I will be checking the alternatives that many helpful fellows recommended

I Don't recommend to use 2FA google authenticator as its's almost impossible to recover your account once you lost your codes. I've lost my device in which my codes were saved and i then i realized that i am unable to access my google account even my phone number was registered in gmail . I've lost all my data and trust me It sucks.

[Chikito]

I Don't recommend to use 2FA google authenticator as its's almost impossible to recover your account once you lost your codes. I've lost my device in which my codes were saved

That is your fault, smart boy didn't save the backup code on the same phone. Backup code is just number, you can easily write it on paper and keep it far away from your phone. Or if you lazy to write the code, first time set up Google Authenticator, simply make a screenshot of the barcode and print it.

[masulum]

That is your fault, smart boy didn't save the backup code on the same phone.

Just because someone doing bad or makes a mistake, it doesn't mean he/she not a smart person. thousand people learning new knowledge everyday. From the case, people will learn to be a better person. Now he makes a mistake storing key in the same device, because he is new about this.

[suzanne5223]

I Don't recommend to use 2FA google authenticator as its's almost impossible to recover your account once you lost your codes. I've lost my device in which my codes were saved

That is your fault, smart boy didn't save the backup code on the same phone. Backup code is just number, you can easily write it on paper and keep it far away from your phone. Or if you lazy to write the code, first time set up Google Authenticator, simply make a screenshot of the barcode and print it.

In an occasion where security is top priority, the backup code should only be screenshot and print only through an airgap computer or write it down instead. However, there have been an occasion where attacker are able to bypass google authenticator and I will advise the OP to you use open source and decentralized authenticator like Aegis.

[Pmalek]

And Google really should implement a "proper" (encrypted) backup solution for Google Authenticator. Relying on users to safely store the individual "secrets" themselves is messy and prone to error.

I agree with the suggestion to introduce encrypted backups, but not with the second part of your statement. At least we Bitcoiners should be well accustomed with storing weird strings (private keys) or a bunch of word combinations (the seed). I have a written copy of each of my 2FA codes that I use for exchanges and other services. It came in handy a few years ago when my old phone suddenly died. 

[NeuroticFish]

And Google really should implement a "proper" (encrypted) backup solution for Google Authenticator. Relying on users to safely store the individual "secrets" themselves is messy and prone to error.

I agree with the suggestion to introduce encrypted backups, but not with the second part of your statement. At least we Bitcoiners should be well accustomed with storing weird strings (private keys) or a bunch of word combinations (the seed). I have a written copy of each of my 2FA codes that I use for exchanges and other services. It came in handy a few years ago when my old phone suddenly died. 

I've done the same during the years. But also during the years I had (1 or 2) weird surprises: no seed was provided so I can save, only the QR code.
And in such cases proper software that can do proper backup it's not "a solution for the lazy", it's actually the better solution.

I've migrated away from Google Authenticator (many months ago) and I am since then a happy Aegis user 

[Pmalek]

But also during the years I had (1 or 2) weird surprises: no seed was provided so I can save, only the QR code.

I know what you mean. I noticed this on an exchange I was forced to use occasionally many years ago. 

I've migrated away from Google Authenticator (many months ago) and I am since then a happy Aegis user 

Google Authenticator now allows users to create and download a backup of their codes. Were you able to import this backup into Aegis or did you add the 2FA codes manually? Also, can Aegis be used all over the place same as Google Authenticator or does it come with some limitations? I am considering using Aegis myself, so it might be good to know.