
I have 2FA backup codes! They let me log into my account! But using only backup codes, I cannot remove the lost 2FA. So now I have 8 consumable backup codes and after that I will not be able to access the account.

To remove the lost 2FA, I need a fresh 2FA code. No alternatives given.



The solution (which is too late to help you with now) is to take a photo of the QR code that is first shown to you when you originally set up 2FA. Keep that safe somewhere and you can always go back. For anyone who is freaked out by this and currently still has access to their Google Authenticator app, I suggest exporting all your codes to a big QR code in the app and keeping that safe (maybe print it out).


You can do this, or you can write down the secret (Click to get the text), and use oathtool to generate codes rather than google's auth.

I keep all my 2fa secrets in pass for this reason. Never lose access again!


But be careful. If you access the passwords and 2fa secrets via the same credentials you are back to one factor authentication if secret + pass store ever get compromised.

Imho it's a different story if you use a separate gpg-key/secret to access the 2fa secrets (which should also only happen in emergency cases).

This can easily be done with pass.


Yeah... I do the same thing. 2FA secrets in my password vault.

I KNOW it defeats the purpose. But honestly, where the heck else am I supposed to put them? I know from experience that printouts get lost, and also that if someone were determined to hack me, the easiest route would be to break into my home and find the printouts.

So I guess I'm technically supposed to subscribe to a second password manager and store just my 2FA secrets inside of that, with a different master password. Or, put the 2FA secrets inside their own encrypted file stored in my password manager, but once again with their own password that... I can't keep in my password manager. But the biggest problem with both of these is I'm going to forget the password. I never forget my password manager master password because I use it weekly. But asking me to remember a password I last used 3 years ago because that's when I set up 2FA? It's not gonna happen.

It all feels so absurd that the UX side of me just rebels. Expecting users to store 2FA secrets in a different place from their passwords that is also just as secure... is just not something normal people are ever going to do.


It's misleading to say that storing your passwords and 2FA secrets in the same place defeats the purpose. There are several vectors here, right?

Enabling 2FA on a site (regardless of how or where the 2nd factor is stored) means if a malicious party were to obtain your plaintext password, they still wouldn't be able to access your account. So, outside of the entire discussion of password managers and secrets, 2FA does require a second factor.

Keeping your 2nd factor in the password vault does make the vault a much higher-value target. But it doesn't diminish the fact that if only your plaintext password is compromised (for example through a leak or re-use) the account is still protected until the point the 2nd factor is compromised.

Security is a spectrum, and often at odds with convenience. While demonstrating that something is provably secure is important, I feel we often fall victim to the nirvana fallacy when discussing the practical everyday use of these things.


Off topic: remarkable that you've made your first comment from a near-decade-old account!


Long-time lurker, first-time caller.


> store 2FA secrets in a different place from their passwords is just not something normal people are ever going to do

Normal people, in the sense of people who do what the interface says to do instead of layering anything else on top, are told 2FA means "something you know, and something you have."

"Know" means it exists only in your mind; it is not stored elsewhere. "Have" means you cannot possibly produce it with your mind; it's stored elsewhere.

When abiding by this concept, "storing 2FA secrets in a different place from their passwords" (the former in some electronic or printed format; the latter in one's mind) is simple. Things get complicated when people start storing both in some electronic or printed format, but that's not what any login interface tells people to do.

The neologism "passkey" (a string used in lieu of a password, but which is not memorable, and therefore is destined to be something you "have") will probably help to sort out this concept: there would be no confusion about the fact that combining a passkey with totp constitutes two "have" items, and therefore is 1FA until combined with something else (biometric, probably).


I think using a password manager is already 2FA.

Something you have: a password database on your PC.

Something you know: your master password.

TOTP is a nice addon, but you can store it in the same password manager. It will still help with some attacks (e.g. if a hacker manages to MITM your traffic, they only get the password + one code, which is not sufficient to log in again).


> I KNOW it defeats the purpose. But honestly, where the heck else am I supposed to put them?

Backing up my 2FA codes is one of the reasons that led me to create PortableSecret: https://news.ycombinator.com/item?id=34083366

Some people took issue with my comment regarding ‘not all secrets belong in your password manager’ but your comment is exactly what I meant.


My laptop, which contains all this secret information, is way, way more secure than my phone. There's the boot decrypt password, login password, then gpg password. My phone has ... A pin.

And besides, this is fine as an archived backup in case someone loses their phone. It just so happens it's faster for me to xsel the output of oathtool than it is to unlock my phone, open app, select account, and remember code, esp because I live in the terminal anyway.


Android phones are encrypted by default, but for encryption, they use the same PIN as your lock screen. There's some command you could run to replace it with a strong password while keeping screen lock PIN simple, but it didn't work for me last time I tried.


Surely the data is encrypted using a 128 bit key or better, and the key is stored on some secure enclave which rate limits PIN entries, is it not?


> Surely the data is encrypted using a 128 bit key or better

I think so, yeah.

> and the key is stored on some secure enclave which rate limits PIN entries, is it not?

That – I'm not so sure about. I didn't really think about it too much before you pointed it out, but it would make sense for the Android folks to have implemented it. I'll look into it a bit later!


How is a regular user supposed to think of all this in advance? It's ridiculous. Securely proving your identity in case of loss of proof of identity is hard enough with just passwords. With 2FA it's pretty much impossible.


I'm sure all of this will make sense to grandma, too.

(Gmail's main target is not devs, or even computer literate people. And owning a smart phone != literate.)


It may not help grandma as much as someone who maintains some popular opensource library that you may happen to use or someone that puts parts of their savings into crypto.

Who is more likely to visit this page (and use tools like pass) is up for you to decide.

The point still stands. Storing passwords and 2fa secrets inside the same box will weaken the 2 in 2fa.

> (Gmail's main target is not devs, or even computer literate people. And owning a smart phone != literate.)

Grandma can always print the 2fa seed or write down the alphanumeric value and store it not next to the sheet with her passwords – same principle (I think she won't use pass anyway as opposed to the person I was originally replying to which tells me they are most likely technically literate).


Grandmas usually don't set up two-factor authentication in the first place.


Google will leave grandmas no choice.


This is not entirely true.

https://security.stackexchange.com/a/194279 explains it better than I could.


I enrol any TOTP codes into 3 Yubikeys, and also keep the private key physically printed out.

Although, for Google, I'm using FIDO.


for the curious:

    # Look up <account>.secret in pass, generate a TOTP code with oathtool
    # and copy it to the clipboard. Variables are quoted so a secret or
    # account name containing spaces does not get word-split.
    function 2fa() {
        local sec code
        sec=$(pass show "$1.secret") || return 1
        code=$(oathtool -b --totp "$sec") || return 1
        # printf instead of echo: no trailing newline ends up in the clipboard
        printf '%s' "$code" | xsel -ib
        echo "Copied $code"
    }

then call it as `2fa <account>`, and make sure you store each <account>'s secret as `pass insert <account>.secret -e`.

refs: https://www.cyberciti.biz/faq/use-oathtool-linux-command-lin...


You can do this, or you can just start using Microsoft Authenticator which will sync your Authenticator codes to your Microsoft account for when you reinstall the app elsewhere.


I just checked, and my MS Authenticator is backing up to... my Google account.

So, I thought I'd better change that... but it looks like you can't change your recovery account.

Why are 2FA apps so obtuse!


On iOS, MS Authenticator backs up to iCloud. No way to retain the codes on an iOS->Android migration (or the opposite).


MS Authenticator breaks if you have to do a factory reset on the phone.


this is also fine. I have a personal preference to never look at my phone while working, and I'm always in terminal anyway ...


Well I have a backup phone - where I would scan 2FA code with 2 phones.

Now it is not that necessary because google authenticator allows transfer of data.

But when Authenticator had no such option I was quite terrified and came up with the idea to get another phone just as a backup and scanning the 2FA code with 2 phones always for all websites. Of course the backup one is always on my desk - but I don't have an offsite backup for these. Problem is I don't want these TOTP tokens offsite really so it is a bit of a challenge :) to come up with an everything-proof plan.


There are a lot of options, including free software and no-cloud alternatives, to get backups without doing that manually in such a cumbersome or fearful way as you are now.

For example:

> "Password Store" ('pass' compatible) for Android also supports TOTP to tokens and Gpg encryption.

> With Syncthing, 'gopass' and 'Android Password Store', I have a fully open source, very easy to reason about fully in my control, password and totp storage, accessible on all my devices. All of which can only be accessed with my Yubikey that I keep in my pocket and my GPG PIN.


I store them in a KeePassXC database for syncing and also protect it with a Yubikey. Lets me back it up to other places while also allowing them to stay secure. Most other password manager solutions should also be able to be used to keep them secure and backed up.


And this has now just encouraged me to buy a Pixel 6A running GrapheneOS to have as a backup at all times for my important google accounts


I feel like I'm asking a dumb question but why not just use a password manager that syncs your stuff and handles 2FA like 1Password? Break the phone? No worries, you've got the info on your desktop. House goes up in a fire, no worries, they've got it on the cloud and you can access it from a friend's house / library / whatever.


You can't actually access your 1pw vault from wherever if you don't have an existing authenticated device or a copy of your secret key. That's intended to provide added security in case your master password is compromised. So to guard against the house burning down situation you need to either keep a printout of the secret key somewhere else (friend's house, bank box, etc.) or save it somewhere (secure) online where you can get it without using 1pw.


The QR that you mention, is just an encoding of an actual string key (edit: I'm reading now that it's called seed). If possible, it is better to get the string directly, instead of its QR encoded counterpart.

This is needed for example to store the TOTP in a device that has no camera. Or in your Bitwarden Pro account. Obviously you wouldn't be able to scan a QR with such an application, so the actual string is needed; you just copy-paste it, so it should be provided by any service that offers 2FA (I confirmed Google does).


You are correct about the QR code just representing a (fairly short) string, but applications can handle QR codes just fine - 1Password can read it directly from the screen.


There may be a plugin for it but the KeePass clients I've used don't support this by default. Generally, it would be best to look for the string (and keep both the string and the image secret!).


KeepassXC lets you store the TOTP seed value associated with an entry by right-clicking on that key and selecting "Setting up TOTP".

Also, other TOTP generators like Authy and Aegis let you backup your tokens to restore to another device.


Yes, but be careful which TOTP app you're using to store seed values/secret keys: some store them as plain text! Personally on Android I'm using keepass2android and KeePassium on iOS to store both the QR image and the string value. It will also generate the OTP value at login. As you know, the KeePass password file can be backed up anywhere.

https://raw.githubusercontent.com/blues-lab/totp-app-analysi...


You can scan any QR code with the iPhone default camera app and get the string back that way. But yeah, all QR codes are just encoded strings.


Sharing a useful app I found: The Orca Scan app on iPhone can scan and decode all kinds of barcodes and qr codes


Linux:

    xclip -sel clip -t image/png -o | zbarimg -
macOS:

    pngpaste - | zbarimg -


Why not both? Thanks for the clarification.


You can extract plaintext secret keys from google authenticator app and store them in user friendly format/password manager

https://github.com/scito/extract_otp_secrets


If you're using Authy: https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d... (be sure to read the comments if you see "appManager is not defined")


Warning: Samsung browser on Galaxy S10 hangs when opening this URL.


1Password stores QR codes and syncs them across any device that has access to your vault. I highly recommend this solution if you're worried about losing access to your 2FA codes. It is also easy to back up.


This article helped me to understand how totp works and how it can be implemented [1]

[1]: https://digitalbunker.dev/how-do-time-based-one-time-passwor...


If you use 1Password, the initial code (just a string) is always available in the app. You can use it to move TOTP to another app, if you wish.


Printing it out and putting it in some safe is what I did.

And works like a charm.

I mean, if it works for crypto wallets it might also work for 2FA...


I use VaultWarden to store my 2FA info which (aside from being very handy) replicates the codes offline on each device I sync my vault to.


This. I always keep that QR code screenshot & phrase in a separate KeePass database. Instant same 2FA anytime.

https://spa.bydav.in/otp.html

Shameless plug: I spun up a local HTML/JavaScript page to import and export these code phrases anytime, with customization options like issuer name, account name etc.


Best bet is to save those QR codes (or text codes) in a different vault. I use passwords in LastPass and QR codes in KeePass.


So if my MFA-secured Google account is working fine right now, is the best course of action to remove MFA, then re-add it with this QR picture and/or jotting down the key trick?


Fully understand why some people wouldn't want to do this given the LastPass hack, but some authenticators like Authy let you store a master backup password for all your codes.


And for authenticators that do not allow exporting the secret, while your authenticator is not lost yet, add another authenticator, and during registration save the QR code.


There is no option to add another authenticator app at https://myaccount.google.com/security (desktop UI). I think the only feasible option is to first remove Google Authenticator and then re-enable it.

Seriously, Google?

Might be micro, but this is not a sign of a healthy company on an upwards trajectory.


It's time to de-google. Seriously. Now it's from a self-preservation POV, not a political POV.


And this is how you turn a second factor into another first factor.


Wait, they have the authority to block your google auth app? Last I checked, the app is not connected to your google account. And the app's functionality is open source (TOTP). So how does enforcement work?


This assumes you are using TOTP.


Or save the TOTP hash directly.


I remember Google not letting me log in with my TOTP code when it insisted on me clicking a prompt I hadn't received. Only after two timeouts did it add the option to use a TOTP code. If I recall correctly, I had to let the thing fail and then click "let me try another way" or something similar. This leads me to believe that maybe Google hides certain options by default.

However, I also think that Google keeps track of a "security rating" for your session; when I don't log in for a while, Google asks me for my password but when I use that same session token on another physical address I also need to authenticate with 2FA.

This may imply that failed login attempts may flag your session as even worse than before. I have no idea if this is actually how it works or if this is purely coincidental, but it may be worth keeping in mind given that you have limited backup codes available to you.

My recommendation would be to first get a Google Takeout backup stored somewhere safe, then see if you can get another 2FA method that you have control over connected to your account.


Yep it absolutely ratchets up "suspicion" on your account, and failed attempts will quickly get your account in some sort of state where you're locked out. It's absolutely maddening.


Definitely - and now that I've gone to that 2FA page and let it time out (since I only have backup codes), I think it's ratcheted up suspicion higher, as these login attempts count as "an attacker has the password but not the 2FA code!"


Definitely. I did that a few weeks ago and got an email from Google to my gmail saying something along the lines of "somebody has your password and is trying to log in!" even though it was just me on a different computer and after submitting password I realized I didn't have my phone on me so couldn't submit the 2FA. It was even a computer on the same LAN (with same WAN IP), so not like I had an active session in the US while the attempt came from Moscow...


Can't you add a security key like a Yubikey? Do they let you do that without requiring your Google Authenticator / TOTP secret?

What about adding someone who can get access to your email after six months of inactivity? Maybe they let you add that without your lost google authenticator? It'd be better than nothing.


Time for a Google Takeout while you still have access to the account then!


If you login on your phone, it’s possible your phone will automatically become a “second factor” if on Android, or if you have Google apps installed on iOS. This would resolve the problem, but I can’t promise it’ll work.

Note: I mean in mobile apps, not browsers.


Time to repeal 2FA. I can't believe it's required for SOC2 type 2 compliance.


2FA/MFA isn’t the problem. Google is just a pain to deal with when their products don’t work as expected. On one hand, security-wise, it’s good that they tend to design their algorithms to err on the side of being restrictive, but on the other hand, they have no legit support, so if you or their algorithms mess up and you’re locked out of your account, you’re basically on your own. For a company so many of us rely on so deeply, that’s awful!


Nobody should be forced into this terrible scheme if even Google can’t get it working. It’s a case of “this idea isn’t bad, people just implement it wrong”. If nobody can implement it right, it’s not right. Complexity kills.


The alternative is picking a smaller company that might be an easier hacking target or might go out of business when you're not paying attention. I have a Protonmail account but I do wonder how long they'll be around.


2FA is okay. But the practice of backup codes sucks. Instead, save the TOTP hash and make extra sure to back it up. Then you can just reconfigure your 2FA app.


This really isn't a problem with 2FA. It is a problem with Google not understanding the reason for backup codes. It's just plain old bad design on Google's part.


Thank you for this. I will make extra backups of my 2FA seeds. I currently have all of them in my Bitwarden vault, which probably won't ever fail me, but it's better to be extra safe.



