
I had always thought that the lack of cloud synchronization was a deliberate security feature. If my TOTP secrets sync to the cloud, doesn't that defeat the entire point of 2FA? Now, instead of my physical device being the sole second factor for authentication, if anyone is able to breach/intercept/coerce someone at Google into divulging/etc the TOTP secrets from Google's cloud storage, my accounts are toast...



While I agree and wouldn't use this personally, I do have arguments in favor of it.

1) Attack vector reduced to one account which you maintain with healthy hygiene, and hopefully don't use with public systems, etc.

2) You can keep a backup 2FA for a single account instead of keeping one for N accounts.


Agreed, it seems bizarre to me that any company, especially Google, would roll out something like this.

