What is Google Authenticator and what is it supposed to protect?
Google Authenticator is a mobile application designed to generate temporary login codes (OTP – One Time Password) used as a second authentication factor (2FA) in systems that support two-factor authentication. Its main purpose is to add an extra layer of security to a simple password, making it more difficult for unauthorized access to your accounts.
In practical terms, even if an attacker manages to steal or guess the user's password, they won't be able to log in without the temporary code generated by the app. This approach has become a security standard across numerous online platforms, including financial services, cloud computing tools, email providers, and social networks.
How it works, step by step
Let's take a concrete example: imagine we want to log in to our account on a service that has enabled one-time password authentication. After entering our username and password, the system will ask us to provide a second code: this is the one-time password generated by the Google Authenticator app.
The app, once configured for that account, generates a 6-digit numeric code every 30 seconds. This code is calculated locally on the device using the TOTP (Time-based One-Time Password) algorithm, which takes as input:
- a secret key shared with the service server
- the current time of the device
Since both the service server and the app hold the same key and their clocks are synchronized, they both generate the same code at the same time. The user enters it into the login form, and if the code is valid for the current time window, access is authorized.
All this happens without requiring an active internet connection, neither for the app nor for the server that verifies the code. It's precisely this simplicity and independence that has made Google Authenticator so widespread.
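To make the mechanism above concrete, here is an added example (not code from the original article or from Google) that implements the RFC 6238 TOTP computation described here and in the history section: HMAC-SHA1 over the shared secret and the current 30-second time step, truncated to 6 digits, plus the server-side check that a code is valid for the current window. The secret, account name and issuer are constructed demo values; the secret is the well-known RFC 4226/6238 test key, base32-encoded the way the app expects it in a provisioning URI. The verifier also refuses a time step it has already accepted, so a code that was captured once cannot be reused.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple
from urllib.parse import quote

# Constructed demo secret: the ASCII key "12345678901234567890" from the
# RFC 4226 / RFC 6238 test vectors, base32-encoded as it would appear in
# the otpauth:// URI that Google Authenticator scans from a QR code.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret, tolerating missing '=' padding and lowercase."""
    padded = secret_b32.strip() + "=" * (-len(secret_b32.strip()) % 8)
    return base64.b32decode(padded, casefold=True)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second
    intervals elapsed since the Unix epoch according to the device clock.
    This is what the app computes; it needs no network access."""
    if at is None:
        at = int(time.time())
    return hotp(decode_secret(secret_b32), at // step, digits)


def verify_totp(secret_b32: str, code: str, at: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1) -> Tuple[bool, int]:
    """Server-side check of a submitted code.

    Accepts the current time step and up to `window` neighbouring steps to
    absorb small clock drift, compares in constant time, and rejects any step
    at or before `last_counter` (the step of the last accepted code) so a
    code that was observed once cannot be replayed.
    Returns (accepted, counter_to_store_for_this_user)."""
    secret = decode_secret(secret_b32)
    current = at // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_counter:
            continue  # already consumed (or older): replay protection
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True, counter
    return False, last_counter


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI encoded in an enrollment QR code. Note that the
    shared secret travels in clear inside it: any copy of this URI (or of a
    cloud-synced account) is a full copy of the second factor."""
    label = f"{quote(issuer)}:{quote(account)}"
    return f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"


if __name__ == "__main__":
    # Hypothetical enrollment for a demo account, then the app and the
    # server computing the same code for the same 30-second window.
    print(provisioning_uri(DEMO_SECRET_B32, "user@example.com", "ExampleService"))
    now = int(time.time())
    code = totp(DEMO_SECRET_B32, now)          # what the app would display
    print("app code:", code)
    ok, used = verify_totp(DEMO_SECRET_B32, code, now)
    print("server accepts:", ok, "stores counter", used)
    print("replay accepted:", verify_totp(DEMO_SECRET_B32, code, now, last_counter=used)[0])
```

The fixed-time values in the test below are the SHA-1 vectors from RFC 6238 Appendix B, truncated to 6 digits. Storing the accepted counter per user is the part most home-grown verifiers omit; without it, a code remains usable for the whole skew window even after it has been seen.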
A brief history of the application
Google Authenticator was launched in 2010 in response to the growing need for a second authentication factor for Google accounts, and was later made available for use with third-party services. Initially available only for Android, it was later released for iOS as well.
It works based on the TOTP (Time-based One-Time Password) standard defined by RFC 6238, and on the generation of OTP codes synchronized with the device's clock. The codes are regenerated every 30 seconds and do not require an internet connection or cloud access to function.
For many years, Google Authenticator was the go-to solution for two-factor authentication. However, it also faced criticism for its lack of backup and sync features, a shortcoming that was only addressed in 2023 with the introduction of cloud sync, which raised new security concerns.
Supported platforms
Google Authenticator is officially available for:
- Android (via Google Play Store)
- iOS (via App Store)
The app can be used to generate OTP codes for any service compatible with the TOTP standard, including:
- Google Account
- Microsoft Account
- Amazon Web Services (AWS)
- GitHub
- Dropbox
- Twitter (now X)
- Slack
- WordPress
- Hetzner, OVH, DigitalOcean and other cloud providers
- Banking services that support external OTPs
Additionally, it is also compatible with any custom system that supports generating TOTP codes through a shared key.
The problem it's supposed to solve: the weakness of passwords alone
Passwords alone are no longer considered sufficient. With increasingly sophisticated phishing attacks, databases of stolen passwords circulating on the dark web, and users' tendency to reuse the same passwords across multiple services, two-factor authentication (2FA) is now considered a minimum security measure.
Google Authenticator was created specifically so that, even in the event of credential theft, access to accounts is prevented without physical possession of the smartphone that generates the OTP.
Google's Backup and Sync Feature: A Double-Edged Sword
In 2023, Google introduced a much-discussed feature: the automatic syncing of OTP codes with your Google Account. This means that if you lose or break your smartphone, you simply log in to your Google Account on a new device to recover your saved codes.
At first glance, this feature greatly simplifies OTP management and recovery. But it also introduces a dangerous weakness: all the security of two-factor authentication is reduced to a single compromisable element, your Gmail account.
If an attacker manages to obtain a person's Google account credentials, they can simply install Google Authenticator on their own device and sync the OTPs, completely nullifying the protection provided by 2FA.
Real-world case study: 100 Hetzner cloud instances powered up in minutes
This article was born following a serious incident that occurred to one of our customers.
Within minutes, over 100 cloud instances were activated on the customer's Hetzner account, with a potential cost of thousands of euros. We initially hypothesized that access had been obtained using stolen credentials and an OTP that had somehow been bypassed. After a thorough analysis, we discovered that the attackers had managed to log in to the client's Gmail account.
From there, they regained access to Hetzner using the "recover password" procedure via email, and then used the Google Authenticator synced to that Google account to obtain the OTPs needed to bypass 2FA.
Result: the entire security mechanism collapsed, despite the adoption of two-factor authentication.
The false sense of security
This case highlights a key point: many users believe they are safe just because they use OTPs, ignoring that, if the OTP codes are synchronized and accessible from a cloud service that can be compromised (such as Gmail), the entire security system is fragile.
In other words, if your email is compromised, it's as if you don't have two-factor authentication.
The solution: Unlink Google Authenticator from your Google Account
Google allows you, even if it does not actively promote it, to disable OTP code synchronization with your Google Account. Simply go to the Google Authenticator app settings and remove the association with your Google Account.
This way, OTP codes remain only locally on the device and are not synced to the cloud. Even if someone hacked your Gmail, they still wouldn't have access to the Google Authenticator app and its codes.
But this solution has a problem: if you lose or break the smartphone on which the unsynced app is installed, the protected accounts will no longer be accessible, unless you have manual backups or previously saved emergency codes.
Best Practice: Clone your app across multiple devices
The best strategy, therefore, is to adopt a hybrid approach that combines the security of local management with redundancy across multiple devices, avoiding cloud synchronization.
- Disable Google Authenticator cloud sync on every device: in the app settings, remove the association with your Google Account.
- Use the Google Authenticator app's built-in export feature: in the app, tap the three-dot icon in the top right, then select "Transfer Account" → "Export Account". A QR code containing all your configured accounts will be generated.
- On the second device, open Google Authenticator and choose "Transfer Account" → "Import Account", then scan the QR code generated by the primary device. This copies all OTPs to the new device without the need to connect to a Google account.
- Store the secondary device carefully, or migrate to a third device for added redundancy.
- Alternatively, consider using open source apps like Aegis Authenticator or FreeOTP, which offer features such as encrypted backups and manual exports.
This method gives you an exact copy of all OTPs across multiple devices, ensuring that if your primary phone is lost or broken you can still access your 2FA-protected accounts, without exposing your codes to the cloud and without depending on Google's automatic synchronization.
Conclusion: Protecting the OTP means protecting the digital identity
Two-factor authentication is an important measure, but it's not foolproof. Blindly relying on a cloud-synced OTP app can give a false sense of security and become a vulnerability.
The case of our client, who saw his Hetzner account hacked and compromised with potentially very high damage, teaches us that it is essential to understand how the security tools we use really work, and to configure everything carefully.
In an increasingly connected world, protecting credentials and OTPs means protecting your digital identity, your data, and often your wallet.
Don't let the convenience of the cloud compromise the security of your accounts.