
Google Authenticator Now Syncs Your One-Time Codes Across Devices

The update matches a feature long offered by competing authenticator apps and password-manager services.

The one-time codes that Google’s Authenticator app generates to secure your accounts no longer have to live in one place. Instead, they can sync to your Google account.

This update announced Monday by Google closes a feature gap between Authenticator and such competing authenticator apps as Twilio's Authy (as well as many password-manager services) that have long provided cloud synchronization.

All of these apps stop a password from being the last line of defense for an account by generating quickly expiring, single-use codes as defined in the Time-Based One-Time Password (TOTP) standard. When you type in these numbers on a site's login page, the site compares the code you typed with one it just generated from the secret shared between your device and the site when you enabled TOTP verification. If they match, you’re in.

Google Authenticator was among the earliest mass-market TOTP apps, having debuted in 2010, but for its first few years it did not support phone-to-phone transfer of saved codes. You had to set them up anew for each account on a new device, a chore that Google security chief Stephan Somogyi admitted to me in 2017 was "a complete, total and unmitigated pain."

Google later added a more pleasant code-transfer system in which the copy of Authenticator on your old phone generates a QR code that you scan with Authenticator on your new device. But that doesn’t work with a lost or stolen phone, while the new account-synchronization feature ensures your codes stay with you, unless you opt to use Authenticator without an account.


To set it up, update the Google Authenticator app and you'll be prompted to link a Google account. You can then, for example, download Google Authenticator for iPad, log in with the same Google account and get codes on the iPad as well as the iPhone.

In the bargain, Google Authenticator’s app icon has changed from a stylized gray “G” to an asterisk in Google’s brand colors of blue, red, yellow, and green. 

Having your TOTP codes sync to your Google account also elevates the potential damage from having your Google account compromised. If you’re going to use this, you should lock down your account with a USB security key, the most secure sort of two-factor authentication available. Those keys, available from Yubico and other vendors for $25 and up, also verify your identity based on shared cryptographic secrets. And because they won’t even attempt that exchange with the wrong domain name, they’re immune to phishing.

Passwordless authentication, in which you confirm your login on a computer by unlocking your phone via biometric authentication (to confirm that it’s you) while in close proximity to that machine (as verified by Bluetooth to prove that you’re actually there), can do away with the entire need for two-factor authentication. But although Apple, Google, and Microsoft made an unusual joint endorsement of the passwordless spec last spring, the industry is only getting started in supporting this standard. 

About Rob Pegoraro