A huge headache created by Google Authenticator.
Issue #207 • May 24, 2022 • By Ernie Smith • View on Web

The Missing Second Factor 🔐

Google, for some reason, let its Authenticator app break for a sizable chunk of its Android users over the weekend, leaving at least some of them without an easy way to log into their accounts. WTF, Google?

Sponsored: Today’s issue is brought to you by Morning Brew. Like addictive early-morning reads? Morning Brew is a good place to look—after you’re done reading MidRange, of course.

(Jon Moore/Unsplash)

As someone with a lot of computers who takes his security seriously, I tend to type in a lot of two-factor authentication codes, in part because I want to keep certain logins secure and it’s my way of ensuring that only I can access my applications.

It’s a little frustrating to have to grab my phone every time I want to log into my email provider, sure, but it also means that nobody else can log into that service unless they physically have access to a device of mine that can generate two-factor authentication codes.

But I have to admit, something happened over the weekend that had me questioning the push towards two-factor authentication. And that problem was with the authenticator app itself.

Essentially, Google let its Authenticator tool sit around with a botched Android update for a whole weekend, preventing anyone who relied on its two-factor authentication tool (and for some reason had a random incompatibility with their Android app) from using it. And because Google doesn’t tie Authenticator codes to, say, a Google account, this meant that deleting the app would have potentially put me in danger of straight-up losing the codes that I needed to log into my apps.

Now, I had a backup option for getting into my accounts—a version of the Authenticator app for iOS, which I could access via my iPad—but it was significantly less convenient, the difference between having my second factor in my pocket and my second factor on the other side of the house.

Markus @MoeFwacky
Google Authenticator has decided it's going to crash on every attempt to launch it, effectively locking me out of half of my 2FA accounts. What in the actual fuck,

05/20/2022 13:06 • 0 retweets • 2 likes

But I’m lucky I at least had that! See, it turns out that I was not the only person who had this problem, with some saying it was a deep inconvenience. Google literally convinced numerous people to use this tool to log into their accounts, uploaded a botched update that prevented a number of people from logging into their accounts in a secure fashion, and didn’t bother to update with a fix for four whole days. Some of them were left begging for a fix.

I initially thought this was a Samsung issue, and because Google doesn’t have, like, a phone number that you can call, I spent hours on the phone on Saturday basically trying to reach someone on the technical support lines I could access—both T-Mobile and Samsung—to inform them that they have a botched update for an essential application hanging out on the Google Play store.

This was not easy. I had to explain to T-Mobile that no, I was not going to delete this app and lose all of my logins, and to Samsung that yes, this is their problem even if they didn’t make the app themselves. This was a frustrating process, but T-Mobile seemed to take it seriously enough that they called me back multiple times to check in on the problem. (Google, it’s been 25 years, you’ve made your point; open up a damn customer support line already.)

The thing is, two-factor authentication is growing in importance as a way of securing identity. At work, I have to log into a second factor, using my phone, just to access my applications. Numerous other applications are reliant on second-factor authentication. Google itself is starting to require people to use two-factor to log into their Google account (which, fortunately, does not require Authenticator). Applications like GitHub are also moving to require two-factor authentication.

I guess what I’m trying to say is that this should just work, and despite that, Google just let this essential tool hang around for a whole weekend, not letting people log in.

We shouldn’t settle for that—not when it’s our security on the line.

Related Reads:

Time limit given ⏲: 30 minutes

Time left on clock ⏲: 3 minutes, 47 seconds

If you like this, be sure to check out more of my writing at Tedium: The Dull Side of the Internet.

Do you own a newsletter? Want to try your hand at writing an entire article in 30 minutes or less? If so, let’s do a swap—reply to this email to see about setting something up.

Dig this issue? Let me know! (And make sure you tell others about MidRange!)

Copyright Š 2021-2022 Tedium, all rights reserved. No Elon Musks were involved in the making of this issue.

unsubscribe from this list | view email in browser | sent with Email Octopus