If memory serves, you have to approve on the app when another device is added. You also get a notification when an account is added. Your mobile device is the "source of truth" and can disable any synchronized apps at any time. The other alternative is using Authy which will allow you to sync your codes across multiple devices including a desktop. Using the TOTP feature and Yubikey requires their "premium" paid service, but it's extremely affordable ($10/year for an individual, $40/year for a family of up to 6 users which also includes password sharing). This is secure as long as you keep your account secure (strong password and MFA, I use a Yubikey for MFA). It's handy because the MFA code lives with the password. You can put the TOTP code in when you save the password to the service and it will generate for you on the fly. I'm sure I'm overlooking something really basic. I figure if anyone knows the answer, it'll be this sub. Its being tied to the phone OS makes it not really a distinct authentication entity like a hardware token, so separating it from desktop seems pointless to me. I don't want to have to keep a spare phone with my auth app on it in case my phone breaks for the 1000th time and has to be replaced again. I'd just go with an RSA token for everything, but so many sites take Google Authenticator only.
So why aren't they doing it? And furthermore, why do you have to scan a QR code or jump through a ton of hoops to get a recovery phrase by claiming you can't scan it? Many would even pay a small fee to use it, vs. The app is widely used, so the investment in a desktop app would certainly not go to waste. Google is all over phones anyway, so there can't be that much gained from having app presence on phones to collect data.
0 kommentar(er)
