Identity and accounts
MFA: why your Google Authenticator app is letting you down
Real MFA robustness hierarchy: SMS < cloud TOTP < local TOTP < FIDO2 hardware. The cloud backup trap. Choosing and managing your keys.
This version was translated with AI assistance and reviewed by a human.
A client shows me their “2FA” setup: Google Authenticator synced to their Google account, backup enabled to Google Drive. Their Google account was compromised last month. In one move, the attacker had every single TOTP code — email, bank, work accounts, all of it. The 2FA didn’t fail. It never existed in the way they thought it did.
The common trap
“I have 2FA turned on — I’m protected.” That’s the sentence I hear most often. And it’s the most dangerous sentence in personal security vocabulary.
The problem: 2FA is not a single category. It’s a spectrum that runs from almost-nothing to genuinely-robust. Treating all MFA as equivalent is like saying “I have a lock on my door” without specifying whether it’s a bathroom hook or a grade-3 deadbolt.
The direct consequence: people who believe they’re protected when they aren’t, and who don’t invest in real protections because they think the box is already checked. Worst of both worlds.
The real robustness hierarchy
Here’s the reality, worst to best.
SMS OTP — abandon it on anything serious
SMS as a second factor is convenient, ubiquitous, and fundamentally breakable. There is more than one way to break it.
SIM swap: your carrier ports your number to a SIM controlled by the attacker. One phone call, three pieces of public information (name, date of birth, address), and a customer service rep makes the change. Princeton University tested five major US carriers in 2020 and found all of them failed simple social engineering attacks in a majority of cases.
SS7 attacks: the SS7 network that routes SMS traffic globally has known vulnerabilities documented since the early 2000s. An attacker with access to this network — a poorly secured carrier, a network capacity reseller — can intercept SMS messages for any target, anywhere. This isn’t theoretical: researchers at Germany’s Chaos Computer Club demonstrated it live on television in 2017, intercepting an elected official’s SMS in real time.
Social engineering at the carrier: even without a full SIM swap, call forwarding and temporary SMS redirects can be triggered by convincing a support agent. Scripts for tricking carrier support circulate openly.
When is SMS acceptable? For a forum account with no sensitive data, or a service that offers literally no other option. Never on your primary email, bank, or password manager.
TOTP with cloud backup — the false friend
TOTP (Time-based One-Time Password) generates 6-digit codes that change every 30 seconds. Technically: RFC 6238, which runs HOTP (RFC 4226, HMAC-SHA1 by default) over a counter derived from the current time. Every code is computed from a shared secret that both your app and the service hold, so anyone who obtains that secret produces exactly the same codes. Robust on paper. The problem is in how the apps handle that secret.
Google Authenticator introduced cloud sync in 2023 — if you lose your phone, your TOTP codes restore on the next device. Convenient. But the security of your TOTP codes is now exactly equal to the security of your Google account.
Authy, for a long time the standard for TOTP apps, enabled multi-device sync by default — your codes synchronized across all your devices via Twilio’s servers. In 2022, Twilio (Authy’s parent company) suffered a breach that exposed 33 million phone numbers linked to Authy accounts. In 2024, there was another incident. The fundamental risk hasn’t changed: the cloud account becomes the single point of failure.
Microsoft Authenticator with sync enabled, Samsung Pass, and any other cloud-synced TOTP app fall into the same category.
Local TOTP without cloud — structurally better
Aegis Authenticator (Android, open source) and Ente Auth (Android/iOS, open source, end-to-end encrypted on their own servers) store your TOTP secrets locally on your device. No automatic sync to a third-party cloud. Raivo (iOS, open source) does the same.
The robustness is structurally different: to compromise your TOTP codes, an attacker needs physical access to your device or must compromise your local backup.
The real risk: losing your phone without a backup of your TOTP secrets means losing access to all your accounts simultaneously. The mitigation is simple but requires discipline.
Backup strategy for local TOTP:
- Aegis supports encrypted export (AES-256-GCM) of all your secrets. Do this export, encrypt it with a strong passphrase, store it on an offline medium (USB drive in a safe, for example).
- For each critical service, print the TOTP configuration QR code and store it physically.
- Don’t forget recovery codes — most services provide them when you first enable MFA. Print them, put them somewhere safe and offline.
FIDO2 hardware — the only truly phishing-resistant option
FIDO2 (Fast IDentity Online 2), specified by the FIDO Alliance, is fundamentally different from all other methods. There is no shared secret between you and the service. Instead, the protocol uses asymmetric cryptography: a private key stays inside the hardware key, a public key is registered with the service.
What changes everything: phishing resistance is native. When you use a YubiKey on bank.example.com, the browser passes the site’s origin to the key, the credential is bound to that origin, and the signature the key produces covers it. If an attacker directs you to bank-evil.example.com, the browser reports that origin instead, the key has no credential for it, and nothing gets signed. The key refuses to authenticate not because it detected fraud, but because the protocol structurally cannot work otherwise. That is the difference between “I check whether it looks suspicious” and “it cannot work any other way.”
Hardware options worth considering:
- YubiKey 5 series: industry reference, physically robust, supports FIDO2/WebAuthn, TOTP, PIV, OpenPGP. Around $50-70 per unit.
- Nitrokey: European alternative, open-source hardware and firmware, independently auditable.
- SoloKey: open source, inspectable firmware.
- Google Titan: reliable, less versatile than YubiKey.
The Authy trap in detail
Authy deserves a separate section because many people use it believing it’s more secure than Google Authenticator. That’s true — but only if you disable multi-device sync.
By default, Authy synchronizes your TOTP codes across all registered devices via their servers. To audit and harden your setup:
- Open Authy → Settings → Devices
- Check the list of authorized devices — remove anything you don’t recognize
- Disable “Allow Multi-Device” — once disabled, no new device can register
Passkeys: promising but with caveats
Passkeys are a consumer-facing implementation of FIDO2. Stored in your Apple Keychain (iCloud), Google Password Manager, or a third-party manager like 1Password or Bitwarden, they offer phishing resistance equivalent to hardware keys.
The caveat: passkeys synced to iCloud or Google are exactly as secure as your Apple or Google account. If that account is compromised — which is precisely the scenario you’re trying to prevent for your most critical accounts — your passkeys are too.
For truly critical accounts, a passkey should be stored on a FIDO2 hardware key (recent YubiKey firmware supports non-synced passkeys). In that case, you get the convenience of passkeys with the security of hardware keys.
Passkeys are not yet universal. Check before counting on them for any given service.
Strategy by account level
Level 1 — Critical accounts (primary email, bank, mobile carrier, password manager, domains): FIDO2 hardware minimum. Two keys — one primary on your person, one backup stored separately. Register both on all critical accounts. Store recovery codes offline as a complement.
Level 2 — Business and social media accounts: Local TOTP (Aegis or Ente Auth) with encrypted offline backup. No cloud TOTP sync. FIDO2 if the service supports it and your risk profile warrants it.
Level 3 — Secondary services, forums, subscriptions: TOTP or SMS acceptable depending on the actual risk. The email linked to these accounts should ideally be a secondary address — not your primary.
Managing hardware keys: the non-negotiable rules
Minimum two keys. One hardware key is a single point of failure. You lose it, you break it, it goes through the wash — access to all your FIDO2 accounts is gone. Buy two keys of the same model, register both on every critical account at the moment of activation.
Where to store the backup. Not in the same bag as the primary key. Not in the same room, ideally. Options depending on your level: locked drawer at home, personal safe, bank deposit box for the most exposed profiles.
Systematic registration. When you activate FIDO2 on a new account, register both keys immediately. Many people register the primary key and “do the backup later.” Later never comes.
Mistakes we see all the time
SMS on the primary email account. Most common and most dangerous. Your email is the master key to your digital life — password resets, sensitive communications, everything goes through it. Protecting it with SMS is like protecting a vault with a bicycle lock.
Unaudited cloud TOTP backup. People who enabled Google Authenticator with Google sync without realizing their TOTP codes now live in their Google account.
One hardware key, no backup registered. See above. Losing a YubiKey without a registered backup is an operational emergency.
Recovery codes in the password manager. If your password manager is protected by FIDO2 AND your FIDO2 recovery codes are in the password manager, you’ve created a circular dependency. Recovery codes must be offline — paper in a safe, engraved on metal for the truly paranoid.
Migrating without a plan. Disabling the old MFA before validating that the new one works.
- N1 Identify your 5 most critical accounts (email, bank, carrier, password manager, primary cloud)
- N1 Remove SMS MFA from those 5 accounts
- N1 Audit Google Authenticator and Authy for active cloud backups
- N2 Install Aegis (Android) or Ente Auth (iOS/Android) for local TOTP
- N2 Migrate level-2 accounts to local TOTP without cloud sync
- N2 Print and store recovery codes offline for critical accounts
- N3 Buy 2 YubiKey 5 keys (or equivalent)
- N3 Activate FIDO2 on all critical accounts with both keys registered simultaneously
- N3 Store the backup key in a physically separate location
- N3 Create an encrypted Aegis export and store it offline
Sources and further reading
- FIDO Alliance — Specifications [official]
- RFC 6238 — TOTP [rfc]
- NIST SP 800-63B — Digital Identity Guidelines [official]
- Krebs — SIM swap explainer [official]