2

I have recently added 2FA for my Google account using an authenticator installed on my mobile phone. After doing this, I have realized that it would be nice to also have the authenticator installed in a backup phone.

However, it was not possible to simply enable another authenticator. The only way was to remove the authenticator and register both authenticators at the same time (scan the same QR code, thus generating the exact same authentication code).

I am wondering if there is any reason for this restriction. I was able to register two authenticators for another application (they generate two different codes, but they are both valid as 2FA).

Is there a security rationale for this restriction or is it just a rather unpleasant UX?

Alexei

1 Answer

1

It depends on what risks are acceptable to you.

When there is a single authentication code, the probability of guessing it is 1/1000000 = 0.000001. And it does not matter on how many devices you install the authenticator. If there are two independent authentication codes, the probability of guessing a valid code is 2/1000000 = 0.000002. The more independent codes you allow, the higher the probability of guessing one.

Is it a security issue or not? It depends on what risks you accept. If you require that the probability of guessing a valid code is not higher than 0.0001, then you can allow up to 100 independent codes. If you accept the probability 0.00001, then you can allow up to 10 independent codes. If you accept the probability 0.000001, then there must be a single code.

Whether Google used this rationale or some other one, only Google can answer.

mentallurg