Personally, I'd rather deal with the hassle of carrying around multiple hardware tokens than give companies a continuous stream of data about my personal life to use against me.
If I wipe my phone, I have permanently lost all of my TOTP codes if I wasn't careful and backed them up manually before wiping...
TOTP is great for security conscious and technologically fluent folks... awful for your grandma.
Do not, ever, store the TOTP seed in your phone! At least not as the one and only location.
TOTP at least is just a standard so you can either use a client that has backup options, write your own, or whatever. It's better.
I upgraded to an iPhone 13 about 6 months ago and it was almost completely seamless to restore everything to it.
Let's just hope they don't use _that_ for marketing purposes! ;)
https://bitwarden.com/help/authenticator-keys/#steam-guard-t...
On a recent find apparently Authy (the app not the sms fallback) has a weird, uh, “feature?”, where my 2fa, for example, for Sendgrid will unlock all of my Sendgrid accounts, which I personally find mildly concerning.
Ultimately with any service you’re only protected by your contract and the PR value of a breach of trust. Unless you’re using an open source app and rolling your own sync, an app where trust is paramount (1Password), or one where a misstep is a huge media hit (Apple), you’re at the mercy of that company.
Microsoft fwiw, probably uses location to spot fraud and is unlikely to breach user trust imo.
https://techcommunity.microsoft.com/t5/azure-active-director...
https://support.microsoft.com/en-us/account-billing/common-q...
This app has access to:
Photos/Media/Files: read the contents of your USB storage; modify or delete the contents of your USB storage
Location: precise location (GPS and network-based)
Contacts: find accounts on the device
Storage: read the contents of your USB storage; modify or delete the contents of your USB storage
Camera: take pictures and videos
Identity: find accounts on the device; add or remove accounts
Other: receive data from Internet; run at startup; draw over other apps; prevent device from sleeping; create accounts and set passwords; view network connections; close other apps; control vibration; use accounts on the device; full network access

From Microsoft's Authenticator help page:
"You will see a prompt from Microsoft Authenticator asking for access to your location if your IT admin has created a policy requiring you to share your GPS location before you are allowed to access specific resources"
https://support.microsoft.com/en-us/account-billing/common-q...
You can use something like KeepassXC (desktop) or something like KeepassDX or Aegis (on F-Droid on Android) for your OTP authentication app to manage 2FA for Google, Amazon, eBay, Dropbox, etc. and there are other options as well.
And it has zero permissions needed (aside from camera, which is granted on a need basis for scanning QR codes). And it also works fine without ever having an Internet connection.
And node, meaning it's a security nightmare.
There are likely other options I guess, but for something of this level (keys to your, or a company's, kingdom!), I'd want to see a project with an arm-long history, loads of review, etc.
> Optional App functionality, Fraud prevention, security and compliance
However, I’m not surprised such apps keep double standards between iOS and Android. Apple spanks (or spanks harder) the apps that ask for permissions frivolously or block functionality behind permissions unnecessarily just to collect data.
For example, I use TrueCaller on iOS without giving Contacts permission, but on Android the app features are blocked without it. Not sure about now, but earlier Ola/Uber didn’t work on Android without location permission, but on iOS they did and still do. Many such examples.
By default, someone can call up your cellular provider, claim to be you, pass trivial to no security questions, and request a replacement SIM be mailed out, or that your number be ported to another device. Or they can slip a bit of cash to any employee who works at any cell phone store that sells service for your carrier.
SMS 2FA isn't better than just a password. It's objectively worse, dramatically increasing the attack surface. Compromise someone's cell phone account and you are virtually guaranteed access to their bank/retirement/investment accounts, email, social media, etc. And they are virtually powerless to do anything about it for at least a few hours while they scramble to, say, get phone service working again and rush to contact everyone they can think of. By the time you're able to even get to your bank to talk to a branch manager and show all sorts of proof of identity, your accounts could be long since cleaned out.
Some providers finally are offering secondary passwords for porting/SIM replacement, that sort of thing. Absolutely call them and request your account be locked down as much as possible, ask to specify a secondary password, etc.
Any 2FA - no matter how weak - should in theory not be weaker than no 2FA. In practice of course these things can often be used as the only factor to "recover" access to an account so yes, weak 2FA like SMS can make things worse.
But I gotta ask. How are they using your personal data against you?
> But I gotta ask. How are they using your personal data against you?
the answer is that they'll use your data against you in any way that they can if it works to their advantage in any way.
Companies don't care about you and your needs, they care about themselves and making money. The reason there is a multi-billion dollar industry around the collecting, buying, and selling of even the most mundane aspects of your life is that companies have seen that all that data can be leveraged against you to give them money and power and one way or another that usually comes at your expense.
Often they use the data they collect to manipulate you. Maybe they want to get you to buy something you wouldn't otherwise, maybe they want to shape your political opinions. Maybe they just sell your data out to others directly, or they use that data to make it easier for others to exploit you.
It doesn't matter if it's Facebook selling your data to Cambridge Analytica so that they can try to swing an election, a group of activists who buy up lists of people who have visited abortion clinics so they can harass them, or a company or data broker letting people buy lists of individuals with low IQs and poor education, or lists of people who are likely to suffer from dementia so they can be targeted with scams, it's all using the data you barely noticed you were handing over.
Even when it's not intentional, algorithms are constantly searching for ways to exploit you in the moment you're at your weakest. They can detect when someone who is bipolar is entering a manic phase and push airline tickets to them, since people in that state tend to make last-minute travel plans. They can detect when you're tired, heartbroken, or under a lot of stress and anxiety and target you aggressively at those times, using one trick after another to find whatever works best (both using what has worked for others like you and tailoring their methods to you individually), and they do it all without ever being explicitly programmed to. The algorithms just maximize for results, and the ends justify the means while giving corporations plausible deniability for even the most egregiously exploitative means their algorithms employ.
In the US, companies like Google, Microsoft, Facebook, your ISP and cell phone company routinely turn data over to the state, with both three-letter agencies and local police departments sucking up all the data they can. It's a huge violation of our rights and a threat to our freedoms.
Even the most well-intentioned company collecting your personal data is likely not doing enough to secure that data, and whatever data they hold onto is just waiting to be abused when a less scrupulous person takes over, or to be handed over when the company is bought or absorbed into another, or to be sold should the company ever go bankrupt or become desperate enough for the money.
One way or another, the data you hand over will be used against you, and worse, you'll have no idea when it happens. Today people are turned down for jobs and denied rental contracts because of the data collected on them. They are charged more for the same products they buy online than what other people are paying. They are told a company's policies are one thing, while other customers are told they are something else. Their insurance premiums are being raised based on this data. Companies have even been shown to use this data for things as trivial as leaving some people on hold longer than others, but nobody is ever told the reason why those things happen. You have most likely already paid more than someone else, had your time wasted, been denied something, been misled, or been rejected based on the personal data you've handed over.
Nobody is using your data to protect you or put more money in your pocket. It is always used to serve someone else regardless of what that does to you.
For the most part, "authenticator app" means TOTP, which isn't proprietary.
Which is beautiful because you don't actually need any app for it. Just save the TOTP seed. There are plenty of open source implementations to compute the one-time code when you need it.
On my iPhone settings it doesn’t seem like Microsoft Authenticator is accessing location data at all.