Testing Google Authenticator App Login Security

This article concerns login security and two-factor authentication (2FA) on wordpress. Not the usual dismal fare.

[everything below is just examples, and not live]

to login to test site go to: http://cazbike.com/XYZ/wp-admin/

username is azbikelaw
(password is isn’t needed, because it’s configured to just use the 2FA code)

To get the one-time code, add this “secret” to google authenticator app , or some other authenticator that generates HOTP / TOTP 2FA codes, e.g. authy, etc)…. either by image:

sample 2FA secret

or by secret: J2YM7NMMFLXYQMVE

or (theoretically) by link, but the authenticator app has no way to handle a link: otpauth://totp/blahblah@blah.com?issuer=miniOrangeAuth&secret=J2YM7NMMFLXYQMVE

Note that the only necessary part is the secret, not the email address or the issuer; although somewhere back at miniorange headquaters, this secret is tied to a particular account, but that’s irrelevant for generating correct codes. This was all tested using the miniOrange 2FA plugin for wordpress.

The Google Authenticator app is simply a repository of any number of such secrets. Most people simply use it to store the secret

The “secret” isn’t linked to any particular google account, rather they just live on the device where you’ve stored the secret, usually your phone. You or anyone can add the secret to as many devices as they wish.

The normal use case is the QR gets ephemerally displayed and then is gone/forgotten once scanned and added to authenticator. But you can certainly retain it, as in my example above. In that case, you (or anybody!) anytime later can add the secret to another device, say because you lost your phone.

Google could choose to store the secrets within a google account (in “the cloud”) and  propagate the secrets across all your (google logged-in) devices; i assume they don’t because of security concerns. On the other hand, in the present scheme, if you lose the device, the secrets are lost with it, unless you took extraordinary steps to save the original codes. hmm.

When setting up a new google/android device, there is an option to transfer setting from an existing device to the new device.  I assume the Authenticator app settings including all the secrets would get transferred, but I haven’t tried it. However, this relies on physically having the old device present (bluetooth? NFC? It says to place the devices close together and listen for a beep??) — so if it’s lost or broken, that won’t help.