That's why full disk encryption was always a no-go for approximately all computer users, and recommending it to someone not highly versed in technology was borderline malicious.
"Tough luck, should have made a backup" is higher responsibility than securing anything in meatspace, including your passport or government ID. In the real world, there is always a recovery path. Security aficionados pushing non-recoverable traps on people are plain disconnected from reality.
Microsoft has the right approach here with Bitlocker defaults. It's not merely about UX - it's about not setting up traps and footguns that could easily cause harm to people.
Google Authenticator used to be disconnected from reality like this. Users were asking how to copy the codes to another phone, and they said "you can't, WAI, should add the other phone as a second auth method on every site." Like how people say you shouldn't copy SSH privkeys. I figured out an undocumented way to do it on iPhone by taking an encrypted iTunes backup though.
Eventually they yielded on this, but their later updates had other usability traps. Because Google Auth was the household name for TOTP apps, this maybe ruined TOTP's reputation early on.
Except nobody wants to allow users to make backups themselves.
Or maybe I missed something, and there is actually a way to download your phone backup from Google, or PC backup from Microsoft, as actual files you can browse, without having to have a sacrificial device to wipe and restore from backup?
> should add the other phone as a second auth method on every site.
That's the problem right there. Migrating my phone recently (without having broken/bricked the previous one, which is somehow even worse wrt. transferring 2FA these days than getting a new phone after the old one breaks!), I discovered that most sites I used did not allow more than one authenticator app. If I try to add the new phone as a second-factor auth method, the website deletes the entry for the old phone.
> Security aficionados pushing non-recoverable traps on people are plain disconnected from reality.
To be fair, if you inadvertently get locked out of your Google account "tough luck, should have used a different provider" and Gmail is a household name so ...
Less snarky, I think that there's absolutely nothing wrong with key escrow (either as a recovery avenue or otherwise) so long as it's opt in and the tradeoffs are made abundantly clear up front. Unfortunately that doesn't seem to be the route MS went.
Google will lock you out of an account even if you remember your password. This happened to me, when Google decided to use the recovery email address for 2FA, locking me out of my primary account. And the exact same change was made to my recovery account, at the same time. As for the recovery email of my recovery email address, it was with a company that hadn't existed for over a decade, and no longer existed.
As long as the automated flow works everything is great. But if the music stops can you get in touch with a human to fix it? That applies not just to auth but pretty much all of their stuff. Plenty of horror stories have made it to the HN front page over the years.
I've had to get in touch with a human before for account recovery, it worked. Horror stories, idk. I hear horror stories about every single business I interact with, but then don't experience it myself.
I had hoped the average person would have a baseline understanding of how computers work by now. Baseline includes things like the difference between a web browser and a search engine, "the cloud" is someone else's computer, and encrypted means gone if you lose the password/key.
I am sad that this now appears unlikely. I suspect it may even be lower for people in their 20s today than a decade ago.
> Baseline includes things like the difference between a web browser and a search engine, "the cloud" is someone else's computer, and encrypted means gone if you lose the password/key.
One of these things is not like the other...
That's why I'm stressing the comparison to e.g. government documents: nothing in meatspace requires regular people to show anywhere near as much conscientiousness as handling encryption keys.
Or: many people probably know, in the abstract, that "encrypted means gone if you lose the key", much like many people know slipping up while working on a HV line will kill you. Doesn't mean we should require everyone to play with them.
> That's why full disk encryption was always a no-go for approximately all computer users, and recommending it to someone not highly versed in technology was borderline malicious.
Do you feel equally strongly about people using drives that can fail? Is selling a computer without redundant drives also borderline malicious?
> In the real world, there is always a recovery path.
To accounts there is. But data gets lost all the time.
> Do you feel equally strongly about people using drives that can fail? Is selling a computer without redundant drives also borderline malicious?
No. Drives wear out and fail, like all hardware. Much like the compressor in your fridge, or the V-belt in your car, you can extend the service life of your drive through proper care, and replace it when it fails to keep the system running. And in practice, hard drives are reliable enough that, with typical usage patterns, most people don't need RAID.
And, much like with fridges and cars, computers and their parts are subject to both market forces and (in more civilized places) consumer protection laws, which ensure computer hardware meets the usual, reasonable expectations of the common person.
> To accounts there is. But data gets lost all the time.
Data loss still happens, which kind of proves my point - computers are hard, and normal people can't even be expected to back things up properly. That's why every commercial PC and mobile OS vendor these days is pushing automated off-site backups using their cloud offerings. Might not be ideal, and even might be a tad anti-competitive, but it's a good deal for 99% of the users.
But this brings me back to my other pet peeve: 2FA, via authenticator apps, passkeys, and other such things that tie your credentials to a device via magic crypto keys. These crypto keys are data, and given how tech companies get away with having no actual customer support, 2FA ends up turning data loss into account access loss.
Mandatory 2FA is a trap, a ticking time bomb, because it's way too easy to make a mistake and lose the keys - and if the backend follows the current High Security Standards, this is irreversible even from the vendor side.
Compare that to expectations people have about the real world - if you lose all your keys to your home or your car, you... just go to a locksmith and show some plausible proof of ownership, and they'll legally break in and replace the locks for you. If you can't produce a plausible proof of ownership, you involve police in the process. And so on. There's always a recovery path.
> And in practice, hard drives are reliable enough that, with typical usage patterns, most people don't need RAID
And most people aren't going to forget a password they put in almost every day that never changes. I don't see why that kind of full disk encryption is so bad.