How to add Two-Factor Authentication to your website with Google Authenticator (twilio.com)
102 points by jf on April 11, 2013 | hide | past | favorite | 16 comments



Note: Duo Security's app (for Android) is better. It supports TOTP and lets you rearrange accounts. With more websites adopting TOTP 2-factor, rearranging accounts is a mandatory feature.

Google Authenticator's bug on this issue (Android-specific) has made no progress. The iOS Google Authenticator app rearranges accounts just fine.

https://code.google.com/p/google-authenticator/issues/detail...

Disclaimer: I don't work for, or have any stake in, Duo Security. None of this implies a preference for Duo's service (I prefer TOTP wherever it makes sense).


On the iOS version of GA you have to hit the "legal information" button before the "edit" button will work and you are able to rename/rearrange things.

No clue why, and you have to do it any time you restart the app (I think it works across backgrounding, but I can't remember). Pretty weird bug.


Good to know, thanks. Duo Security's app will work just fine with this tutorial. I just decided to use Google Authenticator because it seemed to be the best known TOTP client implementation.


Wow. This is thorough. Well done!


What else would you be expecting from joel? :)

Nice work.


I created a service here: https://www.gauthify.com . Although it's production ready I haven't really announced it anywhere (100% uptime between the servers the last 4 months with heavy testing going on 24x7). Anyway, it's essentially Google Authenticator as a service paired with SMS and Email as alternative authentication methods. Plus it has libraries in Python, Ruby and PHP.

The best part? Read the docs: you can implement email, SMS & Google Authenticator OTP/2FA in as little as 4 lines of code.


I made a RubyGem for implementing this with Rails not too long ago: https://github.com/jaredonline/google-authenticator


Just wanna say, met jf once at a panel, could not be a nicer fellow. Lots of fun to talk to and he writes awesome posts.


I wrote some example Ruby code to do the same thing (we use Google Authenticator on the web and for our VPNs via the Perl hooks in FreeRADIUS) if anyone is interested: https://github.com/bithive/example-totp-vault


TFA is great. But it seems like a lot of work doing it that way. Just use Google as a login provider and get all that stuff on top.


Specifically, if you set things up as in the linked article, no traffic or other information is going to Google (unless you think that the Google Authenticator app is leaking info to Google for whatever reason). Specifically, Google doesn't see how many logins your app gets.

If you're trying to sneak up on a market, or if for some reason you're trying to hide from Google the number of active users you have, you might see this as an advantage.


I might consider it an advantage if Google isn't able to snuff out my users' accounts/access with impunity. I don't understand the technology enough to know whether that is the case, but I wouldn't rely on Google for authentication at this point for this reason.


TOTP is surprisingly easy to understand and implement. I do my best to explain how it works in the "Understanding TOTP" section of this article. Take a look at that section and let me know if it makes sense.
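To make the "easy to implement" claim concrete, here is an added worked example of the TOTP algorithm (RFC 6238, built on HOTP from RFC 4226) in Python. It is not code from the linked Twilio article or from the commenters; it is written for this thread and uses only the standard library. The account name, issuer and the 20-byte test secret are assumptions for illustration (the secret is the one from the RFC test vectors, so the expected codes can be checked against the spec). It also shows the two things a server needs beyond the raw algorithm: a drift window with constant-time comparison, and the otpauth:// URI that Google Authenticator imports from a QR code.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation.

    The low nibble of the last digest byte picks a 4-byte window; the top bit of that
    window is masked off so the value is the same on signed and unsigned platforms.
    """
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP where the counter is floor(unix_time / step)."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits, algo)


def verify_totp(secret, code, for_time=None, step=30, digits=6, window=1):
    """Accept the code for the current step and `window` steps either side (clock drift).

    hmac.compare_digest keeps the comparison constant time so response timing does not
    leak how many digits of a guess were right.
    """
    if not (isinstance(code, str) and len(code) == digits and code.isdigit()):
        return False
    if for_time is None:
        for_time = int(time.time())
    counter = for_time // step
    for offset in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + offset, digits), code):
            return True
    return False


def new_secret(nbytes=20):
    """Fresh per-user secret; 20 bytes (160 bits) matches the SHA-1 HMAC block the RFC uses."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret, account, issuer):
    """otpauth:// URI that Google Authenticator imports (normally rendered as a QR code).

    The app expects the secret as unpadded base32; label and issuer are URL-encoded.
    """
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": b32, "issuer": issuer})
    return f"otpauth://totp/{label}?{query}"


# Constructed inputs: the RFC 4226/6238 shared test secret and an assumed account name.
RFC_SECRET = b"12345678901234567890"
EXAMPLE_ACCOUNT = "alice@example.com"   # assumption for illustration
EXAMPLE_ISSUER = "Example"              # assumption for illustration

if __name__ == "__main__":
    print("HOTP counter 0..2:", [hotp(RFC_SECRET, c) for c in range(3)])
    print("TOTP at t=59 (8 digits):", totp(RFC_SECRET, 59, digits=8))
    print("current TOTP:", totp(RFC_SECRET))
    print("provisioning:", provisioning_uri(RFC_SECRET, EXAMPLE_ACCOUNT, EXAMPLE_ISSUER))
```

Running it reproduces the RFC vectors (HOTP counter 0 is 755224, TOTP at t=59 with 8 digits is 94287082). Two things the RFCs flag that are easy to miss when rolling your own: store the last accepted counter per user and refuse anything at or below it, otherwise a code that was sniffed can be replayed inside the drift window, and rate-limit attempts, because a 6-digit code with a 3-step window gives an online guesser roughly 3 in a million odds per try.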


What's ambiguous about it is whether or not I need a Google account (and whether Google having taken away that account, I can still log into your service). The "Understanding TOTP" section seems to be saying that you don't and they can't, in which case there's nothing to object to.


Great feedback, thanks. I've updated the "Adding Google Authenticator" section with a note that should make that less ambiguous.


That's a valid point, if you don't rely on Webmaster tools and analytics. If you do, they can extract this information anyway.



