Users of Google's Authenticator application were surprised to see that their soft-tokens were completely purged from the app after upgrading to a new release that rolled out today. Data loss is always frustrating, but in this case the loss left many end-users unable to log in to a variety of services they were protecting with two-factor authentication. Awareness of this bug quickly spread online via the usual means such as Twitter and technology news sites. More impressively, Amazon Web Services even sent out a proactive notice to customers warning them of the potential for account lock-out due to this upgrade.
Google's release cadence for Authenticator is a good indication of how much of a priority the app is to the company as a product offering. Prior to today's broken release, it had been over two years since the last release of the iOS application. For reference, Duo Security releases a Duo Mobile app update every month or two. The difference is that Google provides its Authenticator app to supplement its other service offerings, whereas our entire focus is two-factor authentication. This difference in focus helps to ensure that we're delivering a great experience to customers who can't afford to have bugs like this occur.
Peter Johnson, one of Duo Security's Senior Software Engineers, explains how our process prevents scenarios like this from happening to our customers:
For both iOS and Android, we have automated tests, but we also have a manual acceptance test procedure that must pass before the software is released. The manual acceptance tests cover various installation scenarios such as new installs, delete and install, and upgrade install, among other things. We specifically include in these tests loading up an old version of the app with data and then loading the new version over it and verifying that all of the account data is still there and is usable.
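The upgrade-install check described above can also be automated. The following is an added example, not Duo's code and not its actual test suite: a hypothetical v1-to-v2 migration of a token store, followed by a check that every pre-upgrade account survives and still produces the same RFC 6238 TOTP code that it produced before the upgrade. The storage formats, the migrate_v1_to_v2() function, the account labels and the secrets are all constructed for the example; the first secret is the RFC 6238 test key, so its expected code is known.

```python
# Added example: an automated stand-in for the "upgrade install" acceptance
# check. NOT Duo's code; the storage formats, migrate_v1_to_v2() and the
# sample accounts are hypothetical, constructed for this illustration.
import base64
import hashlib
import hmac
import json
import struct
import time


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a raw secret at a given Unix time."""
    counter = for_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Hypothetical "old app" storage: a JSON list of accounts with base32 secrets.
V1_STORE = json.dumps([
    # Constructed sample accounts. The first secret is the RFC 6238 test key
    # "12345678901234567890" in base32, so its codes are known test vectors.
    {"label": "example.com:alice", "secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"},
    {"label": "git.example:alice", "secret": "JBSWY3DPEHPK3PXP"},
])


def migrate_v1_to_v2(v1_blob: str) -> dict:
    """Hypothetical new-version migration: old list -> dict keyed by label.

    A migration that mis-keys the secrets, or that returns an empty store on a
    schema mismatch, is the kind of bug that wipes every token on upgrade;
    verify_upgrade() below is what would catch it before release."""
    old = json.loads(v1_blob)
    return {"version": 2,
            "accounts": {a["label"]: {"secret": a["secret"]} for a in old}}


def verify_upgrade(v1_blob: str, v2_store: dict, now: int) -> list:
    """Return a list of problems. Empty means every pre-upgrade account is still
    present AND still produces the same TOTP code as before the upgrade."""
    problems = []
    old_accounts = json.loads(v1_blob)
    new_accounts = v2_store.get("accounts", {})
    if len(new_accounts) != len(old_accounts):
        problems.append(f"account count changed: {len(old_accounts)} -> {len(new_accounts)}")
    for acct in old_accounts:
        label = acct["label"]
        if label not in new_accounts:
            problems.append(f"missing after upgrade: {label}")
            continue
        old_secret = base64.b32decode(acct["secret"])
        new_secret = base64.b32decode(new_accounts[label]["secret"])
        # "Still usable" means the code the user will type is unchanged.
        if totp(old_secret, now) != totp(new_secret, now):
            problems.append(f"code mismatch after upgrade: {label}")
    return problems


def run_upgrade_check(now: int = None) -> list:
    """Migrate the constructed v1 store and verify it; [] means PASS."""
    now = int(time.time()) if now is None else now
    return verify_upgrade(V1_STORE, migrate_v1_to_v2(V1_STORE), now)


if __name__ == "__main__":
    issues = run_upgrade_check()
    print("upgrade check:", "PASS" if not issues else "FAIL: " + "; ".join(issues))
```

Comparing generated codes rather than only raw bytes is deliberate: it catches a secret that is present but silently corrupted (re-encoded with the wrong alphabet, truncated, or attached to the wrong label), not just an account that vanished. Either failure would lock the user out of the service just as surely as the wipe described in this post.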
If you're looking for a different two-factor solution, our mobile application fully supports not only Google's two-step verification (2SV) but any other time-based one-time password (TOTP) service. That includes great services like GitHub, Dropbox, LastPass, Linode, and many others! Check out our guide for further details about how to quickly set up these third-party integrations in our app.