Google's Abandoned Android Authenticator App

android Apps developer · 12 comments · 800 words · Viewed ~19,132 times.

The news has just broken that Google's Authenticator App can have its codes stolen by malware. I doubt Google will ever release a fix for this issue - their 2FA app hasn't been updated since September 2017.

Update! 3 months after I published this post, Google updated their app

For two-and-a-half years, Google hasn't touched their 2FA app's code. Perhaps it is perfect? Perhaps there are no more UI improvements or security enhancements that can be done? Or, more likely, it joins a long graveyard of Android apps - launched optimistically and then abandoned.

I get it, not every product you release is a winner. And some have to be shuttered gracefully. But Google Authenticator is special. It is trusted to protect users' accounts. Not just Google accounts - thousands of providers specifically recommend it.

Sure, you and I know that any OTP app will work. But Google spend a lot of money on branding - and organisations use that to signal trust to their users.

Frankly, Android Authenticator is too important to be neglected like this.

Open Source

The Authenticator app is open source. But comes with this delightful disclaimer:

While this fork is open source, the official version of the app still remains proprietary. There is no guarantee that the open source repository will receive any changes made upstream (or vice versa).

Despite multiple bugs being filed, no one is fixing them. Occasionally users are told that an internal Google ticket has been raised - and then silence.

As I mentioned last year, I've switched to andOTP. It's open source, and actively being developed and improved.

Final thoughts

It's OK to stop developing software. It's OK to decide that your limited resources are best spent elsewhere.

It's not OK to heavily promote an open security standard, convince people to rely on your proprietary app, and then abandon it.

Bonus Content For Patreon Subscribers!!!!!

Here's a quick look through all of Google LLC's currently published Android Apps. I've highlighted any which haven't been updated in over 12 months. That seems like an appropriate cut off for abandonment.

App	Last Update
Cardboard Design Lab	2015-05-29
Hangouts Dialer	2015-09-02
Authenticator	2017-09-27
Toontastic 3D	2017-11-02
Google AdSense	2017-12-13
Wallpapers	2018-01-24
Indic Keyboard	2018-04-19
Wear OS Phone	2018-05-14
Cloud Print	2018-05-23
Gmail Go!	2018-06-06
Google Korean Input	2018-06-25
Google Spotlight Stories	2018-11-13
Pinyin (Chinese) Keyboard	2018-12-12
Japanese Keyboard	2019-02-25

I'm sure there are some I've missed - and there are loads more which are coming up for their one-year anniversary.

12 thoughts on “Google's Abandoned Android Authenticator App”

2020-02-27 13:14

Matt Andrews said on twitter.com:

Oh wow, didn't realise it had been so long without an update.

Re "you and I know that any OTP app will work" – my work (Microsoft shop) needed me to enable 2FA for something and it didn't work with Google Authenticator, I had to use the Microsoft equivalent.

Reply | Reply to original comment on twitter.com
2020-02-27 13:24

Shane Hudson said on twitter.com:

Glad I use @1Password which works even when Google says "use Google Authenticator app"

Reply | Reply to original comment on twitter.com
2020-02-27 17:22

Beko Pharm said on beko.famkos.net:

Whaaat? I had no idea and I’ve very mixed feelings about this now. Damn it. I guess I’ve to sort this out now 😱

Reply | Reply to original comment on beko.famkos.net
2020-02-28 08:48

Henry Hadlow says:

It’s also a real problem to switch from Google Authenticator even to the same app on another phone. There’s no way to migrate your information to another app. 1Password ftw.

Reply
2020-02-28 12:06

drew says:

The Adsense app abandonment is also shocking. Aren’t ads the engine driving Google on the business side?

So if they don’t care to support users’ security and ensure their Google loyalty or support business ads, won’t they lose users and advertisers?

Nope, because there is no where else to go. In part because of what google does choose to support, “Figures released last week show that Google spent a record amount of almost $6m lobbying in Washington DC in the past three months, putting the Silicon Valley behemoth on track to be the top …”

Reply
2020-02-28 15:50

Hacker News said on twitter.com:

Google's Abandoned Android Authenticator App: shkspr.mobi/blog/2020/02/g… Comments: news.ycombinator.com/item?id=224328…

Reply | Reply to original comment on twitter.com
2020-02-28 16:53

𝟶𝚡𝙵𝙴 𝟶𝚡𝙴𝙳 𝟶𝚡𝙵𝙰 𝟶𝚡𝙲𝙴🧣 said on twitter.com:

We have another victim of @killedbygoogle: the Authenticator App.
Darn: shkspr.mobi/blog/2020/02/g…

Reply | Reply to original comment on twitter.com
2020-02-28 16:57

Cem Paya said on twitter.com:

As one-time maintainer of Google Authenticator (and the person who added Bluetooth support to the internal, Google-employees-only version) my preferred TOTP/HOTP app for past 5 years has been Duo by @duosec
shkspr.mobi/blog/2020/02/g…

Reply | Reply to original comment on twitter.com
2020-02-28 18:15

Jason says:

Damn, I guess I'll migrate everything to Authy. Their last update was Feb 11th.

Reply
2020-03-02 10:08

Dznsm says:

Not sure andOTP is currently the best bet. See eg. https://github.com/andOTP/andOTP/issues/427

Thankfully there's another nice OTP app that among others, imports andOTP backups https://github.com/beemdevelopment/Aegis

Reply
2022-02-27 08:22

Terence Eden said on twitter.com:

A few months after I published this, Google updated its authenticator app.

It hasn't received any subsequent updates in the last two years.

Reply | Reply to original comment on twitter.com
2022-02-27 08:29

Roo Reynolds said on twitter.com:

I use an alternative (Authy) specifically because I don’t trust Google not to abandon / break Authenticator

Reply | Reply to original comment on twitter.com