Mar 29, 2012

New: Google Releases Authenticator Version 2 for Android

Google Authenticator, the most recent addition to our suite of multifactor authentication options, is a mobile app that allows you to add a second step of verification to your LastPass account for free (as well as your Gmail and other online accounts). The app generates codes that you enter when prompted to gain access to your LastPass account.

If you've been using Google Authenticator as a multifactor authentication with LastPass, you may have recently noticed a warning to update the app. With an error message indicating that the "old" version of Google Auth will no longer be supported, the prompts redirect you to Google Play to install the "new" version. We discovered that Google silently launched version 2 (2.15 to be exact) of Google Authenticator on March 21st - not just an upgrade, but a new app.

If you want to get technical, the new app's program name is com.google.android.apps.authenticator2, while the old one was com.google.android.apps.authenticator. Because version 2 is a new app, and Google appears to be removing the old version from the store, the "update" process is a little more involved. The upgrade prompts will take you to Google Play, where you can install the new version, migrate your tokens, and uninstall the outdated version. If you attempt to install version 2 with version 1 still installed, you'll see prompts to uninstall the latter.

Google offers the following updates to the app in their changelog:
  • Updated look and feel
  • New entry for Google Play, same great app
  • "Scan barcode" and "Manually add account" options moved to Menu > Add account.
However, these minor changes have prompted some to wonder why a separate app needed to be released for the new version. Some have speculated that Google lost their signing key, prompting them to release a new app under a new package name. Currently there's no evidence to support this claim; a plausible explanation may be that Google simply wants to integrate Authenticator more tightly with other apps.

To expand on that explanation:
  • The signing key used on the old version of Google Authenticator (SHA1 fingerprint: 24:BB:24:C0:5E:47:E0:AE:FA:68:A5:8A:76:61:79:D9:B6:13:A6:00) is also used to sign: Scoreboard, Goggles, Finance, Google Voice, Shopper, Transalte, Chrometophone, Earth, Reader, and a few others.
  • The signing key used on the new version of Google Authenticator (SHA1 fingerprint: 38:91:8A:45:3D:07:19:93:54:F8:B1:9A:F0:5E:C6:56:2C:ED:57:88) is used to sign: Google Maps, Google Play Store, Gmail, Google+, Google Chrome and Google Music.
It's important to note that the changes and upgrade process will not affect the current set-up with your LastPass account. If you've been using the old version (0.91), you'll be able to smoothly transition to logging in to LastPass with the codes from the new app.

The changes appear to only affect Android devices, so will not affect those running Google Auth on their iPhone.

The LastPass Team