Simple solution --- don't use Google Authenticator.
Google didn't invent any of this, it is fully standardized (see RFC6238). There are lots of fully compatible alternatives with better options for security and backup and restore.
Personally, I use FreeOTP+ with a password lock and secret keys backed up off device.
Secondary opinion, why is the Google app lacking? Because they really don't want people to use it. They much prefer you reveal your phone number and use SMS instead. This way they can easily identify you personally.
Remember, everything Google does is subtly designed to help violate your privacy in some way. The quickest way to convince me not to use an app is to put a "Google" label on it.
> Secondary opinion, why is the Google app lacking? Because they really don't want people to use it. They much prefer you reveal your phone number and use SMS instead. This way they can easily identify you personally.
Sure, companies may do some evil things intentionally, but an app UI sucking is usually the default state of things and not some malice necessarily. In this case, I think part of the neglect of Google Authenticator is them trying for years to pivot to other forms of two-factor authentication that are more phishing-resistant than an OTP (Yubikey-like and smartphone-based systems).
SMS 2FA is basically the same as TOTP against phishing. It is worse in that you can be hit with SIM swapping. Phishing is many orders of magnitude more common than SIM swapping. There is a real difference between these two options, but it is wildly overemphasized online. The gap between SMS/TOTP and a Yubikey or equivalent is way larger.
I was not suggesting SMS 2FA when I referred to "Smartphone-based solution". I meant relying on Secure Enclave or alike on the smartphone as the second factor in a challenge-response fashion that makes the "OTP" bound to a specific domain and thus unphishable.