Saturday, November 11, 2017

Selling or retiring an iPhone -- I hope you disconnected Google Authenticator and Google Prompt first.

Wipe that iPhone to give to your child or sell? I’m sure you remembered to launch Google Authenticator and remove the device from your trusted device list before you erased all …

Using a new phone to receive 2-Step Verification codes - Google Account Help

… On your old phone, open the Google Authenticator application…

Oh, you forgot about this step? You are clearly inadequate.

There’s hope though. Assuming you have a computer, there’s another option hidden away …

Add or remove trusted computers - Google Account Help

… Under “Devices you trust,” select Revoke all...

Except that’s not a bit misleading. There are more options once you sign into your Google Account and dig through the “Sign-in & security” section, select Signing in to Google, and choose 2-step verification.

There you can remove the “Google Prompt” iPhone that manages authentication via Google App. That flips authentication to an Authenticator app (OTP authentication with RFC 6238 and 4226). The Authenticator app might be Google’s, a 3rd party, or 1Password or another password manager. I use Google’s because I started with it and I’m lazy.

You can also “change phone” on Google Authenticator. Authenticator is working for my new device though — which was restored from a 6s backup. So I didn’t do that immediately. 

Instead I removed the Google Prompt device, since that was still going to my (since erased) 6s. Then I added it back to my new iPhone 8. Google had the 8’s name so I authenticated there. 

Then, because I’m a paranoid sort, once I had Google Prompt working, I went into Authenticator on my i8, removed my Google account, and then set up Authenticator again from the 2-step verification page (scan barcode).

I’m sure everyone knows to do this. Otherwise why would pundits keep telling us to enable 2FA on every service we care about?

PS. I think when you authenticate within Safari for iOS Google can’t identify the host device. So my https://myaccount.google.com/device-activity list shows both “John8” (my current iPhone) and “Apple iPhone” — even though I believe they are the same thing.

PPS. I think if you want to be very careful you really should do the “Revoke all” as I suspect the old device Safari authentication can still be an issue (except I erased it, but if you’re paranoid …)

2 comments:

Anonymous said...

I have encountered this on two separate occasions -- last year when I upgraded to the iPhone 7, and this year upgrading to the X.

On both occasions, I traded the old phones at the Apple Store and hoped that they would have me sign out of the appropriate apps, or maybe even remind me to do so, but no!

Caught up in the excitement of setting up my new devices, I forgot to sign out of the appropriate apps and/or areas from the old phones. Why can't Apple just have one area to sign out from versus multiple areas, e.g. iMessage, FaceTime, Find My Phone, iCloud, etc.?

Since I never signed out of those areas or apps, I see small reminders of my error, e.g. in Find My Friends app there is my old phone and new one. This is one app that comes to mind at the moment of where the old phone shows up.

JGF said...

I ran into a variant of this with the XBOX. Microsoft has an obscure way to remove one as registered owner, but it doesn't work as expected.

Funny so few people comment on this. Guess we are just picky.