>Hi Lutz,
>
>>>While I count the kind of 2FA you do as data gathering by google and adding an external point of failure, also it exposes your mobile even more to google - it nicely connects the phone to the app, usage of the app by owner of the phone and so on, data you might freely hand to google or not (You will not believe what one can read from this data), others might think different.
>
>What you're saying is true for many of the other implementations out there that use online APIs to generate QR codes and validate the entered codes. However:
>
>Try disconnecting your Google Authenticator device from mobile and internet. Google Authenticator still scans the QR code and generates the validation code. It appears that Google Authenticator is a simple local app that creates an account on the device when you scan the QR code, then creates the validation code every 30 seconds while open. You can even block network access completely in settings; still works fine AFAICS.
>
>AFAICS the only data gathering point connecting app, user and secret code would appear to be the QR code that gets generated locally in this implementation, to be displayed under app/customer control.
Hi John,
Beg your pardon for the salutation in my last message, I was in the wrong mode.
Where do you run Google Authenticator? If not on an extra device (mobile phone), I don't see the sense of it. But if the mobile is not online, how should that work?
I'm confused.
Lutz
Words are given to man to enable him to conceal his true feelings.
Charles Maurice de Talleyrand-Périgord
Weeks of programming can save you hours of planning.
There is no place like [::1]