How to set up Google 2FA with third party OTP app
I have a Google account with one of the organisations I volunteer for. They have recently taken the decision to require 2FA for all account sign-ins. Google's 2FA enrolment process requires one of (a) PSTN phone number, (b) Google app on smartphone (NOT Google Authenticator), (c) hardware security token. I'm not prepared to give Google my phone number, nor am I willing to install a Google app that requires me to be signed in on a phone when there are numerous third party OTP implementations available (apart from anything else I very rarely use a smartphone and would prefer to use a desktop app). The organisation is not providing a hardware token and I don't have one of my own. Is there another alternative? For example, getting the settings and initialisation key to use with an OTP app, or a browser extension that acts in the same way as a hardware token. I'm running Ubuntu 21.04 and Firefox, but could use a Chrome-based browser if absolutely necessary.
(Edited to clarify that Google Authenticator is NOT offered as an option during enrolment: only the Google (Search) app or the Gmail app are possible.)
Solution 1:
There are two choices for "Google specific app on smartphone" – one uses online notifications (Google Prompt), the other uses offline OTP (Google Authenticator).
OTP
Google supports OTP-based 2FA under the name of "Authenticator app". It uses the OATH TOTP standard – exactly the same as what most other OTP apps use, with standard parameters (6 digits, 30 second interval).
As part of enrollment process, you'll be shown a QR code which directly contains the TOTP shared secret. You can scan it with just about any OTP app that exists (desktop apps should be able to "scan" a screenshot as well).
During the same step, you can also click the "Can't scan it?" and reveal the same TOTP seed as plain text. You can copy & paste it into your desktop OTP app, and perhaps write it down on paper to store as a backup.
The app will not need to communicate with Google. However, the device's clock needs to be accurate (the official Google app automatically compensates for wrong clocks using an online time server, but in other apps you'll need to take care of it yourself).
It does not matter whether you choose "iOS" or "Android" when asked for your phone type – you'll get the same process either way.
(In case the "Can't scan it?" option goes missing, the QR code can also be scanned using a generic QR decoder, which will reveal the TOTP seed in plain text. The QR code's contents use the format otpauth://totp/GitHub:someuser?secret=ABCDEF&issuer=GitHub
, with the username and issuer being for display only.)
Tokens
Regarding hardware tokens – yes, there are browser extensions which emulate a WebAuthn or U2F token, but many of them seem to be abandoned and they might not necessarily be secure. (There's also the risk of them suddenly no longer working, so if you use one, make sure to have TOTP as a backup.)
On Linux you also have software such as rust-u2f which emulates a hardware U2F token at OS level – it will work with any website and any web browser because it's seen as an actual connected HID device. Still, it is somewhat more fragile than a real hardware token, and I'm not sure if I would go as far as to recommend using it.
Finally, letting the OS provide a software-based "platform token" is actually part of the newer WebAuthn specification. Windows 10 implements it under the "Windows Hello" name (supported by all major browsers), and Apple just added a similar "iCloud Passkey" feature in macOS Monterey.
Unfortunately, Google does not support 'platform' tokens, only hardware tokens – I'm not sure whether it's deliberate or if it's because they use the older U2F API rather than WebAuthn. (However, rust-u2f will still work because it emulates a hardware token, not a platform token.)
Solution 2:
You don't need Google Authenticator specifically - any TOTP app will do. I've migrated from Google Authenticator to andOTP on my smartphone and it works fine.