octavian
Posted November 1, 2025

Both on this site and in the client area, it is possible to use TOTP authenticator apps for multi-factor authentication, and that's great! However, one thing that I noticed is that on both websites this option is listed as "Google Authenticator". My assumption is that it was named this way for the sake of simplicity, or perhaps out of lack of familiarity with TOTP.

As you are probably well aware, the Google Authenticator is based on the generic TOTP standard (time-based one-time password); it is not something that Google has come up with, and there are many other apps that offer the same functionality. By referring to it as "Google Authenticator" and linking to their app, you might be unintentionally harming your users, who maybe don't know any better, later down the road.

If one uses proprietary authenticator apps, their data is taken "hostage" by these companies. They purposefully make it hard to move your MFA tokens somewhere else once you're in, to lock you into their ecosystem.

To give you an example: In the past, I found myself using the "Microsoft Authenticator" for work. Since I didn't know any better, I put many accounts in there. And when I wanted to secure my entries I found out that Microsoft doesn't allow you to export your entries or put them somewhere else. They only allow "OneDrive" backups, which I didn't want to use. They also go out of their way to unnecessarily use custom algorithms that are not interoperable with any other app, to prevent you from having control over your data. In the end, I had to painstakingly change every single account manually to an open-source alternative.

Though it is a bit less locked down, the Google Authenticator is similar to Microsoft's in that normal exports are not allowed. If you lose your phone and don't have a backup because you couldn't export your tokens and didn't want to rely on Google cloud services, you might find yourself in big trouble as you could be losing access to important services.

I assume that Anego Studios is not getting paid to advertise Google's app, so, from my perspective, there is no reason to promote it. There are better open-source alternatives which could be linked to when setting up multi-factor authentication. For Android, Aegis is a top choice. For iOS, Raivo is a good alternative.

As for the name of the settings section, it could simply be called "Authenticator App (TOTP)".

Just my two cents, make of it what you will.