Google Auth 2FA TOTP Client for Samsung Gear, Android, Android Wear, Fitbit

Gear 2, S, S2; Fitbit Versa, Ionic; Huawei WearOS, Apple Watch

Update for Fitbit Users with iPhones:

A new iPhone app called 2FA Hub has been released. It makes account creation and integration with your Fitbit smart watch easier. Check the supported models in the Fitbit section of this document.

The idea was to have a Google Auth/2FA TOTP Client running on all Android-bound phones and watches. These include:

  • Contemporary high end Android phones running ver 6.0 or higher
  • Contemporary Samsung Gear devices such as Gear S2, S3, Sport, Galaxy
  • Android Wear watches
  • Fitbit Versa and Ionic watches

The major benefit is that it integrates the phone, Wear and Gear 2FA apps in a single solution and allows transferring accounts between peers in any direction: from phone to watch or vice versa. There is no need for Google’s stock app anymore, because the companion includes all GA functionality and adds features that the stock GA app is currently missing.

The companion allows scanning Google’s QR bar code, which is a client/server shared secret used for generating one time passwords (OTP).

In addition, the Android companion can also be used to back up and restore all 2FA accounts. Backups can be encrypted using password-based encryption (PBE) with an HMAC signature intended for verifying the backup’s integrity (e.g. signature verification will fail if a password is not valid).

Plain backups are also supported, but not recommended, since they are stored in Android’s “Download” directory that can be accessed by other applications that are granted “read storage” permission.

Using Google Drive for backup/restore operations makes syncing accounts across all your Android, Gear and Wear devices simple.

Where and How to Start

To create a 2FA account on your phone using this app, you’ll need a shared secret, which is a Base32 code generated by your 2FA provider. How to get that code depends on the provider; the code is generated at the time you enable 2FA in your web app. Instructions for getting the code for all Google accounts are provided here:

https://credelius.com/?p=108

However, those instructions change often, so the best way is to read recent 2FA enabling instructions for each provider. The app was tested and actively used with the following 2FA providers:

  • Amazon
  • Google
  • WordPress
  • Twitter
  • Fastcomet
  • DHS
  • Sonic Internet Provider
  • AWS
  • Sophos VPN
  • Google Cloud (GCP)
  • G Suite

The number of websites supporting 2FA grows fast and the list above will grow as well. Check also this to learn what other websites support TOTP: websites supporting 2FA

The following providers are known for not completely following TOTP standards or for hiding important implementation details, which makes integration with their solutions impossible:

  • Microsoft
  • Symantec VIP
  • Fidelity (uses Symantec VIP)
  • Schwab (uses Symantec VIP)

The rule of thumb to check provider’s compatibility: if Stock Google Authenticator works, then GAC and GACW will work as well.

Compatibility with Google’s Authenticator

If a 2FA account is supported by the standard Google Authenticator, it should be supported by the GACW mobile application as well. However, it’s not possible to simply export accounts from Google Authenticator and import them to GACW.

You’ll need to request a new QR bar code from your 2FA provider and then scan it in GACW.

App Flavors and Their Usage

How to Choose Right App in Google Play Store

There are two apps in Google’s Play store and the simple guidance below will help you to make the right choice.

  1. “GAC – 2FA TOTP Auth Client” supports Samsung’s Gear and Android Phone. Choose this one if you want to have an authenticator that works as a standalone app on an Android phone, or if you want an Android phone and Gear app to work together. The Android app is free.
  2. “GACW – 2FA TOTP Auth Client for Wear” is very similar to the first one, except that in addition to Gear, it supports Android Wear and Fitbit devices as well. It also doesn’t have any ads. Choose this one if you need support for both Gear and Wear or Fitbit devices, don’t like ads, and don’t mind spending $2.

How to Choose Right App in Samsung Store

There are three GAC apps in Samsung’s App store, and the guidance below will help you to select the right one:

1. First Client for 2FA TOTP Google Authenticator without Android’s companion was created in 2015, supports many legacy devices such as Gear, Gear 2, Gear Neo, and Gear S, along with newer Gear S2, Gear S3, and Gear Sport. Buy this application only if you need support for legacy devices. If you have S2, S3 or Gear Sport, consider the other two choices.

NOTE: This app has been decommissioned since 11/9/2019 due to very low demand and confusion coming from not reading instructions.

2. Client for 2FA TOTP Google Authenticator with Companion was created in 2017, supports Gear S2, S3 and Sport only, and requires Android’s companion to work. Use this app if you have S2, S3, Sport, or Galaxy and like additional Android’s companion features such as bar code scanning and backups, and don’t need support for Android’s Wear and Fitbit devices.

3. “GACW – 2FA TOTP Google Auth Client for Gear, Wear, Android” was created in 2018, has the same functionality as “Client for Google Authenticator with Companion”, but in addition, it also supports Android’s Wear devices. Use this app if you have Gear S2, S3, Sport or Galaxy, and need support for Android Wear or Fitbit watches as well. It’s free in Samsung store, but GACW companion will cost you $2 in Play Store, so in the end the price is the same as for other two.

Prerequisites

Supported Phones

  • All Android Phones with Android version 6 and higher should be supported
  • iPhones are not supported and there are no plans to support them in the future

Supported Smartwatches

The following Gear devices are supported:

  1. Gear S2
  2. Gear S3
  3. Gear Sport
  4. Galaxy

The following Fitbit devices are supported:

  1. Ionic
  2. Versa
  3. Versa Light
  4. Versa 2
  5. Versa 3
  6. Sense

Theoretically, all Android Wear devices should be supported by GACW as well. Since there are too many different models in this category, we were not able to test all of them, so if you see any problem with your specific Wear watch model, please provide device details to us and we’ll try to fix.

The minimum Android version to run the companion app is Android 6.0

To see the list of all supported watches/phones combinations check the following link: supported-devices.

Downloads

Refunds, Reviews, Donations

Please check Google’s Play Store and Samsung Galaxy App Store refund policies before purchasing any paid app. Please also notice that Google and Samsung usually charge taxes and marketplace maintenance fees that only they can refund, so contacting them for a refund is your best option.

Samsung app store refund policies: https://www.samsung.com/us/support/answer/ANS00076970/

Google play store refund policies: https://support.google.com/googleplay/answer/2479637?hl=en

PLEASE READ THE POLICIES ABOVE AND DON’T BUY AN APP IF YOU DON’T AGREE WITH THE PROVIDED RULES.

If you submit a review, especially negative one, please provide as many details as you can, so we can review and help. We’ve seen quite a few responses without any details, and helping in those cases is difficult. Please also read this wiki for a quick start.

You can provide the details either in this wiki’s comments, or send a direct email to the admin whose email address can be found in the app’s description.

Expenses for supporting various Android and smartwatches apps are much bigger than income generated by app stores so far. Real smartwatches are often required to test apps on new models. Software emulators, especially Samsung’s ones are not very good, and do not reflect the real “look and feel”

Donations

If you like this project and want to see more features and other smartwatches models supported, have your own suggestions that you want us to consider, please donate to the project using the bitcoin donation box below.

Bitcoin donation address: 1CRMQd91Lhm2EP8vSXcyyP2FsTfXXpAjF4

Why Updating Old App Not Possible in Samsung Store

The old GAC app supports many legacy Gear devices such as Gear, Gear II, Gear Neo, and Gear S. Since all these devices are different, they require different binaries. Samsung App Store doesn’t allow mixing companion and non-companion binary types in a single app’s distribution. That’s why new app is needed to enable companion functionality. We will gladly merge versions as soon as Samsung changes their policies (the best scenario) or when we decide to stop supporting legacy devices.

Below is an error message, which is caused by an attempt to add a companion-based binary to the old non-companion style app

Adding New Account from Android on Gear or Galaxy

To add a new account from the phone you’ll need to select “Connect to Phone” menu on Gear first:

Pic 1. Menu Page on Gear

If the device is already paired with and connected to the phone through Bluetooth, an icon on the top will turn green and you’ll see the following message:

Pic 2. Gear Connected to Phone

At this point an account page should pop up on the phone automatically. You can either select an existing account or tap the “+” button to add a new one. Tapping the “+” button will bring you to the Scanner page. Now you can point the phone’s camera at a QR bar code. When the QR bar code is recognized, the blue border will blink and the scanned code will show up in an edit box located just above the camera window.

Pic 3. QR Scanner Page

Press “Send to Watch” button and the scanned account will be sent to your Gear device. You can also save the account to phone by pressing “Save” button. After an account is saved, the “Accounts” page will be displayed. Alternatively, you can get there by pressing an “Accounts” menu in the toolbar.

Pic 4. Accounts Page

At the “Accounts” page you could see a list of OTP tokens for all your accounts, and you can use the buttons on the bottom to perform the following actions (left to right):

  • Send selected accounts to Gear
  • Save all accounts to a backup file
  • Delete selected accounts from your phone
  • Restore all accounts from a backup
  • Add more accounts by either scanning QR bar code or by typing a shared secret manually

Tap a token if you want to zoom it. The token will be refreshed properly in the zoomed view as well. When a color of the border becomes red, a new token will be generated automatically.

Pic 5. Zoomed Token

You can scroll accounts on this page using left and right arrow buttons on the bottom.

Changing Account’s Order

By default the accounts are stored in an alphabetic order, but it’s possible to change the order by long pressing an account name and dragging it to the new place.

Editing Account

Tap an account name in the list to edit it. It will bring you to the Scanner page where you can edit account name, the bar code, or scan the code using the phone’s camera. Press store icon on the bottom to save the account to the phone.

Backing up and Restoring Accounts on Phone

Account restore page can be reached by tapping restore button (second from the right) on Accounts page.

Pic 6. Backup and Restore

By default the app works with encrypted backups: a password is required to decrypt the accounts and to verify the signature created for the backup. You can use a plain unencrypted backup by unchecking the “Encrypt backup” option in Settings, but that option is strongly discouraged. If you want your app to remember the password, use the “Remember password” option in Settings.

A button located below “From Watch” title can be used to restore phone’s accounts directly from a watch.

The backups that are not needed anymore can be deleted by selecting them in the backup list and pressing a “trash” button on the bottom.

Saving accounts to a backup file is similar and has two options as well: encrypted and unencrypted backups.

Google Drive can be used to backup and restore accounts as well. Use Google Drive button with a question mark to check what backups are available.

Legacy Backup and Restore

Legacy backup and restore are used to save or restore data in gac-codes.mp3 file that can be used for integrating with an older Gear’s GAC version that doesn’t have an Android’s companion app. Use either MP3 button on the bottom or Legacy Backup/Restore menu items in tool bar to create a backup or restore your accounts from it. The MP3 file will be created in Music directory that can be used by Samsung’s Gear App for transferring it further to your Gear device, where the file can be used to initialize the accounts through “Init from File” menu.

Working with Samsung Watch

Token Page

After accounts have been imported to the watch, they will appear in the main menu. Simply tap an account to see a token. To return to menu again tap a “list” button on the top of token page.

 

Account Deletion

To delete an account, tap an account name in the list and hold for a couple of seconds until it changes a color and starts buzzing. Confirm account deletion on the following screen:

Getting Help

To get more help on usage tap the “Help” item in the main menu.

Other Screens Seen on Samsung Watch

When accounts are successfully received by Gear you’ll see the following screen:

Pic 7. Accounts Received from Phone

When messages are sent by Gear to phone, you’ll see the confirmation screen:

Pic 8. Accounts Sent to Phone

If Gear is disconnected from its peer, the green icon will turn red.

Pic 9. No Connection Page

 

GAC Widget

GAC widget can be used to see the last viewed account and is activated in the same way as any other Gear’s widget: you add it on home screen selecting and tapping the icon below (just swipe screens left until you see it).

Pic. 11 Adding GAC Widget

After widget is added and if a user had recently viewed an account in the GAC app, the latter account will be displayed in the widget. If there was no account previously selected by a user, the following screen will show up.

Pic. 12 Non-initialized Widget

Tap the widget to initialize it or if you want to change a previously selected account. After an account is selected, the widget will display it until another account is selected.

Pic. 13 Initialized Widget

Navigate to the home screen and slide screens left to see the GAC widget.

Adding New Account from Android on Wear

First, start GACW app on Android phone, then start the same on your Wear watch. The beacon icon will turn green on the watch and Wear OS icon will show up in phone’s app tool bar.

Select accounts on your phone and press a “Send to Watch” button or menu item. After accounts are transferred, the Android app is not needed anymore. You’ll see an account list on your Wear device:

Pic. 14 Account list on Wear

Now you can select an account from the list to see the token:

Pic. 14 Auth Token on Wear

Google Auth for Fitbit

NOTE for users with iPhones: A new app called “2FA Hub” is available in the iPhone App Store now. It makes account creation and transfer easier. Connectivity is much better than in Android’s. Give it a try!

New Features Introduced in ver 1.1.3

The following new features have been implemented in ver. 1.1.3

  • App version is visible in app’s Settings (see General section)
  • App auto-close timeout setting was added. By default it’s off. Edit the “Auto close app after n secs” property to set up the timeout in seconds. This can be used to avoid excessive battery usage if the app was not closed.

Tested Devices

The following Fitbit devices have been tested:

  • Fitbit Versa (real device)
  • Fitbit Ionic (through simulator only)

Required Fitbit OS SDK

The first app’s version (1.0.5) was built with Fitbit SDK 1.0, which is supported by all known Versa and Ionic devices. However, starting from version 1.0.7 the SDK used was 3.1. It means that for using the latest versions of the app you’ll probably need a firmware upgrade. The minimum firmware version that supports SDK 3.1 on Versa is 32.33.1.30, for Ionic – 27.33.1.30. Updates are available in Fitbit’s mobile app when you choose your device in the dashboard. Use Settings/About on your Fitbit device to check its firmware version.

If you don’t see the latest app’s version in the Gallery, it’s because your firmware was not upgraded.

Installing Google Auth on Fitbit

Fitbit app is approved and is available in the official Fitbit Store: https://gallery.fitbit.com/details/583cf908-87d4-4ae6-9331-ca0fbffd0ff0. To find and install it:

  1. Open Fitbit App on Android phone
  2. Tap Apps icon and type “Google Auth” to a search bar

Quick Start

  1. Open Fitbit App on Android and make sure that your Fitbit device is visible
  2. Open GACW App on Android. This step could be optional if you don’t mind typing your accounts manually
  3. Open Google Auth app on Fitbit device

The following screen will pop up on the Fitbit device:

Pic. 15 No Accounts Screen

4. To quickly check if the app is functional, click top-left button. It will import a testing account from settings:

Pic. 16 Account Received

5. Press green Ok button on the right and you’ll see an account list:

Pic. 17 Account List

6. Tap “Test” item to see a token:

Pic. 18 Test Token

7. If everything worked as described above, you can proceed to creating your own accounts. There are two ways of doing this: using GACW Android App and typing accounts manually in Fitbit’s Android App settings.

If you can’t import testing account, most likely you have a connection problem. Read the next section to troubleshoot the connection.

Troubleshooting Connection With the Phone

If buttons on the top do not work it’s certainly a connection issue. To troubleshoot go through the following steps:

  1. Open Android’s Fitbit App
  2. Make sure that Sync is not running. If it is, the connection from the watch will be ignored.
  3. Select your watch by clicking its name and press “Apps” button. If you see “Unable to Connect” message, you don’t have a connection. Make sure that Bluetooth and Location are on in your telephone settings.
  4. Exit the app on the watch
  5. Start the app on the watch again and check if top-left and top-right buttons work this time

If you tried everything and connection to the phone is still not available, you can always enter the accounts manually in the app’s Settings section from the phone.

Creating Accounts Using GACW Phone App

  1. Open GACW, the Android Fitbit App, and Google Auth on the Fitbit device
  2. Go to accounts page on Fitbit device and press beacon icon (top-right button)
  3. Device pairing dialogs will show on Fitbit and GACW:

Pic. 19 Pairing

4. Enter the PIN from Fitbit into GACW and press enter. If pairing is successful, you’ll see a confirmation message

5. Choose Ok button on Fitbit and GACW to close dialogs.

6. The beacon icon should be green on Fitbit’s accounts page. The Fitbit icon will show up in GACW’s toolbar and the “send to watch” button on the bottom-left will turn green. Select the accounts that you want to transfer and press the lower-left button in GACW to send them to Fitbit. If the transfer is successful, you’ll see an “accounts received” message on Fitbit.

   

Pic. 20 Accounts in GACW

7. Tap an account on Fitbit to see a token

Creating Accounts Manually

For each account that you want to create you’ll need:

  • Arbitrary account name, e.g. “Google”;
  • Shared secret in Base32 form.

 

  1. In Android’s Fitbit App find Google Auth and open its settings:

Pic. 21 Accounts in Fitbit’s Settings

2. Tap the “Add Account” link and add a new account in the form: Account:SharedSecret. Make sure that there are no errors in the “Errors” section below.

Pic. 22 Settings Page

Alternatively, starting with version 1.1.5 you can add optional parameters after the secret, e.g.

AccountName:f7gjhjrjaheksk6f:10:1:8

where

  • 10 is the sequential number of the account in the list (use it if you want to change the order in which accounts are displayed)
  • 1 indicates that HmacSHA256 will be used (default is 0, which is HmacSHA1)
  • 8 is the length of the token (default is 6)

The full syntax of the account string is as follows:

AccountName:secret:[order:[Algorithm:TokenLength]]

3. On the Fitbit device tap the top-left button to import accounts from settings. An “accounts received” page will show up if the import is successful.

Pic. 23 Accounts Page
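An added example (not the app's code) that parses the account string syntax above and computes the token per RFC 6238. The 30-second time step, the 6 to 8 digit limit, the pair-only reading of the optional fields and the sort rule in `load_accounts` are assumptions; the sample lines are constructed from the public RFC 6238 test keys.

```python
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional

# Algorithm codes as listed on this page: 0 = HmacSHA1 (default), 1 = HmacSHA256.
ALGORITHMS = {0: hashlib.sha1, 1: hashlib.sha256}
TIME_STEP = 30  # seconds; assumed (RFC 6238 default), the page does not state it


@dataclass
class Account:
    name: str
    secret: bytes               # decoded shared secret (raw key bytes)
    order: Optional[int] = None
    algorithm: int = 0
    digits: int = 6


def decode_secret(text: str) -> bytes:
    """Decode a Base32 secret, tolerating lower case, spaces and missing padding."""
    cleaned = text.replace(" ", "").upper().rstrip("=")
    if not cleaned:
        raise ValueError("empty secret")
    try:
        return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    except ValueError:
        # Do not echo the secret back in the error message.
        raise ValueError("secret is not valid Base32") from None


def parse_account(line: str) -> Account:
    """Parse AccountName:secret:[order:[Algorithm:TokenLength]]."""
    fields = [f.strip() for f in line.strip().split(":")]
    # Assumed reading of the syntax: algorithm and length only appear as a pair.
    if len(fields) not in (2, 3, 5):
        raise ValueError("expected 2, 3 or 5 colon-separated fields")
    if not fields[0]:
        raise ValueError("empty account name")
    account = Account(name=fields[0], secret=decode_secret(fields[1]))
    if len(fields) >= 3:
        account.order = int(fields[2])
    if len(fields) == 5:
        account.algorithm, account.digits = int(fields[3]), int(fields[4])
    if account.algorithm not in ALGORITHMS:
        raise ValueError("algorithm must be 0 (HmacSHA1) or 1 (HmacSHA256)")
    if not 6 <= account.digits <= 8:   # assumed limit; the page shows 6 and 8
        raise ValueError("token length must be 6 to 8 digits")
    return account


def load_accounts(text: str) -> list:
    """Parse one account per line; explicit order first, then alphabetical."""
    accounts = [parse_account(l) for l in text.splitlines() if l.strip()]
    return sorted(accounts,
                  key=lambda a: (a.order is None, a.order or 0, a.name.lower()))


def totp(account: Account, at: Optional[float] = None) -> str:
    """RFC 6238 TOTP for the account at Unix time `at` (default: now)."""
    counter = int((time.time() if at is None else at) // TIME_STEP)
    mac = hmac.new(account.secret, struct.pack(">Q", counter),
                   ALGORITHMS[account.algorithm]).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** account.digits).zfill(account.digits)


# Constructed sample input built from the public RFC 6238 test keys, not real secrets.
KEY_SHA1 = base64.b32encode(b"12345678901234567890").decode()
KEY_SHA256 = base64.b32encode(b"12345678901234567890123456789012").decode()
SAMPLE = "\n".join([
    "Legacy:" + KEY_SHA1.lower(),        # name:secret only, defaults apply
    "Work:" + KEY_SHA256 + ":1:1:8",     # order 1, HmacSHA256, 8 digits
    "Mail:" + KEY_SHA1 + ":2:0:8",       # order 2, HmacSHA1, 8 digits
])

if __name__ == "__main__":
    for acct in load_accounts(SAMPLE):
        print(acct.name, totp(acct, at=59))
```

A string with algorithm 1 or length 8 only yields valid codes if the 2FA provider was configured with the same parameters; otherwise the server and the watch compute different tokens.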

Auto Close App

To keep the app from running forever and consuming battery if a user forgets to exit it by pressing the “back” button, an auto close feature has been implemented starting from version 1.0.8. The default timeout is set to 0, meaning there is no timeout, but it can be changed in the app Settings page on the phone.

Pic. 23 Auto close app

Known Issues

Issues that have been fixed

  1. An issue specific to Android 8.0 has been identified: the Android companion crashes with a Runtime Exception. The issue was attributed to the “new behavior” of Android 8.0 and is considered by many as a platform bug: https://stackoverflow.com/questions/48072438/java-lang-illegalstateexception-only-fullscreen-opaque-activities-can-request-o. That issue has been fixed in GAC version 3.4.1. Please report if you still see this problem.
  2. Progress bar might not work correctly on some older Android’s phone models: it didn’t go all the way to the end and didn’t refresh the tokens. The issue has been fixed in GAC version 3.4.0.
  3. There was a complaint that the camera can’t scan a QR code on Pixel 2. Unfortunately, no details have been provided. Research has shown that Pixel 2 had many problems with the camera in other apps as well. One suggestion was to use 16:9 resolution, which I did for Pixel 2 and Pixel 2 XL devices only. Try Android’s version 3.4.5+ and let me know if it works. A ticket was opened with Google to investigate the issue, but they are very slow and I don’t have any confidence that they will ever find or fix it: https://issuetracker.google.com/issues/77754219.
    Note: The latest message from Google was that it does work on Pixel and other Google devices. If you still have problems with those, please provide details.
  4. No support for Lollipop and lower versions. I’ve created a debug version for Lollipop. Try it and let me know if it works. If it doesn’t, please provide details and a log file (adb logcat -d >log.txt). You can install it from here: http://credelius.com/credelius/app-debug.apk (simply click on the link from your phone’s browser). You’ll need to enable install from 3rd parties to make it work: Settings->Security->Unknown Sources. I’ll merge that version with the main branch if I see a need for Lollipop and positive feedback. So far I’ve seen only one user who wanted it.

Under Investigation (happens rarely)

  1. Sometimes tapping on GAC widget doesn’t start the GAC app. If you see “Launching app” message too long and nothing happens, just tap the widget again. The root cause of the problem has not been identified yet. It could be platform related.
  2. On very rare occasions, the GAC widget can stop working and won’t react to a tap. It’s not clear why it’s happening, and reproducing it is not possible, since it’s a very rare event. A workaround for now: long press the widget and remove it, then add it again. We’ll fix it as soon as we find the reason. It could be platform related.

81 thoughts on “Google Auth 2FA TOTP Client for Samsung Gear, Android, Android Wear, Fitbit”

  1. I have a new Gear S3 but I can not find GAC or GACW in Samsung Store. I need to use iPhone for business. Any ideas how to get Google Authenticator Codes to Gear S3 in combination with iPhone?

    • Unfortunately, I don’t have a companion for iPhone.

      However, you can use an older “Client for Google Authenticator” app on the watch, since it doesn’t require a companion.

      Create gac-codes.mp3 file and put it to a Music folder on iPhone, then transfer it to Gear S3 as a music file. After this is done, you should be able to import your accounts on the watch using “Init from File” menu.

      The format of mp3 file is one line for an account:
      AccountName:secret

      Example
      Google:4ioe3cvjyae7w6bk2zas5nyhbynqf5xe

      If this method doesn’t work, you can always use “new account” menu on the watch. Typing on the watch is not fun, but it’s doable.

      Please let me know, which method worked.

  2. I have gear fit 2 and I want to use it for 2FA, but I found out that my smart watch isn’t on any of the supported wearable list.
    I also can’t find either GAC or GACW on the Samsung appstore.
    Is there an alternative way that I can get GAC/GACW for the Gear Fit2 or am I stuck without it?
    Will there be an update that will support my watch?

    • I currently don’t have it for Gear Fit series due to small screen resolution, but I’ve noticed that Gear Fit2 resolution (width) was improved significantly, so I’ll take a look. It’s 216 now vs 360 in Gear S2-3 and Galaxy. Fitting existing UI to that screen might be still difficult.
      Thanks for bringing it up.

        • I don’t want to promise any date. I’ll take a look in a couple of days. If it’s just a matter of changing a style sheet, it could be fast, but if it requires re-factoring the code in many places, it can take some time.

          • Too bad
            No way to go around the official store?
            Like downloading homebrew apk’s for android and stuff?
            Anyway really thanks for checking it out for me!

          • It’s not apk in an Android store, it’s a wgt in a Samsung store. They don’t even have a simulator for this device type. We’ll need to wait until they release a full dev platform for these devices.

          • Created a beta for Fit 2, and tried to upload to the Samsung app store, but expectedly got an error. Wrote a message to Samsung support asking when they enable dev platform for this type of watches.
            Error
            Other than that beta is operational
            Menu
            Token
            Unlike Android, Samsung has a very difficult and obscure dev platform and no support for app side-loading. We’ll need to wait until they unlock the dev platform for Fit 2.

            Here is Samsung’s official answer. Not very encouraging.

            Dear Customer,

            Thank you for contacting us. We appreciate the opportunity to assist you.

            Regarding your inquiry, we would like to inform you that, in order to register Gear Fit2 device for watch face, please check the Application Registration Guide > 5. Attachment > 1) Binary Extraction Information > ③ Galaxy Watch Device Recommendation Information > Fitnessband.

            However, if you request to register general Gear application for Gear Fit 2, not watch face, we are sorry to inform you that sellers who have a strategic partnership on 'Health & Fitness' field with Samsung only can provide general Gear applications for Gear Fit 2 and its SDK for Gear Fit 2 is not published publicly.

            We regret to inform you that you are not able to register general Gear applications for Gear Fit 2 and we ask you to understand it.

  3. How do i delete an account on gear s3? Somehow I have the same account added once with my email sign-in address and the second time with the renamed name for the account. I’ve tried selecting the one account in the phone app and the overwrite checkbox when syncing, but the watch won’t remove the original account. Is there a full account erase on the watch, or is removing and reinstalling the answer? There are limited actions on the watch app unless i missed something. Fyi i have limited file system access on the watch if i need it via tizen studio.

    • Wait, i got it.. in help on the watch it directed me on how to manage accounts. Not the most intuitive app, but I like the functionality, and it works good so far.

      Do you have a user manual on the website somewhere? I missed it if so.

  4. Thank you very much for this app, I use it regularly with my Galaxy Watch! I have a large number of accounts I’d like to use this with, but it seems the app is limited to 25. Is there any way to get beyond this?

    Thanks again!

    • I was trying to keep footprint small on watches since they have limited resources. How many accounts would you need? I need to set a maximum anyway.

      • 50 would be ideal as it would leave room for growth. I set 2FA for all accounts that support it, and although not absolutely necessary, it would be nice to have them all available on the watch. It’d also be great to use GACW as my only 2FA app, so perhaps a compromise could be made by being able to select in the phone app which accounts to push to the watch, up to the limit of 25 (or even smaller since the less-used ones could live on the phone).

        • All right, I’ve tested it on watches and Android phone, and think that I can increase the # of accounts to 100 for Android phones, Samsung, and Android Wear watches. You might see some slowness when scrolling on a Samsung watch (I’ve tested with Gear S2) when the # of accounts is bigger than 50, but it’s not that bad, and is definitely usable. On Android Wear, I didn’t see any slowness (tested it with a Huawei watch).

          Hopefully, Samsung App Store will approve it fast and you’ll get the new version by the end of this week.

          For Fitbit watches it will be still 25, sorry. That watch is really low end in regard of memory, and I was running into “out of memory” situation very often, so it’s already on the edge.

          • Thank you so much! I really appreciate the quick update! Do you have a Bitcoin Cash donation address?

          • Thank you for the suggestion. My BTC address is 1CRMQd91Lhm2EP8vSXcyyP2FsTfXXpAjF4

            The status of the app in Samsung App Store is still “Under device test”. It’s annoying, but this is how Samsung App Store works. I wrote them that they should’ve learned how to release fast from Google who releases new apps in minutes, but Samsung has their own mysterious ways of doing things, so we’ll need to wait 🙁

          • The new versions have been released. Make sure that you use GACW 3.5.0 on Samsung watch and 1.3.2 on Android. Updating only one app won’t help.

  5. Hello. I have the Google Auth App installed on a FitBit Versa. I have thirteen accounts loaded in the FitBit App and transferred them to watch directly. On the watch I can only scroll through or see seven of those thirteen accounts even though the watch states that all thirteen were added/updated. What am I missing? Should I try to transfer via the separate Android app?

    • Thanks for reporting, Nathan. I’ve just checked it and found a problem in UI that was limiting the # of items to 7. I’ve released ver. 1.0.5 and it’s under FitBit’s review now. It usually takes a few days for them to release. Stay tuned. The max should be at 25 now.

      • Thanks for the quick reply. So I tried deleting a few apps I rarely use and attempted to resend all accounts to the Versa from the FitBit app. No error msgs yet still only seven out of thirteen accounts show in the watch app. Then, I attempted to add a few additional accounts from the Android GACW app with no error msgs but no additional accounts are able to be added beyond the 7. Wiped all accounts from watch and attempted fresh upload from FitBit App and the list only shows seven accounts again. I’ll try starting over with the Android GACW app and see what happens.

        • Thanks for troubleshooting. It looks like you didn’t see my last message. I found a UI bug where the # of items have been limited to 7. I’ve fixed it, and submitted to FitBit store. It’s under their review. They usually release in a few days. The app version that you’ll need on FitBit is 1.0.5
          The latest message from FitBit app store:
          “Update Waiting for Review
          Your App is available to users in the Fitbit App Gallery. An update is pending review

      • More info… Tried to freshly load all accounts from the GACW app and only seven loaded. Tried to load one at a time which resulted in only a total of seven accounts being allowed to show on the watch, but curiously when a new account is added to the bottom of the list the top one is lost. Now I’m lost on what to do next.

        • The update has been approved today by Fitbit. Yes, it took the whole 8 days for Fitbit to approve! The version that you’ll need is 1.0.7 or higher. You’ll also need to upgrade Fitbit firmware to support SDK 3.0. It’ll require firmware version 32.33.1.30 or higher.

          Please provide feedback for GACW on Android if everything works as expected. If not, let me know what the problems are.
          Thanks for using.

  6. Hello,

    it would be nice if you can add HOTP too.

    I am using KeePass2 with HOTP and it works great. To add an extra layer of security I want to use it on an extra device (Galaxy Watch) and not in Google Authenticator, because I use it too on my smartphone with Keepass2Android. And of course it is faster to use than a smartphone.

    There is no app at the moment which supports that; it would be nice if you could add it as “first mover” on a smartwatch.

    Greetz Martin

    • I’ve checked KeePass. It looks like they support TOTP too. What are the benefits of HOTP? If the state is out of sync, you would need to reset both client and server, which is rather inconvenient. Since you want it on the watch, time is already set correctly, and the correct time is the only thing you need to get a TOTP token.

  7. The fitbit app is cool, however, if you do not close it by pressing the back button, it keeps on running. Sometimes, I look up a code, and forget to close the app, so it keeps draining the battery for hours until I look at my watch again and notice the error.

    Is it possible to configure the fitbit app to automatically close after let’s say 5 min?

    • I’ve released a new version 1.0.8. It’ll be available after Fitbit’s approval. You’ll see a new parameter in Setting: “Auto close app after n seconds”. Default is 300. 0 means no timeout. Timeout is calculated as a time of inactivity. Any click will lead to a timeout reset.
      You’ll also need to upgrade Fitbit firmware to support SDK 3.0. It’ll require firmware version 32.33.1.30 or higher. See “auto close” and “firmware requirements” for details.

  8. I have just updated the GACW app on my Fitbit
    But after update when I go to the app setting in my Fitbit->My App->GACW->Settings
    I got a blank screen now
    I deleted the app and reinstall it
    It is the same

    • Thanks for reporting. Have you upgraded your Fitbit’s firmware recently? Please let me know what you have in Settings->About on the device. I had the same problem after the upgrade. Try to turn the Fitbit device off. On Versa you can do it by pressing “back” and right bottom button simultaneously for 10 seconds. Try to update both Fitbit mobile app and GACW one more time if it doesn’t help.
      There are many issues with upgrades on Fitbit reported by customers, e.g. GACW itself didn’t change much. I’ll submit the problem to Fitbit.

      I’ve researched it more and you’ll need to wait for version 1.1.1 that should be released this week.
      I’ve documented all problems here: https://credelius.com/credelius/?p=241#fbissues

    • Sorry for the delay. Fitbit was very slow with addressing SDK upgrade issues, but now it’s solved. Please upgrade the app version to 1.1.3. You might need to upgrade device’s firmware to the latest to be able to use the ver 1.1.3 and the new Fitbit’s SDK.
      Thanks for your patience and let me know if you see any other problems. There are a couple of new features as well: https://credelius.com/credelius/?p=241#fbnew

  9. Do you have plans to port the app to the FitBit Charge 3 ?

    I would buy the app with support for the Charge 3.

  10. Hey, great app! I have a few suggestions:

    fix typos on launch popup
    fix locked narrow aspect ratio (on Android device display)

    having 3-dot menu be identical to buttons is redundant and reduces intuitiveness. the five buttons could instead be five stacked text boxes in a 2×3 position (in this order because more commonly-used buttons belong on the right-hand side, closer to the thumb):

    double wide [send to gear]
    [delete][add]
    [restore][delete]

    this leaves 3-dot menu open for things like about, help, and purchase/upgrade.
    put some color in it too!!

    happy dev’ing 🙂

    • Thanks for the great feedback. I’ve quite a few popups and some of them are cryptic to save space on the screen. Please do tell me which one is bad in your view. In regard to aspect ratio – I had a lot of problems with Pixel devices, finally came to a solution that seems to be working for all. Let me know what your mobile device is, and I’ll take a look.
      I didn’t have that dotted menu at all in the very beginning, but then people started complaining that buttons are not intuitive, so I’ve added the menu. What do you suggest: removing buttons or menu?

  11. I have downloaded the correct app, I have a Samsung Galaxy Watch and I am trying to set up my account. For the account name, is it my email? and where do you find the QR Code? Nothing popped up on my phone or watch with a QR Code?

    Thank you

    • Rachel,
      Thanks for using. This is the client, it doesn’t provide the QR bar code. A website that you want to authenticate against should provide this code. After you have it, you can either scan or type it manually. Instructions about how to get the code should be available at that website. They are different for each provider. What website do you want to use it with?

      • Hi, I have the same question. I want to connect to Google Fit and my Galaxy Watch. I have the authenticator app but don’t see how I get the QR code to scan. Any help appreciated.

        Thanks.

        • There are two parts here: client, which generates the token and a web server that uses the token as a second authenticating factor. Client app like GACW doesn’t generate the QR bar code, it only uses it. QR bar code is generated by a web server. Examples are: Google, Twitter, WordPress and many others that you can find in this list: https://twofactorauth.org/. Each server has its own way and rules how QR bar code is generated, e.g. for Google you can get a QR bar code following these instructions: https://credelius.com/credelius/?p=108. For others – they are different. Only after you get a QR Bar Code from a website where you want to enable 2FA you can start using the client such as GACW.

  12. Is it possible to use this app to log into my Google Account? For example… every time I log in I have to use the 2 factor authentication. I click the “Yes” it’s me on my Phone. Can I do that by clicking “Yes” on my Fitbit Ionic?

    • What you’ve described is “out of band” auth, and its implementation is proprietary AFAIK for each website/service. My app implements a public standard called TOTP. Google is one of the early adopters of TOTP and you can definitely use my app for TOTP, which requires entering the token, but my app doesn’t do “out of band” auth. I personally use my app to do TOTP with Google. It works fine.

      • So I cannot use this app from my Fitbit to verify that it is me….so I can login to my Google Account using 2 Step Authentication?

        • You can use Fitbit to do TOTP with Google, not “pressing yes” button as you’ve suggested initially. Steps:
          1. Enable 2FA with TOTP at Google
          2. Get QR bar code from Google
          3. Scan it by GACW, transfer accounts to watch
          4. Use auth tokens generated by GACW on phone or watch to authenticate against Google’s websites

          There are many flavors of 2FA, but my app supports TOTP.

    • Thanks for your inquiry. First of all it’s not just SHA1, it’s HMAC with SHA1. I don’t believe that making it HMAC-SHA512 will add much to security. It would be relatively easy to implement, but the qs is – where is this requirement coming from? Can you name a few 2FA providers and clients who support it? All I’ve seen is HMAC-SHA1 so far. If I see a demand for HMAC-SHA512 I can implement it, but it will be very slow on platforms like Fitbit smartwatch.

      • Thank you for your response. I agree with you concerning the security. I just need it because a Sophos TOTP code I was provided for 2FA uses SHA512. It seems there are others using different SHA methods as well (RedHat, MyGov). It was discussed here (https://github.com/keepassxreboot/keepassxc/issues/873) for the same request in KeePassXC and eventually realized. For Android, Sophos provides their own Authenticator, for Wear OS I have found nothing supporting it.

        • Interesting. I’ve checked RedHat’s FreeOTP and it looks very cool. I might need to consider adding the following parameters: digits and algorithm. GACW can scan their QR code, but it doesn’t currently honor algorithm or digits of course. I’ll take a look

          Here is a URL generated by their QR generator:
          otpauth://totp/gryb.info:test?secret=yjyafuqe7sxpyaqfni2ypn6ptfsax6nn45f2kjirarb5k32j2nojtinn&algorithm=SHA256&digits=6&period=30

        • All right. I’ve just added support for SHA256, 512, and different token lengths: 6,7,8,9,10. Make sure that you enable yourself as beta tester, because both Android and Wear OS apps have been released as beta. You’ll need to find “Early Access” feature in Play Store. The versions are 1.6.1 and 1.6.0 on Android and Wear. Didn’t do anything for other watches yet. It could be more difficult.
          Please test and let me know if it works for you.

  13. I did eventually find the correct app in the Watch store, however it was confusing as the one I needed was called “Client for Google Authenticator with Companion”, not “Client for Google Authenticator”. The multiple versions had me confused as there are 3 different places you need to look for this: 1. The Google Play Store. 2. The Galaxy App Store. 3. The Galaxy Wear App Store, and they have to be precisely paired for it to work it appears. If there is some documentation that shows exactly which pairing works and include links to each store app in that documentation that would be helpful and less confusing. Please delete my previous comment as it was unfair given the more recent find.

    • Thanks for your feedback. Yes, the documentation is available, its URL is provided in the app description and the reason for many versions is explained there. To put it short:

    • I wanted to keep 5-year old app for legacy devices starting with Gear 1 and Gear S
    • Samsung platform doesn’t allow combining apps with and without companion in a single bundle
    • The complete docs are available in this wiki: https://credelius.com/credelius/?p=241 (see App’s Flavors section for your initial qs about app’s versions). I know that people (including me) don’t like reading instructions, but sometimes we should. If you have any qs about the wiki, please ask and I’ll do my best to help you.

      Per your request, I’ve deleted the previous comment.

  14. It was working with my old phone (Moto 4G+ android 8.1) and my Versa 2 but after getting a new phone (Moto G7 android 9) I can no longer get the Versa 2 app to talk to the android app. I can get the watch to display the pin, but I can’t get the android app to ask for the pin.

    I can do a roundabout method and copy the secret to the android Fitbit app settings, then transfer it to the watch but I can’t do a direct transfer.

    • The problems with Fitbit are almost always related to a flaky connection. Try going through the following steps:

    • Make sure that you have the latest version of Google Auth on Fitbit: you can see version on Android in Fitbit App -> Your Device -> Apps -> Google Auth -> Settings. Version should be 1.1.3. If not, upgrade
    • Exit Google Auth app on the watch
    • Make sure bluetooth and location service are on on your phone
    • Go to Fitbit app on the phone, then click your watch icon, and then click on Apps tab
    • If you see “Unable to connect” message after clicking on Apps, it’s still not connected and you need to make sure that this error goes away
    • After watch is connected, make sure that sync is not running and start Google Auth on the watch again
  15. what a load of ???? I paid for an app to give me Google assistant on my mobile … what’s all this crap …. either give me the app or credit pls

  16. First & foremost, I’d like to thank you for this well designed, PERFECTLY functional lifesaver of an app. For many years, I’ve been one of the highest volume OTC Bitcoin Traders in N. America. I use TOTP codes over 100x per day sometimes…releasing escrowed funds, signing in at various financial sites, etc. Pulling my phone out, typing the long pin, opening Aegis Auth, typing my Aegis pin and THEN navigating to the code every. damn. time. that I need one is simply not an option.

    I’ve always worn the venerable Huawei 1 with Google (yuk) Auth support. But I have one for every strap/band in every color so have added a couple Gears S2’s as well because FASHION! Anyhoo, your app is the LONE option available for my Gears. You are my hero and I think of you every time I grab a code from any of my S2’s…and some other times too.

    🙂

    To add my codes, I just typed the secret, added the acct name for each and then sent all to each Gear S2 watch. Couple questions, tho:

    1. Pretty sure I can delete the codes from Android companion app. I use Aegis (which is stellar) and will keep my encrypted originals safe there on my phone and in an Aegis Multi App Functional backup stored physically offline in a safe. See any problem w that setup? If watch malfunctions, I’ll just add them again from scratch.

    2. Are the codes encrypted on the watch?? Shirley they are and Shirley you touch on this but I can’t find the answer as easily as I can reference 80’s movies like, “Airplane!” I’m assuming the codes sent to watch are considered “backups” and thus, are encrypted from the companion app backup pw as long as user added one before sending. Yes? No? Maybe??

    If I’ve been walking around with secrets on my wrist in plain-text that help protect my triple-digit hodl horde…I’m just gonna quit the BTC flippin’ game bc I’m obv not as smart as I think I am and hackers (and some fraudsters), whom of which I encounter on a daily basis, are.

    (run-on sentences ftw)

    One “last” thing, I’ve always admired you Mobile Devs and your calm/collected ways…especially in the Android realm. I think you are all probably subs who enjoy abuse. I could never do it. ~95% of the idiots (everybody) expect every app to be totally free, no “pro” costs, no $ add-ons with zero ads! What’s more, instead of contacting the dev(s) via obv channels, 99.99(repeating)% of them head straight to the reviews the instant they have a technical issue.

    If I see ONE more “If I could give this app NO STARS, I would.” comment, I am going to use my vast resources to hunt the offending party down and give em the Ol’ “London Bridge Head Spike” treatment (look it up). So the other Lemmings will know what awaits their entitled, fat-arses should they propagate additional diarrhea of the mouth.

    (whew)

    You see? I’m all worked up FOR you…imagine if I had skin in the game. I’d probably spike some heads, dude! You don’t even wanna know how I handle attempted scammers but I *am* exerting this level of effort on a rando, positive comment at 430am…do the math.

    Anyway, there were a couple questions hidden within this diatribe. I think. I’m verbose by nature and I am literally certifiable. LITERALLY. But it cool, I usually take my meds and you gotta be crazy to do what I do at the level I do it at…trust me.

    For suffering my incessant blathering (if you read this far) aaaand for maintaining A+ apps, I WILL send you some BTC. That is all for now. I have a gambling problem that needs nursing and must bid you ‘good DAY, sir!’

    • Thanks for all the good points. I did read your comments to the end and appreciate the intelligent questions that you’ve asked. If you really want to send coins, the wallet can be found here: https://credelius.com/credelius/?p=241#donats.

      I’ll answer your qs in detail later, but I want to mention right away that there is no 100% security in anything, especially when it comes to consumer products like this. Threat modeling, risk assessment and assigning severities to residual risks while taking into consideration the protected asset’s value is a common approach to addressing those issues. In the enterprise world and in highly regulated environments this is a mandatory thing, while in consumer products I’ve never seen this approach used. Take a look at any similar products like Authy (probably the most popular in this domain) or even stock Google’s authenticator and try to get answers for your questions.

      As for idiots publicizing their idiocy by writing ignorant and angry reviews, there is nothing we can do about it: both Google and Samsung app stores are reluctant to remove those reviews even if they are an obvious lie and an abuse of their own rules. The simple truth here is that idiots are many and they produce a lot of traffic that generates revenue for the platform creators.

  17. Please, I wanna buy your app but my situation is this; I have an iPhone and a Wear OS watch. I need 2FA on my watch, so can I install this app and enter the 2FA code manually on my watch without using a phone at all?

    • Unfortunately, for Wear OS you’ll need an Android phone to transfer accounts to the watch. I don’t have a companion app for iPhone. Sorry for the inconvenience, I’ll consider building an iPhone based companion for Samsung and Wear OS watches in the future.

      If you have a Fitbit’s Ionic or Versa watch, you can try setting it up manually from your iPhone as described here: https://credelius.com/credelius/?p=241#fitbit ( see “Creating Accounts Manually” section).

      I have many watches, but Fitbit is my favorite so far that I use on a day to day basis. The reason – I can charge it once a week, unlike all others, and I bought my almost new Ionic for $70 only on ebay.

  18. Does this work without the wear device being connected to a phone?

    I understand you need the companion app to load secrets into the wear app, but once the secrets are loaded can I use the wear app to get OTP codes even if the phone is turned off/not nearby?

    • That’s correct, after OTP secrets are loaded, a telephone is not required to get an OTP. No connection to the phone is required. It works this way for all supported watches: Samsung Galaxy and Gear series, Android Wear and Fitbit smartwatches.

      • One other question – will this work with the newer Samsung watches? Specifically the Samsung Watch 3? They look to be a direct replacement for the gear watches so I’m inclined to think so

        • I do not have this specific watch model, but can you please go to Samsung Galaxy App store to see if you can install my app (GACW – 2FA TOTP Client for Gear, Wear, Fitbit, Android) to your watch? It’s free in Samsung store. If you can, it should work. If you don’t see it, I might need to test it with the new watch model and update the app in the Galaxy App Store.

          • heh, the issue is I don’t have the watch, was looking at what was compatible before buying. I’ll try track someone down who has one. Thanks for being so responsive!

          • Ah, sorry, I didn’t realize that you didn’t have a watch. I’ve just checked the released binaries in Samsung’s App Store and saw these models supported: Galaxy Watch 3, Galaxy Watch BT, Galaxy Watch LTE. This is in addition to the older devices like Gear S2 and Gear S3, Galaxy Gear and Gear Sport.
            Check also this link with very detailed phone/watch combinations

            Hope it helps.

  19. Hi Oleg. GACW is such a helpful app. Thanks for working on this. I am using a Samsung Galaxy Watch and have successfully set up two accounts for common services. But I fail when setting up an account for my Sophos VPN (which works on another 2FA app). I see you solved a Sophos VPN problem for another user last year and it appears that your fix is in this latest version of GACW (which I am using).

    Here is my problem. While creating an account in the phone app I successfully scan the QR code and the secret is appropriately filled into the field on the scanner page. When I save the account to the phone, the app shows no OTP value for the Sophos account. When I save the account to the watch, the app shows either ‘000,000’, the appropriate OTP, or an incorrect OTP. In all cases, the number does not refresh unless I leave and re-enter the account. Any idea what’s up?

    • I think, I found the problem. Try simple thing before I fix the bug in a new release:
      1. Edit your Sophos account in GACW on your phone (just press the list button on the right).
      2. On account page unmask the shared secret and remove all %3D characters in the end of the string. Be careful – don’t delete any other characters.
      3. Save the account by pressing “down arrow” on the bottom
      4. Sync with your watch
      5. Let me know if the fix worked, so I could provide a permanent fix with a confidence

      Update: new GACW ver 1.7.7 has been just released. It should fix the issue.

      • Look at you! Just look at you! This solved the problem after I deleted and re-established the account. You are so helpful. Thank you! I am now recommending your app to colleagues.

        • I’m glad it worked for you. Please don’t forget to rate in Android and Galaxy app stores (each new version can be rated). It’ll help the app and support even more than word-of-mouth.

  20. With the new releases for the Versa 3 and Sense, will the app be updated to work on those models? I just received my Sense, and the app is no longer available via the Fitbit app store (presuming model doesn’t match for compatibility). This is one app I used the most on my Versa 2. I really do appreciate all the work in getting 2FA to work on the smart devices. It makes things so much easier than grabbing the phone out of my pocket all the time.

    • Thanks for your inquiry. I’ll need to check these two new models. Currently the app supports Versa, Versa 2, Versa Light and Ionic. If the same APIs are supported the porting should be easy. If not, I might need to release a new version.
      UPDATE
      I’ve just checked the changes that Fitbit made to SDK 5 needed to support new models. It’s a disaster requiring a complete UI rewrite. I’ll try doing that, but it won’t be simple nor fast. I’ll keep you posted. My rant is here if you’re interested in details: https://twitter.com/oleggryb/status/1310420895828123648

    • Good news – I was able to port the app to SDK5 to make sure that Fitbit Sense and Versa 3 are supported. I’ve submitted the binary to Fitbit App Store today. Hopefully, they will release soon, but it normally takes one week before you see it in the app store.
