
I started working on a replacement TOTP app on iOS that I intend to use instead of Google Authenticator. (Currently I am not planning on supporting HOTP, since all of the accounts that I secure with Google Authenticator are using TOTP.)

Google Authenticator prevents the MFA shared secrets from syncing to iCloud and it also prevents said shared secrets from being restorable from local backup to any device aside from the device where the secret was originally put into Google Authenticator [1].

What Google Authenticator does is good for security but not so great for the experience of switching phones.

The first time I came across this was a few years ago, the first time I bought a new phone after I had started using Google Authenticator: I had factory reset my old phone and was restoring its local backup to the new phone. When I saw that Google Authenticator was empty on the new phone I freaked out a little bit, and I also did not realise that I would still be able to restore them on the old phone, because I assumed that their not being on the new phone meant that they were not included in the backup at all. So I went through account recovery for all of the accounts that I had MFA enabled on. It was a bit of a drag, but at least all of them allowed me to use my e-mail or phone number to regain access, so I was not permanently locked out of any of my accounts.

When I set up MFA again on the accounts, I stored screenshots of the QR codes for each of them all together in a directory on an external, encrypted drive.

Still though, when I replace old hardware with new hardware those QR codes can become difficult to find again. And keeping the files on an external drive at home also means that if I lose my phone while I am traveling, I can't access the QR codes that I saved until I get back home.

So currently I have decided that, at the very least, my app will allow me to retrieve the original MFA shared secrets from within it when the phone is unlocked (PIN code) and user presence is confirmed. In other words: kSecAttrAccessibleWhenUnlockedThisDeviceOnly, .userPresence [2] [3].

Doing as I suggest in the above paragraph will at least make it simple to set up MFA on a new device as long as I still have the old device in hand, without having to go through each account and disable and re-enable MFA in order to get new shared secrets for each of them.

So far I consider the security of my MFA to be equivalent to that of not having export functionality built in. If my device is lost or stolen, the data would remain as well guarded as it was.

Beyond that I am thinking about even compromising on the security a bit by allowing the TOTP shared secrets in the keychain to be synchronised to iCloud. But I am still a bit on the fence about that one. I have misplaced my phone in the past, and I've caused accidental damage to it as well when it has slipped out of my hand. So there is a plausible risk that I might lose or accidentally destroy my phone while traveling. Then again, when I travel I also bring my MacBook Air with me.

So instead of syncing the TOTP secrets to iCloud, I could make a macOS version of the TOTP app and have it function in the same way as on the phone: requiring that my machine is unlocked and presence is confirmed before the TOTP shared secrets can be seen. And whenever I add a TOTP shared secret, I do so on both my computer and my phone (either at the same time, or one first and the other later).

If I was on a trip and I lost or accidentally destroyed both my phone and my computer at the same time, I would certainly be returning home early anyway. And if on top of that my home had burned to the ground while I was away, so that the external drive at home was gone too, well, I think that then the TOTP stuff would be the least of my concerns anyway. Probably.

So I think I've figured out the answer to what my app should do. iCloud: no. Show secrets when unlocked and presence confirmed: yes.

[1]: https://apple.stackexchange.com/questions/305372/will-my-goo...

[2]: https://developer.apple.com/documentation/localauthenticatio...

[3]: https://developer.apple.com/documentation/security/ksecattra...
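The following is an added example, not the poster's app or any code from the thread. It shows the policy the comment settles on as Keychain and CryptoKit calls: the seed is stored with kSecAttrAccessibleWhenUnlockedThisDeviceOnly plus .userPresence (so it is excluded from iCloud Keychain and from restores onto another device, and every read triggers a biometric or passcode prompt), and an export function rebuilds the otpauth:// URI that the original provisioning QR code encoded. The service name "com.example.totp", the account naming, the use of generic-password items, and the SHA1/6-digit/30-second defaults are assumptions for illustration.

```swift
import Foundation
import Security
import LocalAuthentication
import CryptoKit

// Added example, not the poster's code. Service name and account naming are assumptions.
enum TOTPStoreError: Error {
    case accessControlFailed
    case keychain(OSStatus)
    case notFound
}

enum TOTPStore {
    static let service = "com.example.totp"   // assumed keychain service identifier

    /// Save a raw TOTP seed: readable only while unlocked, never synced to iCloud
    /// Keychain or restored to another device (ThisDeviceOnly), presence on every read.
    static func save(seed: Data, account: String) throws {
        var cfError: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            .userPresence,
            &cfError
        ) else { throw TOTPStoreError.accessControlFailed }

        // kSecAttrAccessControl carries the accessibility class; do not also set
        // kSecAttrAccessible. kSecAttrSynchronizable is left at its default (false).
        let item: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecAttrAccessControl as String: access,
            kSecValueData as String: seed,
        ]
        let status = SecItemAdd(item as CFDictionary, nil)
        guard status == errSecSuccess else { throw TOTPStoreError.keychain(status) }
    }

    /// Read the seed back for export. The system shows the presence prompt with
    /// `reason`; the app never handles the biometric result itself.
    static func reveal(account: String, reason: String) throws -> Data {
        let context = LAContext()
        context.localizedReason = reason
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
            kSecUseAuthenticationContext as String: context,
        ]
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        guard status != errSecItemNotFound else { throw TOTPStoreError.notFound }
        guard status == errSecSuccess, let data = result as? Data else {
            throw TOTPStoreError.keychain(status)
        }
        return data
    }
}

enum TOTP {
    /// RFC 6238 TOTP over HMAC-SHA1, the variant Google Authenticator accepts.
    static func code(seed: Data, at time: Date = Date(), step: TimeInterval = 30, digits: Int = 6) -> String {
        let counter = UInt64(time.timeIntervalSince1970 / step).bigEndian
        let message = withUnsafeBytes(of: counter) { Data($0) }
        let mac = Array(HMAC<Insecure.SHA1>.authenticationCode(for: message, using: SymmetricKey(data: seed)))
        let offset = Int(mac[mac.count - 1] & 0x0f)              // RFC 4226 dynamic truncation
        let truncated = (UInt32(mac[offset] & 0x7f) << 24)
            | (UInt32(mac[offset + 1]) << 16)
            | (UInt32(mac[offset + 2]) << 8)
            | UInt32(mac[offset + 3])
        var modulus: UInt32 = 1
        for _ in 0..<digits { modulus *= 10 }
        return String(format: "%0\(digits)u", truncated % modulus)
    }

    /// Base32 (RFC 4648 alphabet, no padding) as used in otpauth:// URIs.
    static func base32(_ data: Data) -> String {
        let alphabet = Array("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")
        var out = "", buffer = 0, bits = 0
        for byte in data {
            buffer = (buffer << 8) | Int(byte)
            bits += 8
            while bits >= 5 {
                bits -= 5
                out.append(alphabet[(buffer >> bits) & 0x1f])
            }
            buffer &= (1 << bits) - 1                             // keep only unconsumed bits
        }
        if bits > 0 { out.append(alphabet[(buffer << (5 - bits)) & 0x1f]) }
        return out
    }

    /// The URI a provisioning QR code encodes; what an export screen would show
    /// after `TOTPStore.reveal` succeeded, so a new device can scan or type it.
    static func exportURI(seed: Data, issuer: String, account: String) -> String {
        let label = "\(issuer):\(account)"
            .addingPercentEncoding(withAllowedCharacters: .urlPathAllowed) ?? account
        return "otpauth://totp/\(label)?secret=\(base32(seed))&issuer=\(issuer)&algorithm=SHA1&digits=6&period=30"
    }
}
```

Typical flow in the app: `try TOTPStore.save(seed: seed, account: "example.org:me")` once after scanning a QR code, `TOTP.code(seed:)` for the six-digit display, and `TOTP.exportURI(seed: try TOTPStore.reveal(account: ..., reason: "Show this account's secret"), ...)` behind the export button. Two caveats a practitioner should expect: the keychain rejects userPresence-protected items on a device with no passcode set, and an item created with a ThisDeviceOnly class cannot later be flipped to synchronizable, so the iCloud decision in the comment is a property of each stored item, not a switch. The TOTP routine can be checked against the RFC 6238 Appendix B test vectors before trusting it.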

Microsoft's Authenticator app allows backups of the MFA secrets on iOS at least. As far as I understood, it does the backup of the secrets to iCloud and requires a separate Microsoft account (O365 won't do) to store an encryption key. So an attacker would need to breach both accounts.
