Is there any security reason to not allow adding authenticators for a certain account?

It depends on what risks are acceptable to you.

When there is a single authentication code, the probability of guessing it is 1/1000000 = 0.000001. And it does not matter how many devices you install the authenticator on. If there are two independent authentication codes, the probability of guessing a valid code is 2/1000000 = 0.000002. The more independent codes you allow, the higher the probability of guessing one.

Is it a security issue or not? It depends on what risks you accept. If you require that the probability of guessing a valid code be no higher than 0.0001, then you can allow up to 100 independent codes. If you accept a probability of 0.00001, then you can allow up to 10 independent codes. If you accept a probability of 0.000001, then there must be a single code.

Whether Google used this rationale or some other, only Google can answer.
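An added example, not part of the original answer: the same calculation in Python, generalized beyond the single-guess case to a server that allows several guesses before lockout and accepts more than one time step per secret. The `attempts` and `window` parameters and all function names are assumptions made for illustration; the model treats every valid code as independent and uniform over the six-digit space.

```python
import math

CODE_SPACE = 10**6  # six-digit codes, matching the 1/1000000 in the answer


def guess_probability(secrets, attempts=1, window=1, code_space=CODE_SPACE):
    """Chance that at least one of `attempts` distinct guesses hits a valid code.

    secrets  -- independent authenticator secrets enrolled on the account
    attempts -- distinct guesses allowed before lockout (assumed parameter)
    window   -- time steps the server accepts per secret (assumed parameter)
    """
    if attempts >= code_space:
        return 1.0
    valid = secrets * window
    # Each valid code independently avoids every guessed value with
    # probability 1 - attempts/code_space; log1p/expm1 stay accurate for
    # very small probabilities.
    return -math.expm1(valid * math.log1p(-attempts / code_space))


def _acceptable(p, risk):
    # Treat values equal up to floating-point rounding as meeting the limit.
    return p <= risk or math.isclose(p, risk, rel_tol=1e-9)


def max_secrets(risk, attempts=1, window=1, code_space=CODE_SPACE):
    """Largest number of independent secrets whose guess probability <= risk."""
    if not 0 < risk < 1:
        raise ValueError("risk must be strictly between 0 and 1")
    if attempts >= code_space:
        return 0
    per_secret = window * math.log1p(-attempts / code_space)
    k = max(0, math.floor(math.log1p(-risk) / per_secret))
    # Correct the closed-form estimate for rounding at the boundary.
    while k > 0 and not _acceptable(guess_probability(k, attempts, window, code_space), risk):
        k -= 1
    while _acceptable(guess_probability(k + 1, attempts, window, code_space), risk):
        k += 1
    return k


if __name__ == "__main__":
    for risk in (0.0001, 0.00001, 0.000001):  # the answer's three thresholds
        print(risk, max_secrets(risk))
    # Constructed scenario: 10 guesses before lockout, 3 accepted time steps.
    print(0.0001, max_secrets(0.0001, attempts=10, window=3))
```

With one guess and one accepted time step the limits match the answer's 100, 10 and 1; the exact probability sits slightly below k/1000000 because two independent secrets can produce the same code.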
