How to Backup Google Authenticator or Transfer It to a New Phone

Our regular readers know that we strongly recommend enabling two-step verification wherever it is available. In a world where database leaks are routine, two-factor authentication is not optional; it is a must. With it enabled, an intruder needs both the password you chose and the device that produces the verification codes to break into your account. Two-factor authentication therefore protects against brute force, keyloggers, and most phishing and social-engineering attempts, and it makes man-in-the-middle and man-in-the-browser attacks harder. Know its limits, though: a real-time phishing relay that forwards your one-time code to the real site within the code's validity window still gets in, so treat the second factor as a complement to a strong, unique password, not a replacement for it.

So why is two-factor verification still unpopular? Yes, it adds an extra step to every login, but most users skip it not because of the extra time and effort, but because they are afraid of losing access to their accounts if something goes wrong with the device that generates the codes.

“As the world is increasingly interconnected, everyone shares the responsibility of securing cyberspace.”

Newton Lee, Counterterrorism and Cybersecurity: Total Information Awareness

Of all the available ways to generate or deliver one-time passwords (SMS, email, hardware and software tokens), most people choose Google Authenticator or a similar app such as Authy or Protectimus Smart. The operating principle is the same for every software OTP token: the app generates the authentication codes for logging into your account right on your smartphone.

Using a smartphone for two-factor verification is convenient, but it raises nagging questions: What do you do if you lose the smartphone that generates your one-time passwords? If you switch smartphones, do you lose access to the whole account? How do you transfer Google Authenticator to a new phone? In this article we answer these questions and help you protect your personal data.


3 ways to backup Google Authenticator

Backup codes

Google, like some other websites that let you protect your account with two-step authentication, provides backup codes. These are single-use codes that let you log into your account if you lose access to your OTP token; once a backup code has been used, it is gone for good. Most people print out their Google backup codes and keep them at hand.

Google Authenticator backup codes

Keep in mind that Google Authenticator holds many tokens, so you can enroll tokens for several websites in one app. Some of these websites provide backup codes, and a user can regain access to them if the smartphone is lost. But what do you do about the websites that do not support backup codes?

Another point against Google Authenticator backup codes is that they are only as secure as a password written down on paper. Anyone with physical access to the printout can copy the codes and use them to get into your account. Granted, the intruder would have to be someone close to you who also knows your password, but things happen.

Other things that you might want to keep in mind when it comes to printed out backup codes:

  • You do not have them at hand at all times
  • You can lose the paper or destroy it by mistake
  • Only a few services provide them

Google Authenticator backup codes have their perks, but you have to be ready for the drawbacks as well.


Saving screenshots of the secret keys

This is by far the easiest way to avoid ever losing access to your account. When you first set up a token in Google Authenticator, simply take a screenshot of the QR code that carries the secret key. Understand what you are storing, though: the QR code encodes the shared secret itself, so anyone who obtains the screenshot can generate the same one-time codes as your phone. Keep it out of your camera roll (which usually syncs to a cloud photo backup) and store it encrypted. If someone does steal your secret key they will still need your password, so make sure that is not an easy combination to guess.

Google Authenticator QR code

Programmable hardware token

Created as a more secure alternative to authentication apps, the Protectimus Slim NFC hardware token can be used with Google, Facebook, GitHub, Dropbox and other services. The token is programmed with an Android application over NFC.

The token looks like a credit card and is easy to carry, so you always have an alternative source of one-time passwords, for example when your smartphone battery is dead, you have reset the phone, or you have deleted the token by accident.

Protectimus Slim NFC OTP token

The hardware token is far more secure than a backup code on paper or a screenshot of the key: the token has no interface for reading the secret back out, so the secret stays inside it. Protectimus Slim NFC can be reprogrammed an unlimited number of times, so every time you change a token on a service you can simply reprogram it and stay protected.

The main drawback here is that one token allows for one secret key only.


How to transfer Google Authenticator to a new phone

Move Authenticator to a different phone

For your Google account, moving the authenticator to another smartphone is straightforward. Go to the two-step verification page and click the “Change phone” button, then either scan the QR code or enter the secret key manually on the new device. That’s it.

Google Authenticator Change Phone function

This works only for the Google account itself: it re-enrolls the Google token on the new phone and nothing else. The other services where you use Google Authenticator for two-step authentication are not touched, so for those you will need one of the next two options.


Disable & Re-enable Two-Factor Authentication

Disabling two-step verification is easy if you still have your old smartphone. Services usually require a one-time password from the current token before they let you disable two-factor authentication. To turn 2FA off temporarily, click the “Turn Off 2-Step Verification”, “Delete the token”, “Disable 2-step verification” or similar button, depending on the service; you will find it on the two-step verification page in the security settings. Remember that while 2FA is off the account is protected by the password alone, so re-enable it straight away.

Google Authenticator Turn Off function

Then install the authenticator application on your new device, re-enable two-step verification on each service, and follow the usual steps to set up Google Authenticator on the new phone. Save the secret key or QR code this time.


Manually Extract Your Credentials [Root Only]

Note: There are several ways to manually transfer Google Authenticator if you have a rooted Android smartphone. We do not recommend them. Rooting weakens the sandbox that keeps apps from reading each other’s data (which is exactly why the steps below work), and it makes the device more exposed to malware and instability.

This is a more time-consuming way to transfer the Google Authenticator keys to another smartphone, and it requires root access on the old phone.

To extract the secret keys manually you need adb running as root on the device. On a stock ROM this can be done with an app such as [root] adbd Insecure; on a custom ROM you may already have root adb, in which case no additional app is needed.

Put adbd into insecure (root) mode with the app or directly, connect the smartphone to your PC or laptop, and copy the Google Authenticator database to the computer with the following command.

This is the pathname:

adb pull /data/data/com.google.android.apps.authenticator2/databases/databases

After the file is copied you can open it and list the enrolled accounts with these sqlite3 commands:

sqlite3 ./databases

select * from accounts;

Now you have your secret keys (the base32 string in the secret column of each row) and can enter them manually into the authenticator on the new device. Treat the copied database file like a password file: delete it securely once the new phone is set up.
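The following Python script is an added example, not code from the original post or from Protectimus. It ties together the screenshot method above and the manual extraction just described: a screenshot of the enrolment QR code holds an otpauth:// URI, and the secret column pulled from the database holds the same base32 key, so either one is enough to generate your codes. The script parses such a URI, rebuilds one from a bare secret (as you would after the adb/sqlite extraction), computes the RFC 6238 TOTP code with HMAC-SHA1 as Google Authenticator does, and checks a restored key against a code the phone is showing right now, so you can confirm a backup works before you wipe the old phone. The sample URI is constructed; its secret is the RFC 6238 test key ("12345678901234567890") in base32, not a real account secret.

```python
"""Added example: what a Google Authenticator QR code or extracted secret really is."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, unquote, urlparse

# Constructed sample of the URI encoded in an enrolment QR code.
# The secret is the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")


def parse_otpauth(uri):
    """Return type, label, secret, issuer, digits and period from an otpauth:// URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth totp/hotp URI")
    q = parse_qs(u.query)
    if "secret" not in q:
        raise ValueError("URI carries no secret")
    return {
        "type": u.netloc,
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"][0],
        "issuer": q.get("issuer", [None])[0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def build_otpauth(label, secret, issuer=None, digits=6, period=30):
    """Rebuild a TOTP URI from a bare base32 secret, e.g. one read from the accounts table."""
    uri = "otpauth://totp/%s?secret=%s&digits=%d&period=%d" % (quote(label), secret, digits, period)
    if issuer:
        uri += "&issuer=%s" % quote(issuer)
    return uri


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP with HMAC-SHA1, the algorithm Google Authenticator uses."""
    # Authenticator secrets are usually base32 without padding; restore padding before decoding.
    s = secret_b32.strip().replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret_b32, at=None, digits=6, period=30):
    """RFC 6238 TOTP: HOTP over the current time step (30 s by default)."""
    if at is None:
        at = time.time()
    return hotp(secret_b32, int(at) // period, digits)


def verify_restore(secret_b32, code_from_phone, at=None, digits=6, period=30, drift=1):
    """Check a restored secret against the code the old phone shows now, allowing +/- drift steps."""
    if at is None:
        at = time.time()
    step = int(at) // period
    return any(hotp(secret_b32, step + d, digits) == code_from_phone
               for d in range(-drift, drift + 1))


if __name__ == "__main__":
    acct = parse_otpauth(SAMPLE_URI)
    print("label:", acct["label"], "issuer:", acct["issuer"])
    print("rebuilt URI:", build_otpauth(acct["label"], acct["secret"], acct["issuer"]))
    print("current code:", totp(acct["secret"]))
```

Run it after pulling the database: paste the value of the secret column into build_otpauth to get a URI you can turn into a QR code for the new phone, then compare totp() with the code on the old phone, or feed that code to verify_restore(), before trusting the backup.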


Conclusions

Two-factor authentication is a reliable and reasonable way to shield your personal data. Whether you use a hardware token or an app like Google Authenticator or Protectimus Smart, you now know how to stay protected even if you change devices or lose your smartphone.

We showed you easy options such as Google backup codes and screenshots of the secret keys, and a more secure option, the Protectimus Slim NFC hardware token.

You also know now how to extract the Google Authenticator data manually, transfer Google Authenticator to another phone and even shut off the two-factor verification if you happen to need to.

So now you do not have any excuses not to protect your info better. All that is left to do is come up with proper user passwords which are not the name of your cat!


Author: Maxim Oliynyk

He worked in the IT industry for many years. One fine day, he had an idea to create a convenient and affordable two-factor authentication service. He gathered a group of talented like-minded people. A bit of time + a lot of work + a lot of money + a million experiments. And – voila! Protectimus is born! After a little more time and effort, not only is Protectimus not in any way inferior, it is often superior as compared to former industry leaders.


11 Comments

  1. Thank you, author, you saved a lot of my time and nerves with this article.

    • Dear Dirk!

      I am really happy to give you a piece of my knowledge.
      I’ll continue to work for you 🙂

  2. Hello Maxim,
    I have a situation. old phone, (galaxy note 5), has dead screen. Google Auth on it. Of course, lost backup and QR. the program is paired with a crypto currency web site.
    Have another Galaxy note 5. Can not log on to the site because 2FA is turned on. Should have stayed with SMS auth. Crypto Site support has been unresponsive. If I load Google Auth. on new note 5, using same SIM (phone number), will new phone take over Google Auth from old phone? Or is it encrypted based on the EIN? If I can spoof the new note 5 EIN will it generate authorization to paired crypto web site? Or is there an app that will display a dead screen on PC just by plugging into the mini usb? Worst case,…i will replace the display and problem solved. Just wondered if any other less expensive ways to do it! (Besides saving backup!!) I am stupid. Any help for me? Thanks in advance.
    Chris
    PS,…Did my Chrome /Google account save the backup somewhere?

    • Hi Chris!
      Thank you for reaching out. It’s a pity, but Google doesn’t save any Google Authenticator backups. For the future, the easiest backup approach is saving secret keys for every website where you use two-factor authentication. Or, at least, for the most important websites for you. You can save the screenshots with the QR codes, or write down the secret keys, or use Protectimus Slim NFC tokens, which is probably the most reliable option.

      I suggest contacting the support team of your cryptocurrency website one more time. If this is not a fraudulent company, they’ll definitely verify your identity, and disable two-factor authentication for you. But if they don’t answer you, unfortunately, there seems to be no other way to restore your Google Auth than to replace the display. It could be possible if your phone was rooted. But now you can’t root the phone as you’ll have to tap several buttons, which is impossible in your situation.

  3. A little confusing. I already have Google Authenticator installed on my Android phone and I use it daily. But I CANNOT FIND the original QR code or secret key from when I first installed it. I have not lost my phone (yet) but this is very important in case I do lose it or it breaks. I went into my google account and added a 2 step verification and printed out 10 codes which I’ve now placed in a safe place. Please tell me: if I should lose my phone or it breaks, would I download Google Authenticator again? and since I have the 10 codes and can verify my Google account, will it work with my accounts that require Authenticator like before? Will I never have that QR code that I can’t find? thank you, appreciate your help

    • Hi Alyce, thank you for the question.

      1. You’ll never find the QR code with the secret key you used to create your current token, so don’t even try. You can see the secret key (QR code) and save it only once, at the moment when you create the token. Then it disappears, which is right from the security point of view (actually it’s stored on the authentication server and in your phone, but it’s too complicated to pull it out and you actually don’t need this).

      2. That’s very good that you’ve saved 10 Google backup codes. Now if something happens to your smartphone you will easily disable 2-step authentication and restore access to your Google account. But please note, if you use the Google Authenticator app for any other website (Dropbox, Facebook, any payment system etc.), Google backup codes won’t help you restore access to any account except Google.

      3. What can you do to backup the secret keys for all other websites where you use two-factor authentication? You can log into every account using current tokens, disable or delete two-factor authentication, and then enable 2-factor authentication one more time and create new tokens, saving the secret keys this time.

  4. Hello. I’m really hoping you can help me. I invest in cryptocurrency and use the Google Authenticator for the 2-step verification. Last week I upgraded to a new iphone, but with the same number. After connecting my iphone to my computer and restoring the backup, the Google Authenticator was not working. I downloaded it again and it keeps asking me for the barcode or enter manually. I don’t recall it giving me a “key” to use later. I searched my emails for a screen shot of it, but nothing. Now I can’t get access to barcode on any of my crypto wallets because I’m already a client per se; meaning all I need is my login information and the 2-step verification…which I can’t get. What can be done and why when I restored my phone does the google authenticator no longer work? Please advise if you’re able to assist. Kind Regards, James

    • Hello James!
      Unfortunately, this is a common issue for many iPhone users, Google Authenticator can’t be restored from iCloud backup. If you don’t have access to your old iPhone the only thing you can do is to contact customer support for every cryptocurrency exchange you use. There should be a way to restore access to every legal website. Maybe you’ll be asked to provide some documents for verification, it’s a normal practice for many payment services.

  5. Another option for backups is Authy (you briefly mentioned it, but not in depth). Yes, it stores your secrets “in the cloud”. Yes, part of the authentication method that it uses is SMS (which is technically against best standards for 2FA). What it excels at is the ability to back it up automatically. You can set your own encryption key as well. The methods that you mentioned are good if you always follow best practices for security; but the average user will never do so. (Heck – I’m a infosec engineer, and even I have a hard time following all best practices 100% of the time.) That’s where it comes down to a risk assessment. The chances of your secrets being lost through Google Authenticator is astronomical compared to the chances of a breach in a service like Authy. Not all sites support hardware authentication (I love my Yubikey; but very few services that I use 2fa on support it).
    There’s another part to the equation too… if someone gains physical access to my device, then my secrets in GA are compromised. There’s a good chance that one or two of my passwords are in memory; so I have to assume those are compromised as well. Yes, my phone is encrypted… but the problem with phones is that people (myself included) leave them on all the time – which means it will most likely be in a decrypted state when it is obtained by another party. With Authy, I can set it to require my encryption key whenever I open the app – meaning the secrets are much less likely to be compromised unless the attacker can brute force or guess my encryption key. From that respect, Authy has some security advantages over GA. (Heck – I’m an infosec engineer, and even I have a hard time following all best practices 100% of the time.)

    In the end, the biggest problem facing 2fa is that people think it’s too complicated. These methods for backing up secrets are great… if you’re willing to put the work into it. Most people aren’t, so they just will not do it if this is their only option. The best security mechanism is the one that people use – which means it needs to be easy to use. That’s where Authy makes more sense than GA. Both are great options, and it really doesn’t matter which one you use, as long as you use one. 🙂

    • I should clarify… when I say “The chances of your secrets being lost through Google Authenticator is astronomical compared to”…, I should have phrased it as “The chances of your secrets being lost through Google Authenticator is astronomically higher compared to”…

      Sorry for the confusion.

  6. how do I set it up for my Hotmail account

