October 7, 2016 by Paul G. | Migrated, Shield Security

Google Authenticator Backups – The Best 2-Factor Authentication?

Shield Image

Google Authenticator provides a neat way to use 2-Factor Authentication (2FA). But it has a massive downside that is mostly ignored.

If you lose/reset/replace your phone (which is normally your primary 2FA device) then you’re completely screwed.

Why? Because all your two-factor authentication codes are gone, never to be seen again.

The huge effort in recovering from this sort of mini-disaster can be hugely distressing.

But don’t worry, we’ve found the perfect solution to this and finally put an end to all your Google Authenticator woes. 😀

A two-factor authentication disaster just waiting to happen

Google Authenticator works by using an App (of the same name) on your phone. You scan the QR codes, and it saves the 2FA account on your phone.

There is no easy way to move this App from off your phone to anywhere else. In fact, you can’t even export these codes.

You’re pretty much stuck with the Google Authenticator app on your current phone.

If this phone is destroyed, or the Authenticator app is uninstalled, then it’s going to burn you so badly that you’ll never want to use 2FA ever again.

And that can’t be a good thing.

2FA goes a long way to protect accessing to your important online accounts, and anything that increases the friction in using 2FA needs to be mitigated.

So what are your options?

We’ve experimented with a few different approaches because we’ve been burnt in the past. We found only one way to solve this problem once and for all.

Enter: Authy App, with Google Authenticator integration

Authy is a fully-fledged two-factor authentication service.

But don’t get this confused with Google Authenticator. They’re completely different.

We’re not interested in their service, just their app: the Authy App. You see, the Authy App also handles Google Authenticator 2FA code registration. This means that instead of using the official Google app, you’ll use the Authy App instead.

You’ll probably be asking the question: “Isn’t the problem of your losing your phone exactly the same?”

The answer is “no”.

With an Authy account you can backup your 2FA/Google Authenticator codes to your Authy account via the app. This means that if you install the Authy App on another phone, you’ll have the same Google Auth googles available on that phone, too.

Yes, you read that right. You’ll have Google Authenticator backups! 😀

What happens if you lose/reset your phone? You simply download the Authy App and retrieve your Google Authenticator codes from their backup.

It really is as easy as that!

You must replace your existing Google Authenticator codes

To replace your Google Authenticator App with the Authy App requires a little bit of work, unfortunately.

All those codes you currently have on the original Google Authenticator app will need to be transferred to your new Authy app.

You can’t transfer them directly, so it’s more of a “turn it off and on again” process. These are the basic steps:

For each Google Authenticator 2FA account you have:

  1. Go to the original service (e.g. Gmail, Github etc.) and remove Google Authenticator 2FA.
  2. Re-enable Google Authenticator for that account
  3. Use the Authy App instead of Google Authenticator app to register the new 2FA account.

It might be a bit tedious, but if you’ve already experienced the pain that comes with losing your GA codes, then you’ll agree some time spent here is a cheap price to pay for such a huge upside.

Thoughts or Questions?

Pretty useful, right? The fact is that we wouldn’t use Google Authenticator without a backup option.

The cost in time and friction you would incur every time a phone is replaced is massive. For some reason, folk that recommend Google Authenticator overlook this downside.

Please share this and get the word out – there is nearly always a better way to do things.  We hope this helped you!

Hello dear reader!

If you want to level-up your WordPress security with ShieldPRO, click to get started today. (risk-free, with our no-quibble 14-day satisfaction promise!)

You'll get all PRO features, including AI Malware Scanning, WP Config File Protection, Plugin and Theme File Guard, import/export, exclusive customer support, and much, much more.

We'd be honoured to have you as a member, and look forward to serving you during your journey towards powerful, WordPress security.

Try ShieldPRO Today →

ShieldPRO Testimonials
@vandaleonor's Gravatar @vandaleonor

Very happy

I’m very happy with security shield plugin, it is very easy to use, I have never had any issues. And the price is great. My head and my heart are rested…

@josemarcosgonzalez's Gravatar @josemarcosgonzalez

Muy bueno

fácil de instalar y de configurar

@doctor1's Gravatar @doctor1

这是个很好的插件

这个插件很稳定,功能很强大,解除了我被骇客攻击的困扰。谢谢。

@hyerbon's Gravatar @hyerbon

Excellent plugin

A great plugin to batten down the hatches. Feel safe.

Comments (31)

    This also concerns me. Big issue.

    I’ve deliberately not used the app, but have used the option to have a code texted to my phone by Google. This will work as long as I keep the number (even if I get the SIM replaced), but not so well if I’m overseas, especially if I switch to a local SIM or lose my phone…

    I’ll check out Authy. Thanks.

      Hey Chris, thanks for your comment.

      Yep, I’ve resisted SMS because, like you say, if you’re not in a place with decent coverage, or you’re travelling, you’re stuck again.

      Would love to hear what you think of the Authy app approach once you give it a go.
      Thanks again!

      SMS is a know vulnerability, you should never use this as an account recovery mechanism.

    Hi Paul

    Same here, have some other control panels that is using Google Authenticator, I have not implemented because of the same issue.
    Will give this a go and see how well it works. But you know if you are in an area with decent coverage for SMS while traveling, that means more than likely your data to the internet is going to be spotty as well.

    Thanks for the heads up on this.

      Hey Roy,

      Yep, it’s true about SMS, but with Google Authenticator, you don’t need data at all, so it’s useful to have GA and SMS as the fallback – assuming that the service supports it. Google itself certainly does.

      Hope it goes as well for you as it has done for us.
      Thanks for your comment!

    You could also print out the original 2FA signup bar code’s and keep those in a safe place. Then re-scan then if needed.

      Yep, that’s definitely true. This solves a certain use-case, but it doesn’t help with the problems:

      – many services don’t give out backup codes
      – your safe place is nowhere near you when a disaster strikes
      – paper can easily get lost or destroyed
      – scalability. If you have 100s of services with backup codes (assuming they provide them), you’ll need to be pretty awesome with your organisation skills for all your “safe” data). Furthermore, if you ever reset your 2FA, you’ll have to go back and “update” your safe backup codes.
      – how safe is “safe”? There is any possibility that your safe place is compromised and a) you don’t know about it until it’s too late; b) both your primary code source and safe place are destroyed at the same time.
      – you need a printer; you need paper/trees.

      Backup codes are definitely useful, but you have to run scenarios against your backups to determine if they’re the best fit for your needs. If it works for you, then perfect, you should use it! I’ll personally stick with Authy until it proves to be untenable, for any reason. 🙂

      Cheers!

    Can this be used to unlock your Google accounts/phone if you’ve already lost your phone? I lost my Pixel phone a month ago, and of course 2FA is activated on that phone and of course I try to log into my account and it wants the code that was sent to my lost phone. I have a new phone now with a new number. Thanks

      Yep, it could. If you don’t have a phone to use it on, grab a friends phone and put it on there to get your auth codes temporarily.

      Also, you said “it wants the code that was sent to my lost phone”… Google Authenticator codes aren’t “sent” to your phone. So perhaps we’re not talking about the same thing.

    Thanks for the post. Having recently been the “victim” of losing my Authenticator setting, I needed this.

    I installed Authy, but in trying to activate it, I see a message that says “Multi-device is disabled. To enable open Authy on your other device and go to Settings -> Devices.”

    I can’t figure out what the heck I’m supposed to do. Any ideas?

      To be honest, I’m not entirely sure. Perhaps the best bet here is to contact Authy directly…

      Go to the device you first setup Authy on. Turn on multidevice. Go back and now setup your second device.

    Hey Paul,

    I’m afraid of the answer but aren’t the codes backed-up by Android Google Backup?
    That service restore all the app/settings on a new phone, so I would expect it to have also the Authenticator data…

    Thanks!

      hmm… I don’t know if that’s covered. Worth checking it…

      Honestly, I wouldn’t be relying on that to have my back on this :/

    Ghadaffi Khalid

    Thanks a lot, Paul! It’s such a relief to know that there’s another Google Authenticator alike apps, which actually HAS a backup function.

    Been through a hard time recovering previous code loss and hopefully with this Authy, it will never happen again.

    Issue here is that using Authy means that if Authy servers get hacked then bye bye bitcoin, gmail…etc.

    Better to buy a crap Android throw away prepay phone just to have a secondary back up of Google Authenticator codes. When you turn on two factor use your main phone and prepay to scan the barcode at the same time.

    Then you have a live back up that you can password protect. Or… print the bar codes and lock then in a safe. I prefer a back up device personally. But no way I’m keeping those codes on Authy servers.

      Thanks for taking the time to comment here.

      Fortunately it’s not as simple as this. Not everyone can afford a 2nd Android phone, and/or this option may not be viable for many. Not only that, it represents an extra point of failure where this phone could get into the wrong hands or get hacked/corrupted – potentially far worse than a hack on Authy’s systems.

      Furthermore, if Authy servers do get hacked, it’s not bye-bye anything. These codes are just a 2nd factor to login – they don’t provide access to anyone’s accounts. Anyone finding these codes will not only need the code, but also the username/password for the account they want to gain access to. So it isn’t as big as disaster as you might think.

      Every solution as its own advantages and disadvantages… it’s up to each of us to find which works for us and our own systems and way of doing things. No one size fits all.

      Thanks again for commenting!

    I don’t think this is a good approach personally – the whole point of it being a 2nd factor (it being something only you have as well as something you know) is compromised by it being saved online somewhere that could be hacked. This is very likely why google doesn’t let you back this up.

    A better way would be to print out the secret keys apps give you when you sign up for 2FA and scan the ‘barcode’ and keep these only offline – then you can enter these keys instead of scanning a new code to recover your 2FA on a new device.

      Thanks for commenting Andy. There are many different approaches and some have advantages and disadvantages against others. If “cold storage” works best for you then this is absolutely the approach you should use, bearing in mind the disadvantages it has to other methods (just a this method outlined here has its own disadvantages too).
      Thanks!

    I have also found that people completely overlook this issue. An authenticator works very well in case a website or your password is otherwise hacked. It can happen, although the chances arent very big.

    But do you know what other kind of things also happen? Hardware failure, loss from theft, house fires, and so forward. It seems completely insane to me that someone would want to make a mobile and fragile device like their phone the single point of failure.

      You’re absolutely right… this is why a recovery strategy/plan is critical.
      Thanks!

    Excellent post! This is the simplest way to go about it when it comes to backing up our 2FA. I’m glad I had found this post. I’m now going about with using AUTHY at the sites with 2FA. Beginning with the least important ones first, to make sure everything works fine. For crypto exchanges, I’m making doubly sure I don’t bungle and accidentally lock myself out – will move the coins and token to my own wallets first. Despite the cost. Then do the 2FA thing with AUTHY.

    Thank you very much for your tips here.

      Great, glad it helped. And definitely, in the world of cryptocurrencies, having a solid security strategy is very important.
      Thanks!

    Hello,

    I’m choosing between the two 2FA options. It’s all pretty obvious with Authy…

    However, say I have GA for, say, 4 services (gmail, faceboook, etc). Say i had NOT printed out my secret key/code when enabled my 2FA GA’s. Say i want to back up existing GA’s now. Say i start with logging in to my gmail -> disabling my exisitng 2FA -> deleting my exisitng 2FA GA -> re-enabling new 2FA GA for gmail – > printiong out secret key/code for re-enabled 2FA GA for gmail.

    SO my question is – how do i delete my existing 2FA GA app when I have other three 2FA’s (for Facebook, Dropbox, Snapchat) installed within the same GA 2FA app on my phone? Once i delete 2FA GA app all 4 2FA’s will be gone, hence i will be able to back up my gmail only (see process i described above) and won’t be able to back up/go through the same process i described for gmail (log in to my gmail -> disable my exisitng 2FA -> delete my exisitng 2FA GA -> re-enable new 2FA GA for gmail – > print out secret key/code for re-enabled 2FA GA for gmail) for other services to back up 2FA?

    Does it make sense?

      Hi Phil,

      If I understand the question correctly… why can’t you just do for all your other apps, exactly what you did for Gmail?

      i.e. remove GA from Facebook. Re-enable 2FA for Facebook and use Authy to set it up. Then do this for every site you have on your GA app, until you’ve replicated all of them to Authy.

      Then your old codes on your GA app wont work. And you can remove it.

    Hi Paul,
    Thanks for your prompt reply.

    The question is whether I must or must not delete/uninstall GA 2FA app from my phone after these two steps: “remove GA from Facebook. Re-enable 2FA for Facebook “? Cause if I must delete/uninstall GA 2FA app from my phone it means (at least as I see it) that all my 2FA’s left re-enabled will be deleted (for Facebook, Dropbox, Snapchat).

    I’ll be fine in case I can do the following steps 1-4 w/o deleting/uninstalling GA 2FA app from my phone : Step 1. Gmail, remove GA from Gmail – > re-enable 2FA for Gmail; Step 2. FB remove GA from FB – > re-enable 2FA for FB; Step 3. DropBox remove GA from DropBox – > re-enable 2FA for DropBox; Step 4. Snapchat remove GA from Snapchat – > re-enable 2FA for Snapchat.

    Please confirm
    Thanks!

      Hi Phil,

      Don’t delete the GA from your phone until you’ve “transferred” all your 2FA accounts over to Authy. Each time you transfer an account, the old one on GA wont work anymore. But that’s okay to leave it there while you complete all your changes.

      Once you’re happy and you’ve tested all your changes and you can see you don’t need anymore GA accounts, you can delete the app. But only after you’ve confirmed all your changes to the new system.

      Hope that helps!

    LastPass also has an app called Authenticator.
    It allows you to back up your 2FA codes to your LastPass account, as well.

    I highly recommend it. Couple that with a 30+ character key phrase, and you should be good ?

    thanks you for the information

    I think that the Google should just do like every other blockchain is doing at the moment in crypto and give you a memonic phrase or word phrase that you can recover your authenticator with. Then back them up encrypting it with your memonic keywords. That way you can recover to any device and only keep your phrase safe.

    The best way is always to save or print the QR codes, then safely store them in a secure place. From a web browser, right-click on the QR code and Save Image. Give it a meaningful name, like my-gmail.png or my-gmail.jpg (depending on the file/image type). Also, save any backup codes that allow you access should you lose the QR code.
    From a security point of view, it makes no sense to trust a third party. Why give them access to your secret / personal QR codes that enable access to your personal accounts. Even if you trust a company with your QR authenticator codes (and you really can’t be sure how they store it and what they do with it), like someone mentioned, if their server is hacked or they get acquired by another company – your private information is in another’s hands.

Leave a Comment

Your email address will not be published. Required fields are marked *

Click to access the login or register cheese