Google Authenticator: Don't Lose Your Phone...

raindog308 Administrator, Veteran

Apparently if you replace your phone, you'll lose all your Google Authenticator configs for all sites except Google, requiring you to potentially dig out dozens of backup codes. Google has known about this for 8+ months.

Google used to support moving authenticators from phone to phone, but apparently no longer does, so if you lose your phone, you lose all your authenticator configs.

https://productforums.google.com/forum/#!topic/gmail/7-1D5Nn7C8Y

Thanks, Google.

Thanked by 1vimalware

Comments

  • WSS Member

    Thanks, ants.

    Yep, this is pretty well known. Thankfully there are many other options, like Authy, and other 2FA systems that aren't quite so dire.. however, how much would YOU trust them?

    I've got GA tied to both my phone, my SIM, and about 6 reset codes so I can always just load it on another Android.. everything else, welp..

  • MikeA Member, Patron Provider

    I always save backup codes to an external drive.

  • Yeah it's why I use Authenticator Plus which allows syncing of GA site/configs across multiple Android devices, so have same sync'd info across 3x tablets + 3x phones https://play.google.com/store/apps/details?id=com.mufri.authenticatorplus&hl=en :)

  • raindog308 Administrator, Veteran

    MikeA said: I always save backup codes to an external drive.

    Sure, I have mine...just not looking forward to resetting up a couple dozen sites, going through their "use a backup code" method, etc.

    Just unbelievably lame by Google.

  • If you've rooted your phone, you can back up and restore Google Authenticator's database, e.g., with Titanium Backup. Or use any of a number of other TOTP apps; I prefer open-source over Authy, but there are many. The basic TOTP protocol is pretty simple to implement.

  • Take a picture of the QR code.

  • raindog308 Administrator, Veteran

    chedenaz said: Take a picture of the QR code.

    ...and you get only a link back to google. That's the point. You don't get back any other sites you've added.

  • KuJoe Member, Host Rep

    Time to set up an Android VM just for Authenticator so you can keep it in the cloud. :D

    Thanked by 1raindog308
  • mailcheap Member, Host Rep

    Always save the key to the password manager so it can be added later to GA.

    If the phone has root access: Open file explorer in System root > 'data' folder > 'data' folder (inside the other data folder) > Copy the folder named com.google.android.apps.authenticator2 > Exit System root folder > Open normal Main storage / SD storage space and paste the folder here so it can be accessed via USB mount/PC.

    View the keys in a FOSS SQLite editor (SQLite Database Browser Portable) and add it to GA app.

    Pavin.

  • raindog308 Administrator, Veteran

    mailcheap said: Always save the key to the password manager so it can be added later to GA.

    Do you mean save the QR code?

    The backup key yes, I get that...but that is a huge hassle for many sites, as each site is different, you have to log in, go to your profile, etc.

  • mailcheap Member, Host Rep
    edited January 2017

    @raindog308 said:

    mailcheap said: Always save the key to the password manager so it can be added later to GA.

    Do you mean save the QR code?

    The backup key yes, I get that...but that is a huge hassle for many sites, as each site is different, you have to log in, go to your profile, etc.

    Most sites show the key as well alongside the QR code for backup; if not, you have to look through the db.

    EDIT: If there's no key alongside the QR code, just open the barcode app and scan it to get the key.

  • I'm using both 1Password and Authy for this purpose.

    1Password as backup, while Authy for Apple Watch when I'm on the move.

  • Moved to Authy more than a year ago and never looked back at Google Authenticator.

    Now even LastPass has added 2FA with its Authenticator app, but I am not comfortable having password and 2FA in same place. It kind of defeats the purpose.

  • @raindog308
    The key everyone is referring to is not a recovery key, it's an alternate form of the QR Code that allows you to add new websites to Authenticator.

  • Once bitten twice shy :-)

    After I got into trouble post my first Android migration, I became "smart" (i.e. less reliant on all these fancy tools abstractions) and started to also maintain my own TOTP "passwords" separately.

    As @mailcheap said, all is not lost if you have a rooted phone (heck, if you're anyway going to migrate to a different phone, might as well root the existing one and get what you need).

    Grab the sqlite DB (which is of course unencrypted - talk about security) file that contains all the initializing tokens for TOTP and either use a vanilla tool to generate the OTP directly (tada - no more phone dependencies!) or else also import it (via hand or use a tool to generate a QR code from the token and "scan" the QR code) into your new phone's preferred OTP generator (Google's or Authy or whatever).

    But this time (and moving forwards) preferably keep the raw token (i.e. the "initializing token") somewhere safe (including inside your existing password manager - which ... I ... assume ... you ... are ... using ...).

    Now all is NOT lost if you lose your phone and sometimes it is much handier to be able to directly generate and paste the token into whatever browser window you want by directly generating your OTP on your system.

  • AnthonySmith Member, Patron Provider

    raindog308 said: Just unbelievably lame by Google.

    It's these sorts of things that make me want to get everyone involved in the decisions that lead to this point in 1 room and interrogate them to find out how specifically the decision was reached and what made them feel it was acceptable.

    Sadly the answer is usually the same: no one had to be accountable so they just did a bad job while being badly managed.

  • Tamerciaga Member, Host Rep

    1Password has the ability to set up 2FA and sync them. Otherwise use Authy.

  • I swapped phones last October, don't remember this being a drama...

  • I got into this trouble a long time ago. Lost my mobile and I can't access all accounts which enabled 2FA. It was quite a hard time for me to recover access :((

    Then I move to Authy, it just works! Never look back :)

  • Titanium Backup and then encrypt the folder.

  • Authenticator Plus has a backup feature, it automagically syncs with GDrive/iCloud.

    PS: I hate Authy cuz it costs $$$ to implement, plus you can't transfer the keys out (without hassle).

  • I am so glad I switched to Authy. They have a feature called "multi-device" so I can have my accounts on both my iPad, iPhone and Mac.
