How to Backup Google Authenticator or Transfer It to a New Phone
Courtesy of Protectimus.com
Our regular readers know that we strongly recommend applying two-step verification wherever it’s possible. In the contemporary world, where database leaks are a standing affair, two-step authentication is not an option; it is, in fact, a must. If you use two-factor verification, an intruder would need to get both the unique password you came up with and the gadget that produces the verification codes to break into your account. Thus, two-factor authentication protects against brute force, keyloggers, and most cases of phishing and social engineering. It also complicates man-in-the-middle and man-in-the-browser attacks.
So why is two-factor verification still unpopular? Sure, it creates an extra step to take to log in, but most users omit it not because of this extra time and effort, but because they are afraid of losing access to their accounts if something goes wrong with their authentication devices.
“As the world is increasingly interconnected, everyone shares the responsibility of securing cyberspace.”
– Newton Lee, Counterterrorism and Cybersecurity: Total Information Awareness
Of all the available options for generating or delivering one-time passwords (SMS, emails, hardware and software tokens), most people choose Google Authenticator or similar applications like Authy, Protectimus Smart etc. The operating principle is pretty much the same for all software OTP tokens: they generate authentication codes for logging into your account right on your smartphone.
It’s very convenient to use the smartphone for two-factor verification, but there are always these nagging questions: What do you do if you lose the smartphone which generates your one-time passwords? What occurs if you switch smartphones, do you lose the entire account? How do you transfer Google Authenticator to a new phone? In this article, we will answer these nagging questions and help you protect your invaluable personal data.
3 ways to backup Google Authenticator
1. Backup codes
Google, as well as some of the other websites where you can protect your user account with two-step authentication, provides backup codes. These are one-use codes that allow you to log in to your account if you lose access to your OTP token. After you use a backup code once, it’s gone for good. Most people print out these Google Authenticator backup codes and keep them at hand.
It is imperative to understand that Google Authenticator is a multi-token, thus you can enroll many tokens for various websites using one app. Some of these websites provide backup codes, and a user can gain access to these websites if his/her smartphone is lost. But what do you do with the websites which do not support backup codes?
Another point against Google Authenticator backup codes is that they are only as secure as a password written down on paper. An intruder who is physically nearby can easily copy them and use them to gain access to your account. Granted, the intruder will have to be among your peers and know the user password, but you know… things happen.
Other things that you might want to keep in mind when it comes to printed out backup codes:
- You do not have them at hand at all times
- You can lose the paper or destroy it by mistake
- Only a few services provide them
Google Authenticator backup codes have their perks, but you have to be ready for the drawbacks as well.
2. Saving screenshots of the secret keys
This is by far the easiest way to never lose access to your account. When you first set up your Google Authenticator, simply take a screenshot of the barcode with the secret key. Keep the screenshot very secure, though: if someone in your vicinity finds it, they can access your data. Keep in mind that even if someone does steal your secret key, they will still need to know your user password, so make sure it’s not a simple combination to guess.
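Why the screenshot deserves the same care as the phone itself: the barcode encodes an otpauth:// key URI, and the secret inside it is all that is needed to compute the codes (RFC 6238, HMAC-SHA1, 30-second steps, 6 digits by default). The sketch below is an added example, not code from the original article; the sample URI, account name and function names are constructed for illustration, and the secret is the public RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

def parse_otpauth(uri):
    """Split an otpauth://totp/... key URI (the barcode's content) into fields."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP key URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("key URI carries no secret")
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"],
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").lower(),
    }

def totp(secret_b32, at, digits=6, period=30, algorithm="sha1"):
    """Return the RFC 6238 code valid at Unix time `at`."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # restore stripped padding
    counter = struct.pack(">Q", int(at) // period)   # 8-byte big-endian time step
    mac = hmac.new(key, counter, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def code_from_backup(uri, at=None):
    """Compute the code a saved key URI yields, to check that a backup works."""
    f = parse_otpauth(uri)
    at = time.time() if at is None else at
    return totp(f["secret"], at, f["digits"], f["period"], f["algorithm"])

# Constructed sample: RFC 6238 test key, hypothetical account label.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com?secret="
              + SAMPLE_SECRET + "&issuer=Example")

if __name__ == "__main__":
    print(code_from_backup(SAMPLE_URI, at=59))
```

Running `code_from_backup` on the text decoded from your own saved barcode and comparing the result with the code on your phone confirms the backup is usable; it also shows why the image should live in encrypted storage rather than in a photo gallery or cloud sync folder.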
3. Programmable hardware token
Created as a more secure alternative to the authentication apps, Protectimus Slim NFC hardware tokens can be used with Google, Facebook, GitHub, Dropbox etc. These tokens are easily programmed with an application for Android with NFC support.
The token looks like a credit card and can be carried with you effortlessly. So you’ll have an alternative source of one-time passwords at all times, for example, if your smartphone battery is out of charge, you’ve reset the phone, or you’ve deleted the token accidentally.
The hardware token is far more secure than a backup code on paper or a screenshot of the key – extracting the secret key from the token is absolutely impossible. Protectimus Slim NFC allows for unlimited reprogramming, so every time you change a token on a service you can simply reprogram it and stay protected.
The main drawback here is that one token allows for one secret key only.
How to transfer Google Authenticator to a new phone
1. Move Authenticator to a different phone
NOTE: You will transfer only the Google token this way.
With Google, it is pretty straightforward to transfer the authenticator and all the secret keys within it to another smartphone. All you’ve got to do is go to the two-step verification page, click the “Get started” button, enter your password to verify it’s you, and click the “Change phone” button. Then either scan the QR or barcode, or put in the secret key on the other gadget manually. That’s it.
This works only with the Google account; the other accounts where you use Google Authenticator for two-step authentication might not support this option. So you might want to try the next two options instead.
2. Disable & Re-enable Two-Factor Authentication
Disabling two-step verification is pretty easy if you still have your old smartphone. You are usually required to enter the OTP from the currently used token to disable two-factor authentication on any account. To disable 2FA for a while, just click the “Turn Off 2-Step Verification”, “Delete the token”, “Disable 2-step verification” or similar button, depending on the service you use. You’ll find it on the two-step verification page in security settings.
Then add the authenticator application to your new gadget and follow the usual steps to set up Google Authenticator on the new phone.
3. Manually Extract Your Credentials [Root Only]
Note: There are many ways to manually transfer Google Authenticator if you have an Android smartphone with root access. We do not recommend using them, though. Getting root access can significantly damage the security of your apps and make the device prone to viruses and errors.
This is a more time- and effort-consuming way to transfer the Google Authenticator keys to another smartphone. It requires you to have root access to the smartphones.
To extract the secret keys manually, you need to give adb root access. This is easily done with an app like [root] adbd Insecure if you’ve got a stock ROM. If you happen to have a custom ROM, adb might already have the necessary root access, so no additional apps are needed.
Set adb to insecure mode with the application or directly, connect the smartphone to your PC or laptop, and copy the Google Authenticator database to the computer.
This is the command:
adb pull /data/data/com.google.android.apps.authenticator2/databases/databases
After the file is copied, you can open it in an SQLite editor and see the keys using this query:
select * from accounts;
Now you have your secret keys and can add them to your new device.
Two-factor authentication is a reliable and reasonable way to shield your invaluable personal data. Whether you use a hardware token or apps like Google Authenticator or Protectimus Smart, you now know how to stay safe even if you change devices or lose your smartphone.
We showed you easy ways like Google backup codes and making screenshots of the secret keys. And we showed you a more secure option, the Protectimus Slim NFC hardware token.
You also know now how to extract the Google Authenticator data manually, transfer Google Authenticator to another phone and even shut off the two-factor verification if you happen to need to.
So now you do not have any excuses not to protect your info better. All that is left to do is come up with proper user passwords which are not the name of your cat!
Read the original article over at Protectimus.com.