How do I back up Google Authenticator?
I'm starting to use Google Authenticator for more and more things now, but I've just realized that if I lose my phone, or if I need to wipe and restore it to install new firmware, I will lose all of my codes.
Is there any way to back them up, please? Or some kind of fallback that means I can restore it to a new device?
I don't understand... A code is to be used only once, they aren't stored anywhere on your phone, if you need to enter a code on a site, you have to use a new code, even if you already put one on this site some time ago.
Thank you, but as I understand it, if I lose my phone now, I won't even be able to log in to the site, let alone set up a new Google Authenticator code.
If you need a code to log in while your phone is lost, you can use one of the backup methods (SMS, call, printed codes...). It is highly recommended to set up at least one of these alternative methods to overcome this kind of situation :)
I've always wanted to fork Google Authenticator to add this feature. I'm hoping somebody will do it before I have the time.
@Shywim Google Authenticator is not just for Google accounts. There are many other services that do not have backup codes and SMS etc.
This kind of half-assed security thinking is why every company in the United States has been broken into in the past five years. For every security measure, there is someone who wants to break those measures to make them "easier to use." Those authenticator codes are designed to be hard to copy. If you lose your phone, you lose your codes, and you of course go to your backup authentication scheme that you've carefully put into place to regenerate those codes.
The following method will only work on rooted Android devices.
```
adb pull /data/data/com.google.android.apps.authenticator2/databases/databases /AFolderOnPC
adb pull /data/data/com.google.android.apps.authenticator2/databases/databases C:\AFolderOnPC
```
Note that the folder on the PC has to already exist.
This will copy the authenticator database file with the main keys, from which the one-time passwords are generated, to the PC. The file can then be restored to the same location on an Android device, or read with an SQLite database viewer to extract the keys.
When copying to a new device, make sure the `databases` folder and `databases` file both have 755 permissions. I tried 700, and GA kept crashing. Kind of concerning that it requires full permissions. Maybe that's NSA's requirement.
You need to `adb root` before you do this, or you will get `remote object '/data/data/com.google.android.apps.authenticator2/databases' does not exist`
Note that if you have SELinux enabled, even with the correct permission bits the Authenticator app can crash. To fix this, run `restorecon -F /data/data/com.google.android.apps.authenticator2/databases/databases` after you put back the database file. (source)
Rooting your device makes it *less secure*. If you're using 2FA then presumably you want more security. For the risks: https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Dangers_of_Jailbreaking_and_Rooting_Mobile_Devices#Technical_Controls
You don't need to back up the Google Authenticator app/data, as you can create a list of 'Backup codes' which you can use to log in without requiring an authentication code, on the same page where you configure 2-step authentication.
Why print or download backup codes?
Backup codes are especially useful for people who travel, have problems receiving SMS or voice calls, or cannot use the Google Authenticator mobile app.
Recommendation: You should print or download backup codes
Store these in a safe place (or print them out) and if you lose your phone you can use one of these codes to log into your account and set up a new device with the Authenticator app.
Whilst this applies to Google's 2-step authentication, any other sites you have configured to use the Google Authenticator app should offer a similar option, or another way to receive codes (e.g. Facebook supports Google Authenticator, their own app and SMS as methods to receive codes).
Many thanks, so effectively I could create my own backups then, by saving a copy of the QR code used to set up Google Authenticator for each site too?
I don't know... I expect that they are time/use limited so wouldn't work more than once or after a period of time.
Oh I see, thank you - I've just checked the sites that I've used Google Authenticator for and none of them have a backup option, so it seems like (unfortunately) my best option is to actually disable it and use stronger passwords, I guess.
For the sites that don't offer it then I'd say that your only option is to use a strong unique password without 2-step authentication. Out of interest, what sites don't offer a backup option? Dropbox, Facebook, LastPass, WordPress all do (those are the other sites I use 2-step authentication with).
Thanks, unfortunately the sites I'm using probably aren't very popular with 2-step auth and as such don't support it very well, mostly Bitcoin sites and the like.
@Nick: Saving the QR code that Google or other sites provide and adding them back into Authenticator on another device **does** work. I have done this a few times myself. However, you should make sure that the time is correct and up to date constantly on both devices (if you intend to keep using both of them), otherwise authentication might fail.
Thanks so much Andris, I've just confirmed with one site owner that I use auth on that this works, so will go through and re-configure everything, and ensure I have a paper printout of the QR codes etc :)
The two-factor authentication "one-time" password is generated with two things: the current time, and a secret shared between the server and the app during the initialization. In your case, the secret is the QR code. As long as another instance of the authenticator app shares the same secret and the same time (the same 30s frame), both apps will generate *the same* passwords.
You need to back up your Google Authenticator app because not all websites offer alternative sign-in methods.
You might still want to back it up when you are going to reset your phone, so you don't have to spend an hour going to every site you use authenticator for, entering a backup code and resetting the authenticator setup.
This is only true for Google's 2-step authentication. Google authenticator works with many other sites, and some don't have a way to create a list of backup codes. Some use SMS, some give you a single one-time-use backup code, and some don't have any backup option at all. Even when every site has a backup option, having to restore all of the many keys when getting a new phone is a huge hassle.
Doesn't work if you're only using Authenticator for non-Google websites. The first thing Google wants you to do when you hit the page you linked is set up 2FA on your Google account. From what I can tell, it doesn't let you manage squat until you've done that. Move along to one of the other answers (e.g. Titanium or manually extracting from the SQLite database).
I had the exact same problem.
It turns out that the original tokens (usually represented to the user as QR codes) are stored in an SQLite database inside the /data/data/com.google.android.apps.authenticator2/databases folder and can be extracted from the device.
I automated and explained the recovery process here: https://github.com/dchapkine/extract-google-authenticator-credentials
This project extracts the original tokens, then generates a web page with QR codes you can rescan on a new device.
Feel free to contribute.
This just saved me logging into all of my 2FA accounts and switching the phone manually. Many thanks!
This is exactly what I was looking for. A quick and easy way to re-scan all of the QR codes.
Thanks for this but my device is not rooted. Do I understand correctly that I have a "Catch 22" situation on my hand where rooting my device will wipe it clean?
@dchapkine For devices with no root method available, is there any other method to access the .db? Like with SetEdit with elevated permissions via ADB? Or (assuming the allow_backup flag is enabled through manifest), any way to take an ADB backup and decompress manually (no data encryption configured)? I'm on an SM-N950UZKATMB stock, Android 9
@Arctiic you need to be root to access an app's data folder, I am not aware of any other method.
@dchapkine AFAIK, when an app's manifest grants the `allow_backup` flag, ADB is able to access root directories to backup files from, e.g., `\data\data\com.package.example\...` via the `backup` function, even when the user doesn't have root access. Personally, I've successfully taken backups of a game data file before to decompress and restore onto an emulator, so I'm wondering if it can be applied in a similar manner in this case.
Titanium Backup (link to Google Play store) will back up any Android app, including Google Authenticator. However, you must root your phone for this to be a viable option.
I would also recommend printing the Google backup codes too. This isn't quite backing up the Google Authenticator app, but they would allow you to reset the authenticator if necessary. This would only help for regaining access to your Google account though.
Backing up the app with Titanium Backup is the most complete option, in my opinion. It's saved me on a number of occasions.
Had to settle for this because I couldn't adb pull the databases directory, couldn't copy to /sdcard and take it - chmod 777 did nothing.
Worth mentioning, in order not to re-root the new phone: after the backup, click on the `backup/restore` tab -> choose the `Authenticator` app -> slide right to the `special features` tab -> choose `Explore` -> choose `accounts` under `[DATABASE]`. Then you'll get all the accounts in your app in a .csv file. Use the `secret` column to restore the accounts to the new phone.
The easiest way to handle this is to take a screenshot of the QR code whenever you set up a new Authenticator for a site and save it in an encrypted location.
If you need to reinstall or add the Authenticator for that site to another phone, simply add the account in Authenticator by scanning the QR code in the screenshot just as if you were setting up a new site.
Before you negativoids say this won't work, yes it does, and you CAN have the same Authenticator on multiple devices.
I would like to explain why this works, both the website and your device will share a simple string of characters, "the code", set in the QR code, and they will endlessly use it to create new 6 digit codes from, based on the current date and time. Therefore, you only need to have this code to generate new codes. The website has no way of checking who or what created the 6 digit code, it only needs to be correct.
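The mechanism this answer and the earlier comment on the shared secret describe, written out as an added example (my own code, not the thread's and not Google's app): the QR code is just an otpauth:// URI whose `secret` parameter is a base32 key, and RFC 6238 turns that key plus the current 30-second time step into the 6-digit code, so two app instances enrolled from the same saved QR code agree. The issuer, account label and the test key (the RFC 4226/6238 Appendix test key) are constructed for the example.

```python
"""Added example, not code from the thread or from Google Authenticator:
how a saved QR code restores an authenticator. The QR code encodes an
otpauth:// URI whose 'secret' parameter is a base32 key; RFC 6238 derives
the 6-digit code from that key and the current 30-second time step, so any
device holding the key and an accurate clock produces the same code."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, urlencode, urlparse

STEP_SECONDS = 30   # Google Authenticator's fixed period
DIGITS = 6          # Google Authenticator's fixed code length

# Base32 of the 20-byte ASCII key "12345678901234567890" used in the
# RFC 4226 / RFC 6238 test vectors; a sample key, not a real account secret.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret as copied by hand: tolerate spaces, lower case
    and missing '=' padding, which the otpauth URI format omits."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic
    truncation (RFC 4226 section 5.3) to a zero-padded 6-digit code."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def otpauth_uri(issuer: str, account: str, secret_b32: str) -> str:
    """Build the otpauth:// URI that an enrolment QR code encodes (Key Uri
    Format); this is exactly what a screenshot of the QR code preserves."""
    params = {"secret": secret_b32, "issuer": issuer,
              "algorithm": "SHA1", "digits": DIGITS, "period": STEP_SECONDS}
    return f"otpauth://totp/{quote(f'{issuer}:{account}')}?{urlencode(params)}"


def secret_from_uri(uri: str) -> str:
    """Pull the shared secret back out of a saved QR code's URI: the one value
    the app stores and the only thing a restore on a new phone needs."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    return parse_qs(parsed.query)["secret"][0]


def same_code_on_both_devices(uri: str, unix_time: int) -> bool:
    """Two app instances enrolled from the same QR code agree on the code for
    any instant inside the same 30-second window, so the old phone and the
    restored one can both stay in use."""
    secret = secret_from_uri(uri)
    last_second_of_window = unix_time - unix_time % STEP_SECONDS + STEP_SECONDS - 1
    return totp(secret, unix_time) == totp(secret, last_second_of_window)


def codes_for_clock_skew(secret_b32: str, unix_time: int, skew_seconds: int) -> tuple:
    """The failure mode the comment on clock accuracy warns about: a device
    whose clock has drifted into a different window generates a different code."""
    return totp(secret_b32, unix_time), totp(secret_b32, unix_time + skew_seconds)


if __name__ == "__main__":
    uri = otpauth_uri("Example", "alice@example.com", RFC_TEST_SECRET)
    now = int(time.time())
    print(uri)
    print("code now:", totp(secret_from_uri(uri), now))
    print("phone and restored copy agree:", same_code_on_both_devices(uri, now))
    print("60 s clock skew:", codes_for_clock_skew(RFC_TEST_SECRET, now, 60))
```

The website never learns which device produced a code; it only recomputes the same HMAC from its own copy of the secret and accepts a match, which is why a restored secret works and why the saved QR image must be treated as the password-equivalent it is.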
Try Authenticator Plus, it supports backup/restore functionality with sync across devices; if you have a phone/tablet, this app syncs all accounts between them flawlessly, it even supports Android Wear.
It has logo support too.
Authy looks awesome! Much better than google's, **except it's not opensource**. I can live with it.
Doesn't this sound like a bad idea? The whole point of the Time-based One-time pad protocol (TOTP aka rfc6238, which is what authy/google authenticator, et al implement) is that you and only you have the ability to generate the codes. If you let some 3rd party store those codes, they become a huge target for attacks, never mind having to trust everybody that works for this service and how they've implemented it.
You can save the QR codes when you set up or renew your 2FA. You can save the QR by making a screenshot, or by using the context menu 'save image as', but this is not always available. (Make sure to give the images a corresponding name with the account and back them up in a secure location.) For restoration, just rescan the QR codes in Google Authenticator.
As a preface this is an approach for configuring MFA ahead of time so that it is always backed up, not recovering or backing up existing codes.
I just went through this process after my Nexus 6P stopped connecting to data and I had to set up all my MFA again on a Pixel. I realized that if I lost my phone or did the factory data reset I'd have been totally borked.
The simplest solution I came up with is to ignore the QR code based setup and just use the token based setup itself (it's the "manual" option in most authenticator apps). Every service I've used so far allows you to opt for the token-based setup rather than QR.
Rather than going through the trouble of taking screenshots of the QR codes, labeling them appropriately and then GPG encrypting them and securely storing them somewhere, I just store the tokens in an encrypted vault and set up my MFA manually.
I verified that you can set up clones of the authenticator using the same key on independent devices running simultaneously. Thus, so long as you securely control the tokens, you can configure MFA on any device.
I'm satisfied with this result as I didn't have to do anything more than reconfigure MFA (I had to do this anyway in my circumstances) and simply add all the tokens to LastPass. Now I'm covered in the case of phone loss and can configure other devices if need be.
There is a lot of advice for rooted phones. But it isn't recommended to root your device if you don't want to make it vulnerable. Two-factor authentication provides an additional layer of protection, and by rooting you bring it to naught, since different viruses could get access to protected memory areas.
Only a small number of services offer backup codes (particularly Google). For these services, you should save backup codes.
The best solution is to save the QR codes (or the secret keys) at the moment of token enrollment and keep them in some safe place. Then, if you lose your phone, you can restore the tokens in Google Authenticator on your new device.
Also, you can use hardware tokens. They can be in the form of a key fob or a credit card. Have a look at this article on the blog of Protectimus (the company where I work) to get more information on how to back up Google Authenticator: How to Backup Google Authenticator or Transfer It to a New Phone.
* Disclosure: I work for the website linked above.
On a rooted phone you can use the "Amaze" file manager (https://play.google.com/store/apps/details?id=com.amaze.filemanager&hl=en). Go to the root /data/data/com.google.android.apps.authenticator2/database directory. Open the database file as a database. Select `accounts`. You will have 3 columns: `_id`, `email`, and `secret`. Copy the `secret` value. When you need to restore, just add a new entry, select "Enter a provided key", give it a name and paste in the value.
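Doing the same thing for every row at once, as an added example (my own code, not the thread's and not the linked extract-google-authenticator-credentials project): open the pulled database, read the `_id`, `email` and `secret` columns of the `accounts` table named in this answer, and emit one otpauth:// URI per row that a new phone can scan or whose secret can be pasted into "Enter a provided key". The database here is constructed in memory from sample rows so the script runs offline; the table schema beyond those three columns, the assumption that every entry is TOTP, and the `Issuer:account` label convention are mine, not stated on the page.

```python
"""Added example, not code from the thread or from the linked
extract-google-authenticator-credentials project: read the 'accounts'
table of a pulled Google Authenticator database (the _id, email and secret
columns the answer above names) and emit one otpauth:// URI per row, which
can be rendered as a QR code or typed in via "Enter a provided key" on the
new phone. The database is built in memory from constructed rows so the
example runs offline; a real pull would open the 'databases' file instead."""
import base64
import sqlite3
from urllib.parse import quote, urlencode

# Constructed rows: column names follow the answer above; secrets are the
# RFC 4226/6238 test key and a common documentation key, not real accounts.
# The third row has a corrupt secret to show how bad rows are reported.
SAMPLE_ROWS = [
    (1, "alice@example.com", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"),
    (2, "Example:bob", "jbswy3dpehpk3pxp"),
    (3, "corrupt-entry", "NOT*BASE32"),
]


def build_sample_db() -> sqlite3.Connection:
    """Stand-in for sqlite3.connect('databases') on a pulled copy (assumed schema:
    only the three columns the answer names)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (_id INTEGER PRIMARY KEY, email TEXT, secret TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con


def normalise_secret(secret: str) -> str:
    """Upper-case, strip spaces and re-pad so the value decodes as base32;
    raise ValueError for anything that is not a usable key."""
    s = (secret or "").strip().replace(" ", "").upper()
    if not s:
        raise ValueError("empty secret")
    base64.b32decode(s + "=" * (-len(s) % 8))  # binascii.Error (a ValueError) if invalid
    return s


def export_accounts(con: sqlite3.Connection):
    """Return (uris, skipped): an otpauth URI for every decodable row, and the
    labels of rows whose secret did not decode. All entries are assumed to be
    TOTP, the kind the thread discusses."""
    uris, skipped = [], []
    for _id, email, secret in con.execute("SELECT _id, email, secret FROM accounts ORDER BY _id"):
        try:
            key = normalise_secret(secret)
        except ValueError:
            skipped.append(email)
            continue
        params = {"secret": key}
        issuer, sep, _account = email.partition(":")
        if sep:  # label already carries an 'Issuer:account' prefix; echo it as the issuer parameter
            params["issuer"] = issuer
        uris.append(f"otpauth://totp/{quote(email)}?{urlencode(params)}")
    return uris, skipped


if __name__ == "__main__":
    exported, bad = export_accounts(build_sample_db())
    for line in exported:
        print(line)  # every line is a secret: keep this output encrypted, as the thread advises
    if bad:
        print("could not decode:", ", ".join(bad))
```

Rows with an undecodable secret are reported rather than silently dropped, so a partially corrupt pull does not turn into a restore that is missing accounts without anyone noticing.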