Where to find Google Authenticator backup codes?

  • I'm slightly confused about obtaining Google Authenticator backup codes.

    I can find my Google Account backup codes at: https://myaccount.google.com/signinoptions/two-step-verification

    But I have no idea whether those are the ones I should use to restore Google Authenticator and recover all attached accounts in case I lose my phone.

    Thank you

    P.S. Feel free to suggest other services with better/enhanced security and easier (but secure nonetheless) backup procedure.

    For reference, here is Google's documentation about the backup codes: https://support.google.com/accounts/answer/1187538?hl=en

    When locked out of your account due to a new or lost phone, use the backup code _in place_ of the Authenticator code on the website itself. This was not obvious. I thought the backup codes restored the keys like a Bitcoin wallet, or that there was a separate page to enter the backup code and get the key and QR code to scan. Notice that you cannot ever get the keys back, either from the website or the old phone. You can only ever add a new device with a new QR code. (Unless you hack the old phone to extract the keys.)

  • Sas3 (Correct answer, 3 years ago)

    You need backup codes for "an account", not for Authenticator itself.

    Authenticator has one entry for each of your 2FA-enabled accounts, without needing an account of its own. So the concept of backup codes for GA doesn't apply.

    If, for example, you have an account (say Gmail) that you've protected with GA-based 2FA, then you could generate backup codes for Gmail from the Gmail Account Management / Security menus. Since the backup codes need to be recognized by Gmail, they are generated in Gmail, not in GA.

    Same logic applies for any other account that you need backup codes for.

    Edit: To backup all the accounts you have on GA, you need to backup the "App-specific secret" (usually a long hex string; or a QR Code that has the string) for each account/app. AFAIK, GA doesn't use online storage to backup your GA-enabled accounts.

    OK, so let's say I have an Amazon account protected by 2FA over GA. What happens if I lose my phone? Will I be able to recover my Amazon access? (I have backup codes for my Google Account.)

    @AdnanDoric You would need to speak to Amazon about it; they will have some process for "I've lost my 2FA device". From a quick search, that process involves speaking to customer services, convincing them that you are the account holder, and then they temporarily disable the requirement for 2FA to log in. Each service may have a distinct recovery method.

    I don't know about AWS, but most other accounts that I use it for have a "secret key" that you need to scan into (or type into) the Authenticator app. You can scan that into any number of devices (even if you don't lose one) and use them for 2FA.

    OK, thank you friends. I decided that Google Authenticator's lack of integrated backup was too much to handle for me. I needed a fully integrated, set-and-forget solution for 2FA and found LastPass Authenticator, which has cloud backup (I already use the LastPass service, so it was a no-brainer for me).

    Basically, if you lose the QR code (aka the secret key) that is used to set up 2FA, then you are screwed... unless the service provider (Amazon, to stay with the example given) unlocks the account by disabling 2FA for you. Personally I am not comfortable with relying on them, so I back up my QR codes securely when I am setting up 2FA: I save the codes to an encrypted external hard drive that I keep in a safe.
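The split the answer describes (the TOTP secret lives on the device and can be copied to any number of devices, while backup codes are issued and checked by each service) can be shown in a few lines. This is an added example, not code from the thread or from Google Authenticator; the `Service` class, the secret `JBSWY3DPEHPK3PXP` and the backup codes are constructed sample values.

```python
import base64, hashlib, hmac, struct

def totp(secret_b32: str, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", t // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Service:
    """Server side of one 2FA-protected account (hypothetical provider)."""
    def __init__(self, secret_b32: str, backup_codes, step: int = 30):
        self.secret, self.step = secret_b32, step
        # Keep only hashes of the single-use backup codes, not the codes themselves.
        self.backup_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in backup_codes}

    def verify(self, code: str, now: int) -> bool:
        # A TOTP from any device holding the shared secret (+/-1 step for clock drift) ...
        for skew in (-1, 0, 1):
            if hmac.compare_digest(totp(self.secret, now + self.step * skew), code):
                return True
        # ... or a backup code issued by this service, consumed on first use.
        h = hashlib.sha256(code.encode()).hexdigest()
        if h in self.backup_hashes:
            self.backup_hashes.discard(h)
            return True
        return False

def demo(now: int = 1_700_000_000) -> dict:
    # Constructed sample values, not real credentials.
    secret = "JBSWY3DPEHPK3PXP"                # the QR-code payload worth backing up
    backup_codes = ["1234 5678", "8765 4321"]  # issued by the service, not by the app
    svc = Service(secret, backup_codes)
    old_phone = totp(secret, now)              # original device
    new_phone = totp(secret, now)              # second device restored from the saved secret
    return {
        "same_secret_same_code": old_phone == new_phone,
        "totp_accepted": svc.verify(new_phone, now),
        "backup_first_use_accepted": svc.verify("1234 5678", now),
        "backup_reuse_rejected": not svc.verify("1234 5678", now),
    }

if __name__ == "__main__":
    print(demo())
```

Every entry in `demo()` comes back `True`: a restored secret reproduces the old phone's codes exactly, while a backup code is accepted once and then rejected.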

License under CC-BY-SA with attribution

Content dated before 6/26/2020 9:53 AM