24

I'm slightly confused about obtaining Google Authenticator backup codes.

I can find my Google Account backup codes at: https://myaccount.google.com/signinoptions/two-step-verification

But I have no idea if those are the ones I should use to restore Google Authenticator and recover all attached accounts in case I lose my phone.

Thank you

P.S. Feel free to suggest other services with better/enhanced security and an easier (but secure nonetheless) backup procedure.

a.s.t.r.o
  • For reference, here is Google's documentation about the backup codes: https://support.google.com/accounts/answer/1187538?hl=en – Highly Irregular Sep 27 '17 at 21:52
  • When locked out of your account due to a new or lost phone, use the backup code _in place_ of the Authenticator code on the website itself. This was not obvious. I thought the backup codes restored the keys like a Bitcoin wallet. Or that there was a separate page to enter the backup code and get the key and QR code to scan. Notice that you can not ever get the keys back, either from the web site or the old phone. You can only ever add a new device with a new QR code. (Unless you hack the old phone to extract the keys.) – Chloe Apr 12 '19 at 17:14

3 Answers

19

You need backup codes for "an account", not for Authenticator itself.

Authenticator has one entry for each 2FA-enabled account of yours, without needing an account for its own use. So the concept of backup codes for GA doesn't apply.

If, for example, you have an account (say GMail) that you've protected with GA-based 2FA, then you could generate backup codes for GMail from the GMail Account Management / Security menus. Since the backup codes need to be recognized by GMail, they are generated in GMail, not in GA.

Same logic applies for any other account that you need backup codes for.

Edit: To backup all the accounts you have on GA, you need to backup the "App-specific secret" (usually a long hex string; or a QR Code that has the string) for each account/app. AFAIK, GA doesn't use online storage to backup your GA-enabled accounts.

Sas3
  • OK so let's say I have an Amazon account protected by 2FA over GA. What happens if I lose my phone? Will I be able to recover my Amazon access? (I have backup codes to my Google Account) – a.s.t.r.o Aug 16 '17 at 07:50
  • @AdnanDoric You would need to speak to Amazon about it - they will have some process for "I've lost my 2FA device". From a quick search, that process involves speaking to customer services, convincing them that you are the account holder, then they disable the requirement for 2FA to log in temporarily. Each service may have a distinct recovery method. – Matthew Aug 16 '17 at 08:43
  • I don't know about AWS, but most other accounts that I use it for have a "secret key" that you need to scan into (or type into) the Authenticator app. You can scan that into any number of devices (even if you don't lose one) and use it for 2FA. – Sas3 Aug 16 '17 at 09:59
  • OK thank you friends, I decided that Google Authenticator's lack of integrated backup was too much to handle for me. I needed a fully integrated, set-and-forget solution for 2FA and found LastPass Authenticator which has cloud backup (I already use the LastPass service so it was a no-brainer for me) – a.s.t.r.o Aug 16 '17 at 21:27
  • Basically if you lose the QR Code (aka Secret Key) that is used to set up 2FA then you are screwed... unless the service provider (Amazon, to stay with the example given) unlocks the account by disabling 2FA for you. Personally I am not comfortable with relying on them, so I back up my QR Codes securely when I am setting up 2FA - I save the codes to an encrypted external hard drive that I keep in a safe. – SamAndrew81 Apr 17 '19 at 15:31
7

I agree with you that the "philosophy" behind Google Authenticator's "only one device" is profoundly broken, because in as much as it tries to avoid "copying" the keys, it exposes you to the risk of a broken device. Electronic devices can fail. You need a backup. Happily, Google Authenticator's keys can be extracted: http://eduncan911.com/technology/hardware/google-authenticator-databases-move-copy-fix.html

entrop-x
  • I assume this is not possible for iPhone...?? – SamAndrew81 Apr 17 '19 at 15:32
  • Frankly, that is a hack. A site *should* give you recovery codes, and you can also back up the TOTP resp. HOTP secret as text the moment you sign up (they are usually provided as text, at least on demand, and even if not, it's just a standard QR code containing a URI). IOW, you should try not to get into a situation where you need this tool. – Arne Vogel Sep 17 '19 at 14:05
1

So I found out lots of people lost their GA ID and can't open their accounts. I found out the easy way to crack it down.

First you need to download DB BROWSER FOR SQLITE, and if you had reset Android, you need to have backed up the Android data files to your computer (which you must do before resetting).

Go to the FILE MANAGER\ANDROID\DATA\com.google.android.apps.authenticator2\DATABASE\DATABASE file in your backed-up files (from before resetting).

If you had installed a custom ROM then you can get the file by going into file manager\twrp\data\com.google.android.authenticator2\database\database, copy that file and save it somewhere else or on the desktop. Now open that downloaded software, DB BROWSER FOR SQLITE.

Open that database file using the software, go to Database Structure, select the ID file, then go to Browse Data in the right-side tab; voila, you get your ID and even the backup code (16 digits).

Rory Alsop
Arun