With today’s modern world where we should all be using password managers and authentication apps to further enhance our online security presence, it’s easy to fall into the trap of not being able to recover Google Authenticator if your device is lost or stolen.
Whilst this sounds like a “it won’t happen to me”, never say never. Mobile devices are highly sought after in today’s world, and given that virtually everything we do online is from a mobile phone or tablet, it’s easy to become complacent. Sure, it’s available immediately if you need it, but what if you lose it ?
What could happen ?
Well, for one, you’ll be without your device meaning that if you rely on that same peripheral to access a password manager, or generate TOTP based 6 digit codes, you’re going to be in something of a “hole” to say the least. You can get access to most password managers via an online vault, but if that account you need to access was secured with 2FA or push authentication, and you no longer have the associated device, then you’re in for quite a rough ride without a means of recovery.
This is where (for example, but not limited to) Google Authenticator will make you immediately fall on your sword if you don’t have copies of the backup codes, or the secure password seed used to create the pairing in the first place. Be honest - do you keep a record of backup codes ? I’m guessing you don’t
It’s not actually possible to quickly and easily backup Google Authenticator, or the codes generated by it. It’s a simple process to transfer to another phone, but ONLY if you have the old device. If your phone or tablet is lost or stolen, and you have no means of proving who you are, then you are, for want of a better phrase, royally screwed.
DON’T rely on Google Authenticator. Yes, it’s free. Yes, it’s simple, but if you lose your device, then you’ll quickly find out just how much of an inconvenience this is. I switched away from Google Authenticator years ago in favor of AUTHY (now known as Twillo). Not only can you have multiple devices, but there is a recovery mechanism whereby you can get access to your data on another device by simply going through the recovery process. The one caveat here is that the recovery requests need to be manually reviewed and approved.
I went through this same exercise around 4 years ago when my phone literally froze up, then died. I sent the phone back to the manufacturer who informed me that the device was completely dead (it was an LG - never again) and that they would be shipping a replacement. Great, but what about the 2FA codes etc ? As it’s an Android device, I simply pulled all of the settings back from my Google Account. However, getting the codes back into AUTHY meant I needed to go through the recovery steps.
These are pretty simple, but you need to be able to answer security questions in order to proceed. Another great addition in AUTHY is that you are periodically requested to enter the backup passcode so that backups of all your accounts can easily be taken
A bit more information around that can be found here
This article is from the same bunch who developed the Shield Security plugin for WordPress, and they provide the same stark warning as I do here
Transferring out of Google Authenticator is a simple process, but requires re-enrolling your device via AUTHY (or another product) in each application or account you have secured.
BitWarden and others have the ability to incorporate 2FA generation and security in their password manager apps for mobile devices. The huge benefit here is that this is replicated into the online vault, meaning the codes are also generated there, and you can still access your accounts without your phone. More info about that here
Don’t get caught out by sticking with Google Authenticator