Question What happens if you use Google Authenticator for 3rd party services and lose your phone?

[Red Squirrel]

I use google authenticator for 2 factor auth for a couple things, but what happens if I lose my phone or it dies or otherwise lose the entries in the app? I can't seem to find much on Google about this, because all I get is results to recover a google account that uses 2 factor auth, and that's a different thing. I assume the authenticator app must have some kind of key that I just need to backup or something, and then I would put that on the new device.

There's also not much settings/config available in the app itself.

 

[Carfax83]

I've sorta had this happen to me, but I didn't lose my phone. I got a new phone, but forgot to disable the authenticator and I had already shipped it off. What I ended up doing was having to log into Google and disable the authenticator service for my Google account, and then for any app that used it (for example Uplay), I had to log into that account and disable it as well. Then once I removed the authenticator protections from my previous device, I simply reenabled them on my current one. A bit of a headache really, if you lose your phone or buy a new one.

 

[Red Squirrel]

But how did you log in to the Uplay account without the code? If there's a way to bypass it doesn't it defeat the whole purpose?

For example right now I use google authenticator for my ethereum trading account, but if something happens to my phone I won't be able to login to it.

Is there a way to setup authenticator on more than one device, like a computer? I would feel much better if I could also set it up on a normal computer running a normal OS like Linux, then I can just make sure I have good backups of the config or whatever is involved (guessing a key) for the authenticator to work.

 

[ChronoReverse]

I migrated all my 2fa to Authy for this reason

 

[Red Squirrel]

Hmm yeah that one looks better. I only have a couple services on google authenticator, I'll have to check if they support Authy as well and switch them over.

 

[Carfax83]

But how did you log in to the Uplay account without the code? If there's a way to bypass it doesn't it defeat the whole purpose?

It was with recovery codes

Is there a way to setup authenticator on more than one device, like a computer? I would feel much better if I could also set it up on a normal computer running a normal OS like Linux, then I can just make sure I have good backups of the config or whatever is involved (guessing a key) for the authenticator to work.

To my knowledge, no there isn't. The Authenticator app is tied to Android or iOS, so it's mobile only. But after signing into my Google account, it seems there is an option for backup codes like what Uplay uses. So maybe you could try that?

 

[Red Squirrel]

Oh wait so the google recovery codes would work for the 3rd party services as well? They arn't clear on that, they make it sound like it's only to login to the google account itself.

Like say I lose my phone, and go to login to my ethereum trading account which uses google authenticator, when it asks for the google authenticator code, I would use the recovery one?

Also how do I migrate the google authenticator data to a new device?

I'm working on moving more things to 2 factor auth but I just don't want to put myself in a stuck situation where I'm screwed if something happens to my phone or I want to upgrade it.

 

[Red Squirrel]

Just tested and it looks like those codes are only for the google account itself.

There's got to be a way to have some kind of backup of the google authenticator tokens. I want to be prepared and not end up losing all my crypto if I lose my phone or my phone dies or whatever.

Is there a way to virtualize a phone? I would love to be able to run a fake android phone off my own home network so I can run authenticator off that. At least that way it will be included in the routine backups etc and be in a safe spot.

And again to clarify I'm not worried about being able to login to the actual google account, but rather 3rd party accounts that use google authenticator. Ex: bitcoin exchanges.

 

[rumpleforeskin]

I screenshot the QR codes when setting up 2FA for this reason. I store the screenshots in an encrypted RAR file on a USB stick in my safe at home.

Then I can setup the codes again if I need to

 

[Red Squirrel]

Where do you get this QR code?

Ex: say I lose my phone right now, and I need to login to QuadrigaCX which used Google auth, what do I do? (let's pretend QuadrigaCX was still working, just using it as an example)

 

[rumpleforeskin]

Where do you get this QR code?

Ex: say I lose my phone right now, and I need to login to QuadrigaCX which used Google auth, what do I do? (let's pretend QuadrigaCX was still working, just using it as an example)

Depends on the website, for example, LastPass has an option to show the QR code for 2FA under the security settings.

Other sites/apps you may need to generate a new QR code to get it shown as they have no option to see the QR code after its initial generation

 

[Red Squirrel]

Oh so it's site specific? I was thinking maybe Google had something. Like is there not some kind of file on the phone I can backup or something? Like say I got a new phone, how do I make the 2FA work on the new one?

 

[Aikouka]

I usually just add the 2FA code to both Google Authenticator and 1Password. You could also just create the 2FA with the secret code instead of the QR code (the QR code is just the secret code and name information), and save said secret code somewhere safe.

 

[Red Squirrel]

Where do you get this code? The one you get on Google's site is only to login to Google I think. Once I can get that sorted out then I'll probably just print it and put it somewhere physical within the house or something. I just need to figure out how I would login to 3rd party services like crypto exchanges that use google auth, should I lose my phone. right now I don't have much stuff using 2FA as I'm reluctant to do it until I can sort this out and have a contingency plan.

It's too bad there's not an easy way to just run the phone OS with the authenticator app in some kind of VM then I can just backup the whole VM.

 

[thilanliyan]

Where do you get this QR code?

Ex: say I lose my phone right now, and I need to login to QuadrigaCX which used Google auth, what do I do? (let's pretend QuadrigaCX was still working, just using it as an example)

I think you can screenshot (and store in some form...electronic, paper, etc) the QR code to be used in the authenticator app, and then you just rescan the QR code on the new phone.

Also, DO NOT TRUST YOUR CRYPTO AT EXCHANGES!!! Keep them in a hardware wallet such as a Ledger Nano S.

 

[Red Squirrel]

Ok but where do I get this QR code, and in the event that I lose my phone, how do I use it to gain back access to the account?

And yeah I don't store anything in crypto exchanges but I still want to make sure that I'm not locked out if I lose my phone.

Is there a way I can just backup the data off the phone that generates the codes? Like is it some kind of file somewhere on the phone?

 

[thilanliyan]

The QR code is given when you make the 2FA account on each website you are using it for.

If you save the QR code somehow, you can rescan it on a new phone and have access to that account again. I don't know about any other backup method.

 

[Red Squirrel]

Oh so it's a per site thing? I guess I will have to pay more attention to that next time I create an account with 2FA.

 

[thilanliyan]

Oh so it's a per site thing? I guess I will have to pay more attention to that next time I create an account with 2FA.

Yes, it's per site. I think every site I have set up with 2FA have shown the QR code on initial signup.