Bitcoin Forum

Hello everyone,

I am trying to improve my online security by using 2 factor authentication through Google Authentication. I've set it up for MtGox and BTCT but I am concerned about what will happen if I lose my phone or it gets stolen. I will lose access to absolutely everything! Or I install  a ROM on top of the phone and lose all my data because I forget to backup.

What is a commonly accepted way of backing up one's Google Authenticator database? Ideally it would be a single file that I can load back into Google Authenticator or something that will be stored offline somewhere (putting it in cloud storage might not make sense in this case).

Thanks in advance.

Just create some backup codes and store them in a safe place, then if you lose your phone you can simply log in with backup code and turn off 2 factor. See here for instructions: http://support.google.com/accounts/bin/answer.py?hl=en&answer=1187538

Yes, but that is only for Google accounts. What about MtGox and BTCT and others?

Whenever you register for 2FA you get something called "secret key" or "shared secret" etc.

That is what you need to take a backup of.

Without your phone this secret key can be put into a variety of different apps/scripts etc. to generate the OTP just like your phone would have done it.

One example of such a simple authenticator would be this one: https://github.com/mclamp/JAuth

Thanks. So the QR code that I scan is the backup itself? Good to know. However you can't copy the MtGox one for some reason. I'll have to take a screenshot or something.

TBH I don't know what different websites put into their QR codes, probably depends on the website.

With MtGox what you need to make a backup of (copy/paste, screenshot etc.) is called "Secure Private Key".

If you use the authenticator I used as an example above, you can then generate the OTP with "java -jar JAuth.jar -secret=YOURSECUREPRIVATEKEY".

For other websites and/or authenticator apps it's basically the same procedure. So in essence you don't need a phone at all, if you don't want to use one.

The QR code contains the shared secret (which is what synchronizes the codes on your smartphone and the site's backend server.  Same shared secret + same time means both you and site generate the same code in sync.   The shared secret is simply a number.  The QR code also contains some less important information like "display name".

So if you have a backup of the QR code you use it to "setup" another smartphone

1) When you setup 2FA before you scan the QR code print it out.  
2) Instead of scanning the QR code on screen scan the printout (this verifies the printout was correct, no printing errors rending it unreadable).  
3) Complete the 2FA setup.
4) Now just label the printout.
5) Store the all your labeled google authenticator QR codes in a safe place (like fireproof safe or safety deposit box).

You can use titanium backup free to back up the data for the google authenticator android app to your sd card.  be careful with the backup though- it's best to store it somewhere else password protected vs. on your phone.

Will only work if his phone is rooted.

You can also not only backup the code, but as well as run google authenticator on your windows pc.

http://code.google.com/p/gauth4win/downloads/list

Hi, what if I've already completed point 3 before even thinking about doing 1/2? Thanks!

@glon Well depending on the site you may have options.
If the site still shows the authenticator code you can print it after the fact.
If the site allows you to change the authenticator code you could change it and in doing so completing the steps above.
If the site allows you to disable the authenticator code then do so and then enable it completing steps above.
If the sties doesn't allow you to change, disable, or show you the authenticator code you probably will need to request the admin remove authenticator from your account.

Won't this defeat the purpose to have 2FA in the first place?

Yes unless what he means is a dedicated offline machine used for nothing but generating the authentication codes.

You often aren't given the secret key to copy and paste so a common way is to screenshot that qrcode or take a photo. The thing is, you have to remember to do this on logon and you're punching an unencrypted backup through the system.

The whole thing is a disaster waiting to happen. It got me when my phone got stolen and it's caught many others out too. There should be an encrypted backup solution for Google Authenticator. It's just because it's intended for use with Google and usually gmail - there you have all the backup options - paper codes, phone, SMS.

Using Google Authenticator for third party things is fine but really I think gox and all these sites should tell people they should backup and print or backup and encrypt the qrcode.

Thank you for this valuable post. I have just reset all my authenticator settings and now have a nice stack of printouts to put away in a safe.

why is that? if you get hacked you are lost anyways (shouldn't run Windows at all).
2FA is to protect you against password hacks

And wouldn't you know it Google has just updated their Authenticator iphone app and all my tokens are gone after the update. WTF????????????????????????????

Anyone else?

only afected I-Phone...there is a topic here (with recover manual) search it

Yes I said it's an iphone app issue. Care to make yourself useful and post a link to the topic "with recover manual"?

Print the QR code and store it in a safe place. Before activating 2-fa check that the QR you printed can be scanned by GA.

google is your friend:

https://bitcointalk.org/index.php?topic=287459.msg3077955#msg3077955

No they're not. :D

Titanium Backup on Android, OpenBackup (or other) on iOS.

only if you're rooted

Use this program https://code.google.com/p/winauth/ Then make sure after you add all your secrets to it, then back up the winauth.xml file which houses our your secrets from %appdata%\winauth
Also has password/encrypted option and allows you to tie to the PC in question if so desired.

As others have said backup the secrets or QR code and you can also use another phone or tablet to house your info in Google Authenticator or Authy < which you can set to backup your data. Authy also allows you to set a pin # for the program, GA doesn't but you can download a 3rd party app to do the same.

This is the best simple solution to keep a backup. You can also take a photo and store your photos on Evernote or similar cloud service.

I wouldn't recommend Evernote or a similar cloud service - you would be trusting your very valuable backup to the servers of a third party (in this case Evernote), and thus you have to assume that at some point somebody could hack their servers and access the information you stored on them.

If storing the backup on the cloud is a "must", then I would definitely recommend to use strong encryption to protect the backup before uploading it. The attack vector that lead to one of the biggest thefts in BTC's history (allinvain's 25k BTC theft (https://bitcointalk.org/index.php?topic=16457.0)) was very probably an unencrypted wallet.dat stored on dropbox.

Hey Folks,

i was in the following situation. Had mt.gox changed to 2f authentication and didn't backed up my secret. Now i got me a new phone and have moved all the other stuff with no problem. My old phone is a nexus 4 which is rooted and my new phone is a samsung galaxy s5. I don't want to root my s5 atm so titanium is a no go. Helium backup does no backup for google authenticator. mt.gox is not usable atm moment and might not be in the next time. So here is what i did:

• adb shell to my nexus with a terminal
• enter "su"
• allow root from phone
• "cd /data/user/0/com.google.android.apps.authenticator2/databases"
• "sqlite3 databases"
• "select * from accounts;"

And there it was. There should be a line like this:
1|MtGox-USER-TOTP#553617|BLAHBLAHBLAH|0|0|0||MtGox-USER-TOTP#553617

On the new phone just enter "BLAHBLAHBLAH" in the GA App instead of scanning a QR code. Done!

I hope this will help someone

Greetings, lateman.

Google authenticator isn't tied to your google account... it's an open API that anyone can use (which is why the PAM module even exists)

Thanks! I lost my iPhone someday ago, now I can continue my work. thanks ;)

this one is very helpful for me,, thanks you  ;)

This is a very useful information. Thanks for sharing.