How to backup Google Authenticator?

[nii236]

Hello everyone,

I am trying to improve my online security by using 2 factor authentication through Google Authentication. I've set it up for MtGox and BTCT but I am concerned about what will happen if I lose my phone or it gets stolen. I will lose access to absolutely everything! Or I install  a ROM on top of the phone and lose all my data because I forget to backup.

What is a commonly accepted way of backing up one's Google Authenticator database? Ideally it would be a single file that I can load back into Google Authenticator or something that will be stored offline somewhere (putting it in cloud storage might not make sense in this case).

Thanks in advance.

[Endgame]

Just create some backup codes and store them in a safe place, then if you lose your phone you can simply log in with backup code and turn off 2 factor. See here for instructions: http://support.google.com/accounts/bin/answer.py?hl=en&answer=1187538

[nii236]

Yes, but that is only for Google accounts. What about MtGox and BTCT and others?

[Jasmin68k]

Whenever you register for 2FA you get something called "secret key" or "shared secret" etc.

That is what you need to take a backup of.

Without your phone this secret key can be put into a variety of different apps/scripts etc. to generate the OTP just like your phone would have done it.

One example of such a simple authenticator would be this one: https://github.com/mclamp/JAuth

[nii236]

Thanks. So the QR code that I scan is the backup itself? Good to know. However you can't copy the MtGox one for some reason. I'll have to take a screenshot or something.

[Jasmin68k]

TBH I don't know what different websites put into their QR codes, probably depends on the website.

With MtGox what you need to make a backup of (copy/paste, screenshot etc.) is called "Secure Private Key".

If you use the authenticator I used as an example above, you can then generate the OTP with "java -jar JAuth.jar -secret=YOURSECUREPRIVATEKEY".

For other websites and/or authenticator apps it's basically the same procedure. So in essence you don't need a phone at all, if you don't want to use one.

[DeathAndTaxes]

The QR code contains the shared secret (which is what synchronizes the codes on your smartphone and the site's backend server.  Same shared secret + same time means both you and site generate the same code in sync.   The shared secret is simply a number.  The QR code also contains some less important information like "display name".

So if you have a backup of the QR code you use it to "setup" another smartphone

1) When you setup 2FA before you scan the QR code print it out.  
2) Instead of scanning the QR code on screen scan the printout (this verifies the printout was correct, no printing errors rending it unreadable).  
3) Complete the 2FA setup.
4) Now just label the printout.
5) Store the all your labeled google authenticator QR codes in a safe place (like fireproof safe or safety deposit box).

[trigeek]

Hello everyone,

I am trying to improve my online security by using 2 factor authentication through Google Authentication. I've set it up for MtGox and BTCT but I am concerned about what will happen if I lose my phone or it gets stolen. I will lose access to absolutely everything! Or I install  a ROM on top of the phone and lose all my data because I forget to backup.

What is a commonly accepted way of backing up one's Google Authenticator database? Ideally it would be a single file that I can load back into Google Authenticator or something that will be stored offline somewhere (putting it in cloud storage might not make sense in this case).

Thanks in advance.

You can use titanium backup free to back up the data for the google authenticator android app to your sd card.  be careful with the backup though- it's best to store it somewhere else password protected vs. on your phone.

[Lohoris]

You can use titanium backup free to back up the data for the google authenticator android app to your sd card.  be careful with the backup though- it's best to store it somewhere else password protected vs. on your phone.

Will only work if his phone is rooted.

[pekv2]

You can also not only backup the code, but as well as run google authenticator on your windows pc.

http://code.google.com/p/gauth4win/downloads/list

[glon]

The QR code contains the shared secret (which is what synchronizes the codes on your smartphone and the site's backend server.  Same shared secret + same time means both you and site generate the same code in sync.   The shared secret is simply a number.  The QR code also contains some less important information like "display name".

So if you have a backup of the QR code you use it to "setup" another smartphone

1) When you setup 2FA before you scan the QR code print it out.  
2) Instead of scanning the QR code on screen scan the printout (this verifies the printout was correct, no printing errors rending it unreadable).  
3) Complete the 2FA setup.
4) Now just label the printout.
5) Store the all your labeled google authenticator QR codes in a safe place (like fireproof safe or safety deposit box).

Hi, what if I've already completed point 3 before even thinking about doing 1/2? Thanks!

[DeathAndTaxes]

@glon Well depending on the site you may have options.
If the site still shows the authenticator code you can print it after the fact.
If the site allows you to change the authenticator code you could change it and in doing so completing the steps above.
If the site allows you to disable the authenticator code then do so and then enable it completing steps above.
If the sties doesn't allow you to change, disable, or show you the authenticator code you probably will need to request the admin remove authenticator from your account.

[01BTC10]

You can also not only backup the code, but as well as run google authenticator on your windows pc.

http://code.google.com/p/gauth4win/downloads/list

Won't this defeat the purpose to have 2FA in the first place?

[DeathAndTaxes]

You can also not only backup the code, but as well as run google authenticator on your windows pc.

http://code.google.com/p/gauth4win/downloads/list

Won't this defeat the purpose to have 2FA in the first place?

Yes unless what he means is a dedicated offline machine used for nothing but generating the authentication codes.

[jago25_98]

You often aren't given the secret key to copy and paste so a common way is to screenshot that qrcode or take a photo. The thing is, you have to remember to do this on logon and you're punching an unencrypted backup through the system.

The whole thing is a disaster waiting to happen. It got me when my phone got stolen and it's caught many others out too. There should be an encrypted backup solution for Google Authenticator. It's just because it's intended for use with Google and usually gmail - there you have all the backup options - paper codes, phone, SMS.

Using Google Authenticator for third party things is fine but really I think gox and all these sites should tell people they should backup and print or backup and encrypt the qrcode.

[gambitv]

Thank you for this valuable post. I have just reset all my authenticator settings and now have a nice stack of printouts to put away in a safe.

[capoeira]

You can also not only backup the code, but as well as run google authenticator on your windows pc.

http://code.google.com/p/gauth4win/downloads/list

Won't this defeat the purpose to have 2FA in the first place?

Yes unless what he means is a dedicated offline machine used for nothing but generating the authentication codes.

why is that? if you get hacked you are lost anyways (shouldn't run Windows at all).
2FA is to protect you against password hacks

[glon]

You often aren't given the secret key to copy and paste so a common way is to screenshot that qrcode or take a photo. The thing is, you have to remember to do this on logon and you're punching an unencrypted backup through the system.

The whole thing is a disaster waiting to happen. It got me when my phone got stolen and it's caught many others out too. There should be an encrypted backup solution for Google Authenticator. It's just because it's intended for use with Google and usually gmail - there you have all the backup options - paper codes, phone, SMS.

Using Google Authenticator for third party things is fine but really I think gox and all these sites should tell people they should backup and print or backup and encrypt the qrcode.

And wouldn't you know it Google has just updated their Authenticator iphone app and all my tokens are gone after the update. WTF?

Anyone else?

[capoeira]

You often aren't given the secret key to copy and paste so a common way is to screenshot that qrcode or take a photo. The thing is, you have to remember to do this on logon and you're punching an unencrypted backup through the system.

The whole thing is a disaster waiting to happen. It got me when my phone got stolen and it's caught many others out too. There should be an encrypted backup solution for Google Authenticator. It's just because it's intended for use with Google and usually gmail - there you have all the backup options - paper codes, phone, SMS.

Using Google Authenticator for third party things is fine but really I think gox and all these sites should tell people they should backup and print or backup and encrypt the qrcode.

And wouldn't you know it Google has just updated their Authenticator iphone app and all my tokens are gone after the update. WTF?

Anyone else?

only afected I-Phone...there is a topic here (with recover manual) search it

[glon]

You often aren't given the secret key to copy and paste so a common way is to screenshot that qrcode or take a photo. The thing is, you have to remember to do this on logon and you're punching an unencrypted backup through the system.

The whole thing is a disaster waiting to happen. It got me when my phone got stolen and it's caught many others out too. There should be an encrypted backup solution for Google Authenticator. It's just because it's intended for use with Google and usually gmail - there you have all the backup options - paper codes, phone, SMS.

Using Google Authenticator for third party things is fine but really I think gox and all these sites should tell people they should backup and print or backup and encrypt the qrcode.

And wouldn't you know it Google has just updated their Authenticator iphone app and all my tokens are gone after the update. WTF?

Anyone else?

only afected I-Phone...there is a topic here (with recover manual) search it

Yes I said it's an iphone app issue. Care to make yourself useful and post a link to the topic "with recover manual"?