Coinbase Google Authenticator Backup Key Question?

[jerry0]

So I changed my coinbase account two factor authorization to google authenticator and use it on my iphone.


I had to scan the QR code on coinbase site to the google authenticator app on my iphone and it scanned.  But where is the backup key that I need to write down if something happens to my phone?  Could I install google authenticator on two devices at the same time?  Even if I could do that, I want a way to restore my coinbase for google authenticator.


How do I do this?  I thought there was a long key you need to write down on paper as your backup?  So if anything happens to your phone, you could just enter that long key to restore it... that isn't how it works with google authenticator?  Do you need to write down a backup key for this particular google authenticator on this phone that would restore all accounts?  Or would I need to write down a backup key for each specific site like coinbase?  If so, where is this?

[hosseinimr93]

I had to scan the QR code on coinbase site to the google authenticator app on my iphone and it scanned.  But where is the backup key that I need to write down if something happens to my phone?  

The best thing you can do is to keep the secret key coinbase gives you in a safe place. It will help you to recover the 2FA at any time.

You can also use the "Exports accounts" feature as a backup.
To do so, click on "3-dots: button at top right of the window. Select "Transfer accounts" and then "Export accounts".
Select any account you want to backup and tap on "Next".
After that, you will see QR code allowing you to import your account into another device in future.
Just note that, due to security reason, your phone won't allow you to take a screenshot. Take a photo from the QR code using a camera and keep it in a safe place.

Could I install google authenticator on two devices at the same time?  

Yes.

[jerry0]

Wait.  You can only take a picture of the QR code as a backup?  There isn't like a long key you need to write down like 68fdsalkjfksajf99sfda977098ambibasd to restore it?


And you cannot take a photo of it with your phone.  You need to use another device to take photo of the QR code?  So if your other device is an old phone and it has malware, then you compromise yourself then?  How is that exactly safe?


So basically anyone that has your QR code has access to your coinbase account?  But they still need your email and password for coinbase right?  


https://help.coinbase.com/en/coinbase/managing-my-account/get-back-into-my-account/restoring-2-factor-authentication-from-a-secret-seed



Isn't there a secret seed one could write down as mentioned in article above?  Or is that meant for coinbase wallet accounts and not coinbase accounts?

[Charles-Tim]

All you answers can still be gotten from this your topic: Best 2 Factor Authorization for Coinbase and Gemini

But where is the backup key that I need to write down if something happens to my phone?

I am not a Coinbase user, but the 16 character code should be along the QR code that was provided on Coinbase, that is the backup. You can also backup the QR code.

Could I install google authenticator on two devices at the same time? 

Even you can install google authenticator on many device and all would work appropriately but installing it on two or more devices will not be appropriate and reduce your safety, for security and safety reasons, best to just have the authentication app on a single device which should not be the device you used for your Coinbase account.

Even if I could do that, I want a way to restore my coinbase for google authenticator.

hosseinimr93 has provided enough information needed about that, you can follow what he posted above.

How do I do this?  I thought there was a long key you need to write down on paper as your backup?  So if anything happens to your phone, you could just enter that long key to restore it... that isn't how it works with google authenticator? 

I will advice you not to use Google authenticator because it is close source, but you can use the QR code export to backup as many as possible character codes which can be imported into another authentication app.

But if you need the 16 character code which can be used for recovery, you can import the google authenticator QR code on Aegis.

I will recommend you to use Aegis, it is open source and working perfectly.

The QR code is only recommended for exporting on another device which you can also be able to do it on Aegis. For backup, on Aegis, at the upper right corner -> click on the three dots -> settings -> scroll down and click on 'export'. The files can be exported to a particular file location of your choice on your device which you can backup offline and delete from the file location. It can be in .json which will be advisable to be encrypted. It can also be in .json or .txt in unencrypted format.

So far you just want to get the 16 character code, you can use the unencrypted, back it up offline and delete the text file on your device.

Or go to the exchange or wallet to change the authentication so it can generate new one for you that you can backup offline. You should be able to see the QR code and the 16 character code together.

[hosseinimr93]

Wait.  You can only take a picture of the QR code as a backup?  

Yes.
Note that if you want to have a backup, as I already said, the best thing you can do is to keep the secret key Coinbase gives you in a safe place.
The "Export accounts" feature on Google Authenticator has a different purpose. But if you don't have access to your secret key anymore, I think that's the only thing you can do to have a backup.

There isn't like a long key you need to write down like 68fdsalkjfksajf99sfda977098ambibasd to restore it?

As far as I know, No.

And you cannot take a photo of it with your phone.  You need to use another device to take photo of the QR code?  So if your other device is an old phone and it has malware, then you compromise yourself then?  How is that exactly safe?

Yes, it can be compromised if that device is not safe.

Edit:
I just remembered you asked exactly the same question last year and I answered you in that thread too.
May I ask you why you don't read the replies instead of asking the same questions again and again?

[JeromeTash]

I am not a Coinbase user, but the 16 character code should be along the QR code that was provided on Coinbase, that is the backup. You can also backup the QR code.

For some reason, coinbase does not provide the 16 character code. All you see if the QR code that you need to scan. At least that what I saw when I was activating 2FA via my Device's browser

OP you could also try taking a screenshot of the QR code page via computer. I managed to do that on my Linux. But be warning taking screenshots of such codes is a very bad security practice

[jerry0]

There is no character code in my coinbase account for me to write down.  If there was, then I would do this as I prefer it this way.


Coinbase seem to only allow me to use google authenticator or Duo and those are the only two options.  I cannot use Aegis because I use IOS.


So what are my options now?  I do not want to take a picture of QR code as the backup because if I do that with my other old iphone, if it has malware, then isn't my QR code at risk as the other person mentioned?  Taking a picture just does not seem safe to me if the device you are taking it with might be compromised now or compromised later on.  My old iphone is a backup iphone I have.  I use my primary iphone to install authy and google authenticator.  Now if coinbase allowed authy, i would do that but they don't support it.


Could I install another two factor authenticator for coinbase and if so, which one?


Also I would prefer the backup to be a code I write down.  With Authy, I created an authenticator backup passphrase which is my password in case something happens to my device.  What other IOS programs allow this with coinbase?

[Charles-Tim]

@jerry0, so far JeromeTash said it can not be seen, let me explain two ways you can get it.

On Google 2FA, click on the three dots at the top right corner -> click on transfer accounts -> export accounts -> uncheck the ones you do not want to import (only check Coinbase if it is the only one you want to export and get its secret code) -> click next.

On Aegis, click on the + (plus) icon in red and click on 'scan QR code.

Scan the QR code from Google 2FA app on Aegis. After, try any of these two:

First
As mentioned above

For backup, on Aegis, at the upper right corner -> click on the three dots -> settings -> scroll down and click on 'export'. The files can be exported to a file location on your device which you can backup offline and delete from the file location. It can be in .json which will be advisable to be encrypted. It can also be in .json or .txt in unencrypted format.

You can use the unencrypted .txt, you can use an app that open text files to open it, you will see the file there. Check the 16 secret code there. Backup the code offline and delete the .txt file.

Second method
On Aegis, long press on the codes that are changing every 30 seconds, click on the QR code icon seen at the upper right most side, use a scanner to scan the code. You will be able to see the 16 secret code.

Note: the code is 16 character for you to be able to easily identify it. Use a recommended scanner which is open source, the reason I will prefer the first method which do not need any app rather than text file.

[jerry0]

I open google authenticator on my iphone.  I click on the three dots, it shows


Edit
Export Accounts
Settings



There is no transfer accounts.  You mean click on Export Accounts?


Aegis is not supported by IOS...


You said


Even you can install google authenticator on many device and all would work appropriately but installing it on two or more devices will not be appropriate and reduce your safety, for security and safety reasons, best to just have the authentication app on a single device which should not be the device you used for your Coinbase account.



I am confused with this.  So you want me to have google authenticator installed only on one device.  Okay.  But I should not have the authenticator app on the device that is used for my coinbase account?  Did you make a mistake with this statement?  I cannot imagine someone who use coinbase and use google authenticator for it... and the google authenticator app they use is on another phone of theirs and not their primary phone?

[moderator's note: consecutive posts merged]

[BitMaxz]

I am confused with this.  So you want me to have google authenticator installed only on one device.  Okay.  But I should not have the authenticator app on the device that is used for my coinbase account?  Did you make a mistake with this statement?  I cannot imagine someone who use coinbase and use google authenticator for it... and the google authenticator app they use is on another phone of theirs and not their primary phone?

It's for safety purposes but if you know how to protect your device from any threats why not have both your Coinbase and Google authenticator installed on the same device.
There is no problem having them both on the same device make sure you are only using the phone for this activity, not for other activities like browsing to an unknown website or infected website.

Mine I use Google authenticator on my PC and the Coinbase app is installed on my phone it helps to lessen the risk if any of these devices are under attack they can't control both devices and hack your account. 

[jerry0]

Well most people will be using coinbase on their pc.  Yes you could use coinbase on the iphone but that isn't comfortable.


It would make sense to have google authenticator on your primary phone that you use.


So you do not use coinbase on the pc?  


Is there a way for take a photo of the QR code on my primary phone right now or not?  


Could I find the QR code on coinbase.com on the computer?


Can you still use authy for coinbase or not?  I am reading mixed reviews on this.  What about Tofu?


So you are saying if i set it up again and instead use the authy app or Tofu app to scan the QR code instead of google authenticator, this would work?


How can I use authy with coinbase?


Do I scan the QR code with the authy app as oppose to google authenticator app and that would work?



So as of now, I need to uninstall google authenticator as my two factor authentication and then scan a new QR code but this time scan with Authy?  So that means authy will display a 6 digit code each time when trying to log in coinbase?  Authy is 7 numbers isn't it so how would that work with coinbase?  Who here still uses authy with coinbase?

[OmegaStarScream]

-snip-

I can't comment on Tofu since I never used it but yes, you should be able to use Authy. It works the same way as the Google Authenticator app, you either scan the QR code given to you by Coinbase or manually add an account using a code. The former is obviously a better and more convenient solution.

The code gets generated every a few seconds (whether you're connected to the internet or not) and not when you try to log in, and no, it's not 7 digits, it's actually 6. It should work just fine.

[jrrsparkles]

Can you still use authy for coinbase or not?  I am reading mixed reviews on this.  What about Tofu?


So you are saying if i set it up again and instead use the authy app or Tofu app to scan the QR code instead of google authenticator, this would work?


How can I use authy with coinbase?


Do I scan the QR code with the authy app as oppose to google authenticator app and that would work?



So as of now, I need to uninstall google authenticator as my two factor authentication and then scan a new QR code but this time scan with Authy?  So that means authy will display a 6 digit code each time when trying to log in coinbase?  Authy is 7 numbers isn't it so how would that work with coinbase?  Who here still uses authy with coinbase?

Authy is available for IOS and it is comparatively provides better security while comparing with Google Authenticator because of features like saving your passwords on cloud so even if you lose the device your can retrieve it back but it is not possible with Google Authenticator if I am not wrong.

Authy encrypts the data and enable security pin to login to the app so extra bit of layer as security.

[Charles-Tim]

When I was new on this forum, o_e_l_e_o mentioned some open source authenticators for Android and iOS, but I am an Android user to test Aergis and andOTP which were open source and excellent, this gives me confidence that Tofu will be a good 2FA app as it also always post even excellently unique posts on this forum.

Most of these are not open source and do not allow proper encrypted back ups. Google Authenticator in particular is awful from the regard. FreeOTP is no longer in development. Here are the apps you should be using:
Android - Aegis or AndOTP
iOS - Tofu or Authenticator

I will recommend Tofu or Authenticator as mentioned in the quote above by o_e_l_e_o.

@jerry0, you can try to see if you can get the backup on your device to write down the 16 character code, or making use of scanner to know if the 16 character will be displayed as I explained above after you export it from Google 2FA app to Tofu or Authenticator (some apps like FreeOTP on Android was unable to export such but not in development, maybe the reason)

If other fails, reset the authentication. Your email, mobile number and your present (Google) 2FA may all be required to reset the 2FA. Reset it, get another 2Fa on Tofu. If the 16 code is not displayed by Coinbase as JeromeTash stated, then try to backup and see if you can extact the backup from the file location it is stored on your device. Or try to use a scanner to see if you will get the 16 character code. Like I mentioned before, scanners can be close source which is also a disadvantage, use open source apps. You can disconnect your device from internet connection during the process, extract the 16 character code, backup the code and uninstall the scanner.

Never use Authy, it stores your information on cloud, backup is better offline for security.

[o_e_l_e_o]

We need to stop recommending Authy on this forum. It is the worst possible 2FA you can use. It is as insecure as SMS 2FA in that someone who can spoof your phone number can access your account, it spies on your activity and information and shares that with third parties, and it can unilaterally lock you out of all your 2FA codes and demand KYC. See my post here for more information: https://bitcointalk.org/index.php?topic=5385388.msg59326683#msg59326683

Good 2FA apps such as Aegis allow you to go in to each individual account and view the back up code so you can write it down if you forgot to when you set it up or if the service didn't display it at all. Also note that you can always just decode the QR code and extract the code from it.

[jerry0]

Oeleo i know you mentioned authy isn't good.  But with gemini for example, that is apparently the only two factor they allow that isn't a yubikey.


For coinbase, I wanted to google authenticator but the issue is the backup requires you to take a picture of the QR code.  I do not like this because I would need to use another iphone to take the picture right?  Could i take the picture with my primary iphone which the google authenticator is installed in?  I have two phones but the other phone is an older iphone and if it has malware or virus, I don't want to risk taking a picture with it.  Or would you say there isn't a risk.


The other issue if even after taking the picture, where do I even store it?  I hear people say make copies of it.  Well that would require a printer and if your device is compromised, aren't you compromising your QR code as well?  Thus its similar to like dont type your seed on a computer or any device and print it out?  Since essentially the QR code is like a seed phrase for a wallet?  Or is it not that extreme?  Because I heard the QR code is basically the backup?  But someone would still need your username/password for coinbase for this?


I wanted to go with Authy for coinbase because it works fine with gemini.


Now do you have any opinion on Raivo OTP?  I believe you mentioned for IOS ... go with Tofu right?  The issue with tofu is I read there isn't a backup key that you can write down on paper and you have to scan a QR code as the backup... is that correct?  If so, I don't like that because you are taking a picture of the QR code and it can be compromised easily right?  I hear people say they print the QR code out or store it on a flash drive.


But with Raivo OTP, I read its open source... but you could actually back it up easily because it gives you a long key to write down and that is your backup?  If that is the case, wouldn't that be the best option for IOS than Tofi?  I see lot of good reviews about Raivo OTP for IOS and many seem to say its the best. 

[Charles-Tim]

Oeleo i know you mentioned authy isn't good.  But with gemini for example, that is apparently the only two factor they allow that isn't a yubikey.

You can use any authenticator, because a site recommend an authenticator does not mean another authenticator can not work, you can use any authenticator. But reputed open source ones which does not store your backups online are recommended.

[jerry0]

Okay I understand that.  So because of that, I want to use Raivo OTP.  Does anyone here use this one?


Thing is when I first try to set it up, it ask me


Choose a storage provider that you want to synchronize and backup your tokens to


None (offline)
Personal ICloud



Which one do I choose?  After this, it also ask me for a master password.  Now do I need to enter this master password each time I log in?  Or its something I need to write down as a backup in case something happens to my iphone?


Also if something happens to my iphone after setup, what do i need as the backup?  Will they give me a key to write down and make sure I have that?  Is it that key and also the master password I create so I need both of them?


I want to have a backup where I write it down on paper and not scan a QR code.  Can anyone who uses Raivo OTP answer this?