Key Takeaways
- Two-factor authentication (2FA) blocks attackers who already know your password, but you lose every protected account if your phone breaks without a backup.
- The four reliable manual backups are screenshot, print, a second phone, and writing the secret code down on paper.
- Google Authenticator now supports cloud sync, but without end-to-end encryption; for maximum security combine manual backups or switch to an app like Authy.
In This Article
- What is two-factor authentication?
- Google Authenticator
- How to activate 2FA using Google Authenticator
- Google Authenticator cloud backup
- Manual backup options
- My phone is broken, now what?
- Activated 2FA but forgot to back it up
- Transfer Google Authenticator to a new Android phone
- Accounts exported warning
- Transfer Google Authenticator to a new iPhone
- Alternatives to Google Authenticator
- Summary: best practices for 2FA backup
What is Two-Factor Authentication?
Two-Factor Authentication (2FA) is an extra verification step that protects the privacy of your personal information. You will encounter it more often online, especially when using cryptocurrency exchanges, banking apps, and other services that handle sensitive data.
At your bank, you probably already use this as an SMS code or a separate device to keep your account safe. This form of extra security has become essential. Hacks, scams, and data breaches happen almost daily and your password may have leaked already. If 2FA is enabled on a website or app, an attacker still cannot get in with just your password.
Criminals are always looking for ways into your account, but with 2FA you can make it very hard for them.
Google Authenticator
Google Authenticator is the most widely used 2FA mobile app in the cryptocurrency world. Every reputable exchange, wallet, app, or website will encourage you to set up 2FA when registering an account. Protecting accounts is in their interest too: it prevents support tickets, reputational damage, and the loss of customers or investors.
If someone knows your email address and password, they can access your personal information, including your bank account. With 2FA enabled, that person also needs physical access to your phone to log in. If a website supports 2FA, you should use it. Google Authenticator is a popular option, but there are alternatives. Protecting multiple accounts in one app is straightforward. The app is available for iOS (iPhone) and Android devices.
This is an example of the Google Authenticator app, which generates the 2FA codes:

How to Activate 2FA Using Google Authenticator
When you turn on 2FA on a website, a QR code is displayed for you to scan with the Google Authenticator app. Usually there is also a code you can enter manually as an alternative. After entering the response code from the app on the website, 2FA is activated.
Google Authenticator Cloud Backup
In April 2023, Google introduced a major update to the Authenticator app: cloud sync and backup. This feature lets you back up your 2FA codes to your Google Account and sync them across multiple devices.
How cloud backup works
When you enable cloud sync:
- Your 2FA codes are automatically backed up to your Google Account.
- You can access your codes on multiple devices (phones, tablets) signed in to the same Google Account.
- If you lose your phone or get a new one, signing in restores all your codes instantly.
- The app received a colorful new icon with this update.
How to enable cloud sync
- Update Google Authenticator to the latest version.
- Open the app and tap on your profile icon.
- Sign in with your Google Account.
- Your codes will automatically sync to the cloud.
Important security warning
While cloud backup is convenient, there is a significant security concern to be aware of: Google Authenticator’s cloud sync does not use end-to-end encryption (E2EE).
What does that mean?
- Google can technically see your 2FA secrets stored on their servers.
- If someone gains access to your Google Account, they could potentially access all your 2FA codes.
- Security researchers have advised caution when using this feature.
Google has stated it plans to add end-to-end encryption in the future, but at the time of writing this has still not been implemented.
Should you use cloud backup?
Use cloud backup if:
- Convenience is your priority.
- You have strong security on your Google Account (strong password plus 2FA on Google itself).
- You have lost access to accounts before due to a broken phone.
Consider manual backups instead if:
- You handle highly sensitive accounts (large crypto holdings, business accounts).
- Maximum security is your priority.
- You are uncomfortable with Google having access to your 2FA secrets.
The good news: cloud sync is optional. You can still use Google Authenticator without signing in or syncing, and manage your backups manually using the methods described below.
Manual Backup Options (Recommended for Maximum Security)
Whether you choose not to use cloud sync, or you want an additional backup layer, these four manual methods are the most secure way to protect your 2FA codes.
Before you finally activate 2FA by entering the response code, it is important to back up the QR code and the written secret. Here are four backup options with their advantages and disadvantages.
#1 Screenshot
Take a screenshot of the QR code and the written secret (if shown). With a new phone, you can rescan or re-enter the code to regain access.
On Windows, press the ‘Print Screen’ key on your keyboard and paste the image into Microsoft Paint (mspaint.exe), or use the Snipping Tool, which can be found in the Start menu.
On Apple (macOS), press COMMAND+SHIFT+3 for a full-screen screenshot, or COMMAND+SHIFT+4 for a selection. The files are usually stored on your desktop with a file name like ‘Screenshot + date.PNG’.
Advantage: It is easy and quick.
Disadvantage: The secret code is stored on your computer, where a hacker or virus could find it.
Tip: Move the files to a USB stick and store it securely.

#2 Print
Print the page where the QR code and the written secret are displayed. Scan the QR code from the paper to test that it works. Keep the printout in a safe and dry place.
Advantage: The secret code is no longer present on the computer, which solves the disadvantage of option 1.
Disadvantage: You need a printer. Fewer and fewer people own one these days. You also have to store the printed page somewhere secure and dry to prevent unauthorized access and to keep it readable.

#3 Extra Mobile Phone
Do you still have a second mobile phone at your disposal? For example, one from work, your partner’s, or an old one lying around? You can use that phone to scan the QR code or enter the secret manually as well.
Advantage: You are back up and running quickly. It is also very practical if you want to log in: just grab whichever phone is nearby.
Disadvantage: If you often have both phones together, they can be stolen or destroyed in the same incident.

#4 Write It Down
Write the code down the good old-fashioned way with pen and paper.
Advantage: You do not need a printer or a second mobile phone, and the backup is 100% offline.
Tip: Double-check that you have written the code down correctly, and make sure you can read your own handwriting.
Disadvantage: Some websites only display the QR code. Those cannot be written down. Fortunately, more and more websites show both versions: QR and secret code.
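To test a written-down or printed secret without re-enrolling, you can compute the code yourself and compare it with what the app shows. The following Python sketch is an added example, not part of the original article: it assumes the site uses the standard TOTP settings that Google Authenticator defaults to (base32 secret, HMAC-SHA1, 6 digits, 30-second period), the function names are illustrative, and the sample secret is the public RFC 6238 test key with a made-up account label.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

BASE32 = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")

def decode_secret(written: str) -> bytes:
    """Decode a hand-copied secret; reject characters base32 never contains."""
    s = written.replace(" ", "").replace("-", "").upper().rstrip("=")
    bad = sorted(set(s) - BASE32)
    if bad:
        # 0, 1, 8 and 9 are not base32: usually a misread O, I/L or B.
        raise ValueError("not valid in a base32 secret: " + "".join(bad))
    return base64.b32decode(s + "=" * (-len(s) % 8))

def secret_from_qr_text(uri: str) -> bytes:
    """Extract the secret from the otpauth:// text a setup QR code encodes."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP setup URI")
    return decode_secret(parse_qs(u.query)["secret"][0])

def totp(key: bytes, at: float, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 code for Unix time `at` (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(key, struct.pack(">Q", int(at) // period), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def backup_matches(written: str, code_in_app: str, at: float) -> bool:
    """True if the backup yields the code the app shows (one step of clock drift allowed)."""
    key = decode_secret(written)
    return any(hmac.compare_digest(totp(key, at + d), code_in_app)
               for d in (-30, 0, 30))

# Constructed sample: the RFC 6238 test key, written in lowercase groups of four.
SAMPLE_WRITTEN = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"
SAMPLE_QR_TEXT = ("otpauth://totp/Example:alice@example.com"
                  "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

if __name__ == "__main__":
    import time
    print("code now:", totp(decode_secret(SAMPLE_WRITTEN), time.time()))
```

The alphabet check only catches characters that cannot occur in a secret; a wrong but valid letter is caught only by comparing the computed code with the one in the app, which is what `backup_matches` does. Run it on a machine you trust, since typing the secret in puts it on that computer just as a screenshot would.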

My Phone is Broken, Now What?
If you have enabled cloud sync, recovering your codes is easy: install Google Authenticator on your new phone, sign in with your Google Account, and all your codes will be restored automatically.
If you have not enabled cloud sync and have no backup, you will lose access to every site where you have activated 2FA. You will then need to prove your identity per website through their support to reactivate Google Authenticator. With crypto exchanges, this can sometimes take weeks.
This is why having at least one backup method in place is so important.
Activated 2FA, but Forgot to Back Up or Lost It?
If 2FA with Google Authenticator is fully set up on a website, you will need to deactivate and reactivate it to make a backup. Most websites do offer the option to turn 2FA off, but only while you still have access to the mobile phone that is connected to it.
When you turn it off, you will be asked for the code generated on your mobile, just like when you log in. After this you can re-activate 2FA and make the backup using the options mentioned above.
Transfer Google Authenticator to a New Phone (Android)
For Android users, there is a built-in method to transfer all your 2FA codes to a new phone. This is a convenient feature that saves time because it moves all your codes at once.
Alternatively, if you have cloud sync enabled, your codes will automatically appear when you sign in on your new device.
How does the manual transfer work? The app generates a special QR code containing all the 2FA backup codes you choose to transfer. Once you scan this QR code on the new Android phone, the codes will be moved over.
Step-by-step guide (Android)
1. First, download the Google Authenticator app on your new phone.
2. Open the Google Authenticator app on your old phone.
3. Go to the settings, which usually look like 3 dots or 3 lines (hamburger menu).
4. Choose the option ‘Transfer accounts’ (see screenshot below).
5. Select the option ‘Export accounts’.
6. You might be asked to verify it is you by entering your phone’s PIN code or fingerprint.
7. Now select the accounts you want to transfer and tap ‘Next’.
8. On your new phone, go to settings like in step 3 and choose ‘Import accounts’.
9. Finally, scan the QR code on your old phone and the selected codes will be transferred.

Accounts Exported Warning
You might see a notification on your old phone saying ‘Accounts were recently exported’. This is a warning: if you did not export them yourself, someone else now has all your codes.
Although they still need your password for each website or app to access it, you need to take action. The best approach is to change your password and reset 2FA everywhere.
Transfer Google Authenticator to a New iPhone
Note: If you have cloud sync enabled, simply sign in with your Google Account on your new iPhone and your codes will appear automatically. The following instructions are for manual transfer or for your Google account specifically.
Moving Google Authenticator for your Google account to another phone is rather easy via Google’s website.
For all the other accounts, you will need to go through the process of disabling and re-enabling 2FA (unless you use cloud sync).
Step-by-step guide (iPhone)
1. First, go to the Google 2FA page.
2. Click the ‘Get started’ button.
3. Choose the Google account you want to use and enter your password.
4. Find the section ‘Authenticator app’ and click ‘Change phone’ (see the screenshot below).
5. Now either scan the QR code on your new phone to finish, or enter the ‘secret key’ that appears after clicking ‘Can’t see it?’
WARNING: All of the above operations are at your own risk, so take your time, double-check everything, and test what you are doing.
Alternatives to Google Authenticator
If you are looking for an alternative authentication app, especially one with stronger security features, here are two popular choices.
Authy
Authy is often recommended by security experts because it offers end-to-end encryption for cloud backups. This means even Authy itself cannot see your 2FA secrets, unlike Google Authenticator.
Key features:
- End-to-end encrypted cloud backups.
- Multi-device sync.
- Available on iOS, Android, Windows, Mac, and Linux (desktop version).
- Free to use.
Microsoft Authenticator
Microsoft Authenticator offers similar features to Google Authenticator, including cloud backup and one-time password generation.
Key features:
- Cloud backup to a Microsoft account.
- Approving login requests via notification.
- Available on iOS and Android.
- Free on the App Store and Google Play.
Which should you choose?
| Feature | Google Authenticator | Authy | Microsoft Authenticator |
|---|---|---|---|
| Cloud Backup | Yes | Yes | Yes |
| End-to-End Encryption | No | Yes | Partial |
| Desktop App | No | Yes | No |
| Multi-Device Sync | Yes | Yes | Yes |
Our recommendation: If security is your top priority, consider Authy for its end-to-end encryption. If you are already deep in the Google ecosystem and want convenience, Google Authenticator with cloud sync is a solid choice, as long as your Google Account itself has strong security.
Summary: Best Practices for 2FA Backup
- Always create a backup before finalizing your 2FA setup.
- Use cloud sync for convenience, but understand the security trade-offs.
- Consider manual backups (screenshot, print, extra phone, or write it down) for maximum security.
- Secure your Google Account with a strong password and 2FA if you use cloud sync.
- Test your backup to make sure it works before you need it.
- Consider Authy if end-to-end encryption is important to you.
Stay safe out there!