Two-factor authentication has become an essential security precaution for many people, but it can also be a source of anxiety. When you change or upgrade phones, Google Authenticator doesn’t migrate codes automatically—you need to do that manually.
Thankfully, it’s not difficult to move Google Authenticator codes from one phone to another, although, admittedly, it can be somewhat cumbersome and time-consuming. Google intended this, more or less, by design. It shouldn’t be too easy to retrieve authentication codes from anywhere except the device you’re using for your two-factor authentication, or the whole value of 2FA would be moot.
Nonetheless, here’s what you need to know to get Google Authenticator (and all of your authentication codes) from an old phone to a new one. Whether you’re jumping platforms or staying within your iOS or Android universes, the process is the same.
Move Google Authenticator to a New Phone
First of all, don’t do anything to the copy of Google Authenticator on your old phone. Leave it be for now, or else you might get caught without a way to enter 2FA codes before the new phone is set up. Start by installing Google Authenticator on your new device—either Google Authenticator for iPhone or Google Authenticator for Android.
Next, you’ll need your computer. Open Google’s 2-Step Verification page in a browser and log into your Google account when it asks you. In the “Authenticator app” section of the page, click “Change Phone.”
Choose the kind of phone you are migrating to and click “Next.”
You should now see the “Set up Authenticator” screen, complete with barcode. Open Google Authenticator on the new phone and follow the prompts to scan the barcode. Tap “Setup,” and then “Scan a Barcode.”
After the scan, you’ll want to enter the one-time code to verify it’s working.
Transfer Your Google Authenticator Codes for Other Sites
Congrats! You’ve now moved Google’s authentication code to the new phone, but that’s all; the only service you’ve set up is Google. You probably still have a slew of other apps and services connected to Google Authenticator—perhaps Dashlane, Slack, Dropbox, Reddit, or others. You’ll need to migrate each of these, one at a time. This is the time-consuming part we alluded to earlier.
But the overall process is straightforward, even if you need to hunt around a bit for the settings. Pick a site or service that’s listed in your old copy of Google Authenticator (on the old phone) and log into its website or open the app. Find that site’s 2FA setting. It’s probably in the account, password, or security section of the website, although, if the service has a mobile or desktop app, it might be there instead. Case in point: The 2FA settings for Dashlane are found in the desktop app, not the website, while Reddit puts the 2FA controls on the site in the “User Settings” menu, on the “Privacy & Security” tab.
Once you find the right controls, disable 2FA for this site. You’ll probably need to enter the password for the site, or possibly the authentication code, which is why you’ll want to have the old phone and its copy of Google Authenticator handy.
Finally, re-enable 2FA, this time scanning the QR code with Google Authenticator on the new phone. Repeat that process for each site or service listed in your old copy of Google Authenticator.
Enable 2FA on More Than One Device at a Time
In a perfect world, 2FA allows you to confirm your credentials using a mobile phone or some other device that you carry with you all the time, which only you have access to. This makes it very hard for hackers to spoof the system, because (unlike getting codes via SMS, which is not especially secure) there’s no easy way for bad guys to get their hands on a second-factor authorization delivered via a local app that exists only in your pocket.
Here’s what’s happening behind the scenes. When you add a new site or service to Google Authenticator, the site uses a secret key to generate a QR code. Scanning that code passes the key to your Google Authenticator app, which uses it to generate an unlimited number of time-based, one-time passwords. Once you scan the QR code and close the browser window, that particular QR code can’t be regenerated, and the secret key is stored locally on your phone.
If Google Authenticator were able to sync across multiple devices, then the secret key or its resulting authentication codes would have to live in the cloud somewhere, leaving them vulnerable to hacking. That’s why Google doesn’t let you sync your codes across devices. However, there are two ways to maintain authentication codes on multiple devices at once.
First, when you add a site or service to Google Authenticator, you can scan the QR code onto multiple devices at once. The website that generates the QR code doesn’t know (or care) that you’ve scanned it. You can scan it into any number of additional mobile devices, and every copy of Google Authenticator you scan from the same barcode will generate the same six-digit code.
We don’t recommend doing it this way, though. First of all, you’re proliferating your authentication codes to multiple devices that can be lost or stolen. But, more importantly, the devices aren’t actually synced, so they can drift out of step with each other. If you need to turn off 2FA for a particular service, for example, and then only re-enable it on one device, you may no longer know which device has the most current and correct authentication codes. It’s a disaster waiting to happen.
Use Authy to Make This Easier
It is possible to sync your authentication codes across devices—you just can’t do it with Google Authenticator. If you want the flexibility of having all of your 2FA codes on multiple devices, we recommend Authy. It works with all the sites and services that use Google Authenticator, and it encrypts the codes with a password you provide and stores them in the cloud. This makes multiple devices and migration much easier, and the encrypted cloud-based sync offers a balance of security and convenience.
With Authy, you don’t need to set up two-factor authentication for all your devices every time you move to a new phone. We recommend making the switch from Google Authenticator to Authy to make the new-phone migration process easier in the future.