Quick Links

Key Takeaways

  • Enable cloud backups in Microsoft Authenticator on your old phone to transfer your 2FA accounts to your new phone easily.
  • Make sure to have backup codes for each account before changing your authenticator device for added security.
  • Revalidate and remove accounts from your old phone after successfully transferring them to your new phone using Microsoft Authenticator.

Using an authenticator app for two-factor authentication (2FA) is more secure than SMS messages, but what if you switch phones? Here's how to move your 2FA accounts if you use Microsoft Authenticator.

Previously, we looked at moving 2FA accounts in Google Authenticator to a new phone. We found that there's no way to export all your accounts, and then import them onto a new phone. You have to re-create your 2FA accounts on your new phone manually.

Fortunately, Microsoft Authenticator provides a backup and recovery option. Note that 2FA is designed to make it extremely hard to access an account unless you have the 2FA code. Most accounts provide backup codes you can use if you've lost or damaged your phone.

Make sure you have a copy of the backup codes for each account before you attempt to change your authenticator device. You'll then be able to use those if you experience any issues when trying to recover your accounts.

Turn on the Backup Option on Your Old Phone

If you need to recover your accounts on a new phone, you'll have to turn on the backup option on your old one. To do this, open Microsoft Authenticator. Tap the three vertical dots at the top right, and then tap "Settings."

Tap the three dots, and then tap "Settings."

In the "Backup" section, toggle-On "Cloud Backup" on an Android phone, or "iCloud Backup" on an iPhone.

Toggle-On Microsoft Authenticator's "Cloud Backup" option.

Your accounts will then be backed up to the Microsoft account you used when you first set up Microsoft Authenticator. iPhones also require that you have an iCloud account.

If you're concerned about what's actually backed up, it's pretty straightforward. Your account and usernames, verification code, and various metadata, such as the time at which the backup was created, will all be included.

Authenticator creates an encrypted JSON Web Encryption blob (JWE) file using AES-256. It then hashes the data using SHA-512, and adds it to the JWE before storing the whole file and Key ID in your account. A detailed explanation of the backup and storage process is available if you want to dive a little deeper.

Using the Recovery Option on Your New Phone

Next, you'll need to install Microsoft Authenticator on your new phone. Download it from the Google Play for Android or the Apple App Store for iPhone. Don't set up any accounts using Microsoft Authenticator until after you've used the Recovery tool because it will overwrite matching site accounts.

For example, say you set up 2FA on the Gmail account abc@gmail.com in Authenticator on your new phone. However, Authenticator on your old phone contains the Gmail account xyz@gmail.com. The Recovery tool will overwrite the abc@gmail.com account you added to Authenticator on your new phone with the xyz@gmail.com account that exists in your backup.

To use the Recovery tool, open Microsoft Authenticator on your new phone, and then click "Begin Recovery."

Click "Begin Recovery" in Microsoft Authenticator.

You'll be asked to sign in to the Microsoft account you used for the backup on your old phone. Your accounts will then automatically be added to Microsoft Authenticator on your new one.

Revalidate on the New and Remove From the Old

Some accounts will require you to revalidate, either by signing in to those accounts or scanning a QR code. Microsoft Authenticator will display a message if you need to do this. It's essentially the same process you went through when you set up the account originally.

It's also important to remove the accounts from your old phone. However, don't do this until you've tested and made sure you can access these accounts on your new phone via Microsoft Authenticator.

To remove an account from your old phone, open Microsoft Authenticator on it. Tap the account you want to remove, and then tap "Remove Account."

Tap "Remove Account" in Microsoft Authenticator.

You should also open all your 2FA accounts and see if your old phone is still shown as a valid authentication device; if it is, remove it.

Once you've removed all the accounts from Authenticator on your old phone, you can remove the app, as well. From this point onward, only your new phone will provide 2FA codes for you.