Using an authenticator app for two-factor authentication (2FA) is more secure than SMS messages, but what if you switch phones? Here’s how to move your 2FA accounts if you use Microsoft Authenticator.
Previously, we looked at moving 2FA accounts in Google Authenticator to a new phone. We found that there’s no way to export all your accounts, and then import them onto a new phone. You have to re-create your 2FA accounts on your new phone manually.
Fortunately, Microsoft Authenticator provides a backup and recovery option. Note that 2FA is designed to make it extremely hard to access an account unless you have the 2FA code. Most accounts provide backup codes you can use if you’ve lost or damaged your phone.
Make sure you have a copy of the backup codes for each account before you attempt to change your authenticator device. You’ll then be able to use those if you experience any issues when trying to recover your accounts.
Turn on the Backup Option on Your Old Phone
If you need to recover your accounts on a new phone, you’ll have to turn on the backup option on your old one. To do this, open Microsoft Authenticator. Tap the three vertical dots at the top right, and then tap “Settings.”
In the “Backup” section, toggle-On “Cloud Backup” on an Android phone, or “iCloud Backup” on an iPhone.
Your accounts will then be backed up to the Microsoft account you used when you first set up Microsoft Authenticator. iPhones also require that you have an iCloud account.
If you’re concerned about what’s actually backed up, it’s pretty straightforward. Your account and usernames, verification code, and various metadata, such as the time at which the backup was created, will all be included.
Authenticator creates an encrypted JSON Web Encryption blob (JWE) file using AES-256. It then hashes the data using SHA-512, and adds it to the JWE before storing the whole file and Key ID in your account. A detailed explanation of the backup and storage process is available if you want to dive a little deeper.
Using the Recovery Option on Your New Phone
Next, you’ll need to install Microsoft Authenticator on your new phone. Download it from the Google Play for Android or the Apple App Store for iPhone. Don’t set up any accounts using Microsoft Authenticator until after you’ve used the Recovery tool because it will overwrite matching site accounts.
For example, say you set up 2FA on the Gmail account firstname.lastname@example.org in Authenticator on your new phone. However, Authenticator on your old phone contains the Gmail account email@example.com. The Recovery tool will overwrite the firstname.lastname@example.org account you added to Authenticator on your new phone with the email@example.com account that exists in your backup.
To use the Recovery tool, open Microsoft Authenticator on your new phone, and then click “Begin Recovery.”
You’ll be asked to sign in to the Microsoft account you used for the backup on your old phone. Your accounts will then automatically be added to Microsoft Authenticator on your new one.
Revalidate on the New and Remove From the Old
Some accounts will require you to revalidate, either by signing in to those accounts or scanning a QR code. Microsoft Authenticator will display a message if you need to do this. It’s essentially the same process you went through when you set up the account originally.
It’s also important to remove the accounts from your old phone. However, don’t do this until you’ve tested and made sure you can access these accounts on your new phone via Microsoft Authenticator.
To remove an account from your old phone, open Microsoft Authenticator on it. Tap the account you want to remove, and then tap “Remove Account.”
You should also open all your 2FA accounts and see if your old phone is still shown as a valid authentication device; if it is, remove it.
Once you’ve removed all the accounts from Authenticator on your old phone, you can remove the app, as well. From this point onward, only your new phone will provide 2FA codes for you.