Alessio enjoys writing about cell phones, apps, and other technology and the way they can help make everyday life easier.
Extra Security With Google Authenticator
Today, many major online services provide a way to protect your account with another layer of security in addition to the classic password. So-called multi-factor authentication adds an additional check after you type your correct username and password.
This verification system typically involves entering a temporary code sent via SMS or email, or generated through a specific authentication app (some apps can be used for directly approving or denying sign-in requests without going through one-time passwords). Verification can also be conducted through a hardware device like a USB token that is essentially a digital key you can bind to your accounts to ensure a total level of safety.
Authenticating the user with an additional security measure after the username and password have been entered was originally used primarily by online banking services and internal corporate networks. Today, this technology is offered and even encouraged by many online services we use every day. Google, Facebook, Twitter, Instagram, TikTok, and WordPress are examples of websites and applications that offer this service.
Why Is It Important to Enable Multi-Factor Authentication?
Multi-factor authentication provides an additional security layer that strongly decreases the possibility of your account being compromised. In fact, even if a potential attacker does get a hold of your login data, they wouldn’t be able to gain access to your account without this additional step.
Even if there is no 100% secure system, multi-factor authentication is still something that makes it very hard to compromise an account. Social engineering or security vulnerabilities in the web service may be the most common ways to bypass even this powerful authentication method.
Using Google Authenticator to Generate One-Time Passwords (OTP)
An OTP is a code used for multi-factor authentication that can be sent via SMS or email. There are also apps like Google Authenticator that let you generate disposable codes that change every minute and are associated with a specific token provided by your web service.
This token can be copied and pasted or scanned via QR code, and it is essentially the main key used by the app to generate the disposable codes associated with your local time. Google Authenticator is safe to use and removes the steps involved in waiting for SMS or email messages containing your OTP.
Still, there is something that Google Authenticator does not allow you to do, compared to similar apps: back up your tokens on the cloud to restore them if you lose your phone or it gets damaged. What should you do if you want to use Google Authenticator but don't want to risk losing access to your accounts if your phone gets lost, stolen, or damaged, and you're unable to recover your tokens?
This article provides some advice to help you retrieve Google Authenticator tokens if you can't use your phone.
1. Keep Your Backup Codes
The first piece of advice is maybe the most obvious; still, it is important to print the emergency backup codes and keep them in a safe place where you can find them at any moment to gain access to your accounts if you're no longer able to generate OTPs.
These codes are essentially alternative disposable passwords you can use instead of the codes generated immediately through the apps or sent via SMS or email. Most online services give the ability to print ten backup codes and eventually revoke them and generate new codes if you have already used some of your previous backup codes and want to restore them.
2. Have an Alternative Multi-Factor Authentication Option
This is another recommendation that may sound obvious, but it's a good idea to associate more than one authentication method with your accounts. For example, you can bind an app and a mobile phone number to generate codes or receive them via SMS as a secondary option (in case you lose your phone, you will only need to get a SIM card replacement to receive SMSs on another device). Otherwise, you may use a USB token and the app so that, if you lose your phone, you still have that token.
3. Back Up Your Google Authenticator on Google Drive
The two previous steps don't exactly describe how to retrieve Google Authenticator tokens if your phone gets lost, stolen, or you're unable to use it anymore. They do provide advice on how to avoid losing access to your accounts protected by multi-factor authentication, but this last step is what may enable you to effectively back up your Google Authenticator data and retrieve it in the future.
Note that this is an unofficial trick that is not recommended by Google, as they have not officially implemented, at this time, a way to back up your tokens (maybe because they find it safer to not store tokens on the cloud).
To back up your tokens through this unofficial method, you can use your Google Drive so that everything stays in your Google account. Be aware that if your Google account is one of those protected by multi-factor authentication, you will need another device already logged in to Google to retrieve your backup; otherwise, it is better to store it in another account.
The procedure consists of using the export feature of Google Authenticator. It allows you to save your single tokens (or even multiple or all the tokens you have) as a QR code that can then be read by the same app on another device. So the export feature is meant to transfer tokens to another device, not to back them up on the cloud.
By saving all your tokens in a single QR code and storing the code in a cloud account, you are unofficially using the export feature to have a backup copy you can always retrieve in the future. This is, though unofficial, the only way to store your Google Authenticator on the cloud and retrieve it in the future.
Be aware that tokens are still sensitive information, as they may be used to generate OTPs for your accounts, so you should still store them in a secure cloud service or offline backup if you decide to utilize this method.
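To make concrete why the token described above is "the main key" and why any stored copy of it is sensitive, here is an added example (not from the original article and not Google's code) that derives codes from a token and the current time, following RFC 6238. It assumes the standard otpauth:// enrolment URI that a web service's QR code encodes, not Authenticator's export QR format, with the RFC defaults of six digits and a 30-second step; the sample URI and account name are constructed.

```python
import base64, hmac, struct
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample: the RFC 6238 test secret ("12345678901234567890") in Base32,
# wrapped in the otpauth:// key URI that an enrolment QR code carries.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

def parse_otpauth(uri):
    """Extract the token (shared secret) and its parameters from a key URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP key URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    b32 = q["secret"].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)              # services often omit Base32 padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),   # RFC 6238 default time step
        "algorithm": q.get("algorithm", "SHA1").lower(),
    }

def totp(token, unix_time):
    """Code for the time step containing unix_time (HMAC + dynamic truncation)."""
    counter = int(unix_time) // token["period"]
    mac = hmac.new(token["secret"], struct.pack(">Q", counter),
                   token["algorithm"]).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** token["digits"]).zfill(token["digits"])

def verify(token, code, unix_time, window=1):
    """Server-side check that tolerates clock drift of +/- window time steps."""
    return any(
        hmac.compare_digest(totp(token, unix_time + i * token["period"]), code)
        for i in range(-window, window + 1)
    )

if __name__ == "__main__":
    phone = parse_otpauth(SAMPLE_URI)      # original device
    restored = parse_otpauth(SAMPLE_URI)   # any other holder of the same token
    print(totp(phone, 59), totp(restored, 59))   # identical codes
```

Anything that holds the token produces the same codes at the same moment, which is what makes a restored backup work and also why a leaked copy defeats the second factor.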
© 2021 Alessio Ganci