Skip to main content

How to Retrieve Google Authenticator in Case of Lost Phone

Alessio has reported security vulnerabilities to Google and Apple. He also has a past as a web developer and web server administrator.

Google Authenticator for a lost phone

Google Authenticator for a lost phone

How to Recover Google Authenticator

Today, many primary online services provide a way to protect your account with another layer of security in addition to the classic password. The so-called multi-factor authentication ensures an additional check after typing your correct username and password.

This verification system typically involves entering a temporary code sent via SMS or email generated through a specific authentication app (some apps even directly allow approving or denying sign-in requests without going through one-time passwords). Verification can also be conducted through a hardware device like a USB token that is essentially a digital key you can bind to your accounts to ensure a total level of safety.

The user's authentication with an additional security measure after entering the username and password was initially the leading choice by online banking services and internal corporate networks. Today, this technology is offered and even encouraged by many online services we use every day. Google, Facebook, Twitter, Instagram, TikTok, and WordPress are examples of websites and applications that offer this service.

Why Is It Important to Enable Multi-Factor Authentication?

Multi-factor authentication provides an additional security layer that strongly decreases the possibility of your account’s violation. Even if a potential attacker does get a hold of your login data, they wouldn’t be able to gain access to your account without this additional step.

Even if there is no 100% secure system, multi-factor authentication makes it very hard to compromise an account. Social engineering or security vulnerabilities in the web service may be the most common ways to bypass this powerful authentication method.

The USB token, an alternative way to authorize access to an account protected by multi-factor authentication

The USB token, an alternative way to authorize access to an account protected by multi-factor authentication

Using Google Authenticator to Generate One-Time Passwords (OTP)

An OTP is a multi-factor authentication method that involves sending a code via SMS or email. There are also apps like Google Authenticator that let you generate disposable codes that change every minute and are associated with a specific token provided by your web service.

This token can be copied and pasted or scanned via a QR code. It is essentially the primary key used by the app to generate the disposable codes associated with your local time. Google Authenticator is safe to use and removes the steps involved in waiting for SMS or email messages containing your OTP.

Still, there is something that Google Authenticator does not allow you to do, compared to similar apps: back up your tokens on the cloud to restore them if you lose your phone or it gets damaged. What should you do if you want to use Google Authenticator but don't want to risk losing access to your accounts if your phone gets lost, stolen, or damaged, and you're unable to recover your tokens?

This article provides advice to help you retrieve Google Authenticator tokens if you can't use your phone.

Scroll to Continue
A screen of the initial page from which you can start to add accounts to Google Authenticator. Google and the Google logo are trademarks of Google LLC.

A screen of the initial page from which you can start to add accounts to Google Authenticator. Google and the Google logo are trademarks of Google LLC.

1. Keep Your Backup Codes

The first piece of advice is maybe the most obvious; still, it is essential to print the emergency backup codes and keep them in a safe place where you can find them at any moment to gain access to your accounts if you're no longer able to generate OTPs.

These are alternative disposable passwords you can use instead of the codes generated immediately through the apps or sent via SMS or email. Most online services give the ability to print ten backup codes and eventually revoke them and get new ones if you have already used some of your previous backup codes and want to restore them.

2. Have an Alternative Multi-Factor Authentication Option

This recommendation may sound obvious, but it's a good idea to associate more than one authentication method with your accounts. For example, you can bind an app and a mobile phone number to generate codes or receive them via SMS as a secondary option (in case you lose your phone, you will only need to get a SIM card replacement to receive SMSs on another device). Otherwise, you may use a USB token and the app so that, if you lose your phone, you still have that token.

3. Back Up Your Google Authenticator on Google Drive

The two previous steps don't precisely describe how to retrieve Google Authenticator tokens if your phone gets lost, stolen, or you're unable to use it anymore. They do provide advice on how to avoid losing access to your accounts protected by multi-factor authentication). Still, this last step may enable you to effectively back up your Google Authenticator data and retrieve it in the future.

Note that this is an unofficial trick that is not recommended by Google, as they have not officially implemented, at this time, a way to back up your tokens (maybe because they find it safer not to store tokens on the cloud).

To back up your tokens through this unofficial method, you can use your Google Drive so that everything stays in your Google account. Be aware that if your Google account is one of those protected by multi-factor authentication, you will need another device already logged in to Google to retrieve your backup; otherwise, it is better to store it in another account.

Export as a QR Code

The procedure consists of using the export feature of Google Authenticator. It allows you to save your single tokens (or even multiple or all the tokens you have) as a QR code that the same app can then read on another device. So the export feature is meant to transfer tokens to another device, not backup them on the cloud.

By saving all your tokens in a single QR code and storing the code in a cloud account, you are unofficially using the export feature to have a backup copy you can always retrieve in the future. it is, though unofficial, the only way to store your Google Authenticator on the cloud and retrieve it in the future.

Be aware that tokens are still sensitive information, as they may be used to generate OTPs for your accounts, so you should still store them in a secure cloud service or offline backup if you decide to utilize this method.

This article is accurate and true to the best of the author’s knowledge. Content is for informational or entertainment purposes only and does not substitute for personal counsel or professional advice in business, financial, legal, or technical matters.

© 2021 Alessio Ganci

Related Articles