Jon Jelinek

Backing Up Google Authenticator 2FA Keys

Google Authenticator is a 2FA app on Android. 2FA stands for two-factor authentication, which acts as an additional mechanism for verifying identity. It works by having users provide their username, password, and a 2FA code specific to that site. The code constantly changes because it is generated from a hidden 2FA key, which the site provides when you set up 2FA on your account.

The Problem

Google intentionally prevents 2FA backups. The device stores the keys locally. If the device is lost or damaged, the 2FA keys are also lost. Google wants 2FA codes to exist on one device at a time and not be stored anywhere else. While this is the most secure design, recovering 2FA key data can be a real headache when the device is lost.

The process of replacing 2FA keys is painful — each account stays locked until the site authorizes you to replace your key.

What You Can Do

Option 1: Root your device (not recommended for most people)

For rooted Android devices, it is possible to use elevated privileges and the ADB CLI tool to back up the database holding the 2FA keys. Most people don’t root their Android, and there aren’t many compelling reasons to do it anymore.

Option 2: Export to a second device

The first device generates a QR code for scanning into a second device. Both devices then have identical keys and can generate 2FA codes.

Option 3: Photograph the QR code (the simplest option)

When you don’t have a second Android device, take a picture of the QR code with another device. You cannot use the screen capture feature, as the app disables it, so use a physical camera or another phone’s camera app.

This photo is all you need to recover your keys. Make sure to:

  1. Encrypt the photo (see Encrypt Your Files)
  2. Back it up to cloud storage

That encrypted backup is your insurance policy against a lost or damaged phone.
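
Why a copied key, whether on a second device (Option 2) or in a photo (Option 3), has to be guarded as closely as the phone itself: the code depends only on the key and the current time, so anyone holding the key produces the same codes. This is an added example, not code from the original post; it assumes the standard TOTP algorithm (RFC 6238, HMAC-SHA-1, 30-second step, 6 digits) that Google Authenticator uses by default, and the key is the constructed RFC 6238 test secret.

```python
import base64
import hashlib
import hmac
import struct


def totp(key_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA-1) for a Base32-encoded shared key."""
    # Keys are usually displayed as Base32, often lowercase, spaced and unpadded.
    cleaned = key_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    key = base64.b32decode(cleaned)

    # The moving factor is the number of whole time steps since the Unix epoch.
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()

    # Dynamic truncation (RFC 4226): the low nibble of the last byte selects
    # a 4-byte window; the top bit is masked off before reducing to digits.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def codes_match(key_a: str, key_b: str, unix_time: int) -> bool:
    """True when two holders of a key would show the same code at this time."""
    return hmac.compare_digest(totp(key_a, unix_time), totp(key_b, unix_time))


# Constructed sample key (the RFC 6238 test secret), not a real account key.
SAMPLE_KEY = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    now = 1234567890  # fixed timestamp so the output is reproducible
    phone = SAMPLE_KEY
    # The same key as it might be re-typed from a backup: lowercase, spaced.
    restored = " ".join(SAMPLE_KEY.lower()[i:i + 4] for i in range(0, 32, 4))
    print("phone   :", totp(phone, now))
    print("restored:", totp(restored, now))
    print("identical codes:", codes_match(phone, restored, now))
```
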