Today many big online services provide a way to protect your account with an additional security measure beyond the classic password. So-called multi-factor authentication performs an additional check after you have typed your correct username and password. This extra verification step may consist of typing a temporary code sent via SMS or email or generated by a dedicated authentication app (some apps can even be used to directly approve or deny sign-in requests without going through OTPs), or of using a hardware device such as a USB token, which is essentially a digital key you can bind to your accounts for a very high level of safety. The idea of authenticating the user with an additional security measure after the common username and password was once applied mostly to online banking services and internal corporate networks; today this technology is offered and even encouraged by many of the online services we use every day: Google, Facebook, Twitter, Instagram, TikTok and WordPress are examples of high-tech companies that offer it.
Why is it important to enable multi-factor authentication?
Multi-factor authentication provides an additional security layer that strongly decreases the likelihood of your account getting compromised: even if a potential attacker gets to know your login data, without this additional step they would not be able to gain access. Even though there is no 100% secure system, multi-factor authentication still makes it very hard to compromise an account: social engineering or security vulnerabilities in the web service are the most common ways to bypass even this powerful authentication method.
Using Google Authenticator for generating one time passwords
As written before, OTP is one of the possible multi-factor authentication methods and it can be sent as an SMS or email. There are also apps like Google Authenticator that let you generate disposable codes that change every minute and that are associated with a specific token provided by your web service: this token can be copied and pasted or scanned via QR code, and it is essentially the secret key that, combined with your local time, is used by the app to generate the disposable codes. Google Authenticator is safe to use and removes the steps involving waiting for SMS or email messages containing your OTP. Still, there is something that Google Authenticator does not allow you to do, compared to other similar apps: backing up your tokens on the cloud so that you can safely restore them in case you lose your phone or it gets damaged. What can you do if you want to use Google Authenticator but don't want to risk losing access to your accounts in case your phone gets lost, stolen or damaged and you were not able to recover your tokens? This article provides some advice so that you will know how to retrieve Google Authenticator tokens in case you can't use your phone anymore.
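To make concrete what "token plus local time" means, here is an added example (not code from the article or from Google Authenticator) that parses the otpauth:// URI a setup QR code contains and derives the code from the secret and the current time step as described in RFC 6238; the period is read from the URI and defaults to 30 seconds as in the RFC. The URI label, issuer and secret below are constructed sample values. Anyone holding the secret gets the same codes, which is why an exported token must be stored as carefully as a password.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/<label>?secret=...&issuer=... key URI (QR code content)."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("only otpauth://totp URIs are handled here")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": query["secret"],                 # base32-encoded shared secret
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),    # RFC 6238 default time step
    }


def totp(secret_b32: str, at: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # restore base32 padding
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", at // period)                   # Unix time / period
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                  # low nibble picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def code_from_uri(uri: str, at: int) -> str:
    """The number the app would display for this token at Unix time `at`."""
    p = parse_otpauth(uri)
    return totp(p["secret"], at, p["digits"], p["period"])


def verify(secret_b32: str, code: str, at: int, window: int = 1, period: int = 30) -> bool:
    """Server-side check that tolerates one time step of clock skew in each direction."""
    return any(
        hmac.compare_digest(totp(secret_b32, at + k * period, len(code), period), code)
        for k in range(-window, window + 1)
    )


# Constructed sample URI; the secret is the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
```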
1.) Keep your backup codes
The first piece of advice is maybe the most obvious, but it is important to print and keep in a safe place the emergency backup codes you can use at any moment to gain access to your accounts in case you can't generate OTPs anymore. These codes are essentially alternative disposable passwords you can use instead of those generated on the spot by the app or sent via SMS or email. Most online services give you the ability to print 10 backup codes and to revoke them and generate new ones in case you have already used some of your previous backup codes and want a fresh set.
2.) Have an alternative multi-factor authentication option
This is another recommendation that may sound obvious, but it is a good idea to associate more than one authentication method with your accounts: for example, you can bind both an app and a mobile phone number, so that you can generate codes with the app or receive them via SMS as a secondary option (if you lose your phone you will only need a SIM card replacement to receive SMS messages on another device); alternatively, you may use a USB token together with the app so that, if you lose your phone, you still have the token.
3.) Backup your Google Authenticator on Google Drive
While the two steps above don't exactly describe how to retrieve Google Authenticator tokens in case your phone gets lost or stolen or you can't use it anymore (they do give advice on how not to lose access to your accounts protected by multi-factor authentication), this last step is what may enable you to effectively back up your Google Authenticator data and retrieve it in the future. Note that this is an unofficial trick that is in no way recommended by Google, as they have not officially implemented, at this time, a way to back up your tokens (maybe because they find it safer not to store tokens on the cloud).
In order to back up your tokens through this unofficial way you can use your Google Drive, so that everything stays in your Google Account (be aware that, if your Google Account is itself protected by multi-factor authentication, you will need another device already logged in to Google to retrieve your backup; otherwise it is better to store it in another account). The procedure consists in using the export feature of Google Authenticator: it allows you to save a single token (or several, or all the tokens you have) as a QR code that can then be read by the same app on another device. So the export feature is meant to transfer tokens to another device, not to back them up on the cloud. By saving all your tokens in a single QR code and storing it in a cloud account, you are unofficially using the export feature to have a backup copy you can always retrieve in the future. This is, in fact, the only way to store your Google Authenticator data on the cloud and retrieve it later, through an unofficial but working procedure. Be aware that tokens are still sensitive information, as they can be used to generate OTPs for your accounts, so you should store them in a very safe cloud service or offline backup if you decide to go this way.
© 2021 Alessio Ganci