Never set up two-factor authentication without making a backup. Here’s how
Recently, my phone was stolen. At first, I didn’t think this would be such a big deal: Thank goodness I had encrypted everything on it, so nobody could wreak havoc with my data. A few of my pictures were lost, but that was mostly my fault for not turning on some kind of cloud synchronisation.
What eventually backfired was my blind enthusiasm for two-factor authentication. I had set up my phone as a second factor to log into all of my main accounts: email, banking, web hosting; even that old Tumblr I stopped using a long time ago. While it occurred to me that this might be a problem if I ever lost or broke my phone, I dismissed it as an unlikely scenario. After all, I could always use my backup codes (for the handful of services that support them) or hassle customer support.
Well, several months later I’m finally back to normal, and I wish it hadn’t been so stressful. Especially now that I know how easy it is to save and restore your TFA codes, whether or not the service in question gives you a dedicated list of backup codes. Here’s how.
- When setting up two-factor authentication with Google Authenticator, Authy or any other app that uses the Time-based One-time Password algorithm (TOTP), you will be presented either with a QR code or with a sequence of characters you have to copy to your phone.
- If you are shown a QR code, try a right click or long tap and save the image on your (preferably encrypted) device. If that doesn’t work, take a screenshot. I strongly recommend doing this only on your own device; even after you delete the image from a borrowed device, it may still be recoverable.
- Print the QR code.
- Finish the setup by scanning the printed version of the QR code with your phone. Your printout could be smudged or low-resolution; scanning it confirms that the backup actually works.
- If you are shown a sequence of characters, write them down on a piece of paper. Then copy that sequence from the piece of paper to your phone to see if you got it right. Finish the setup.
- If you can choose between a QR code and a string of characters, pick the former if you prefer convenience and the latter if you prefer security. The QR code usually contains your username and the name of the issuing service, for example Gmail (you can generate an example code here). The raw string doesn’t contain any personal information.
- If you have already enabled two-factor authentication, turn it off and on again to create a backup.
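To make the last two points concrete, here is an added example (not the blog author’s code) that decodes the `otpauth://` text a TOTP enrolment QR code carries, showing the account label and issuer it exposes beside the bare secret, and that reproduces the one-time codes so a secret copied from paper can be checked against the saved one. The issuer and account in the sample URI are made up; the secret is the RFC 6238 test key.

```python
"""Added example, not the blog author's code: what a TOTP enrolment QR code
encodes, and a check that a secret copied from paper yields the same codes."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the text inside an enrolment QR code. Issuer and account
# are made up; the secret is the RFC 6238 test key so the codes can be checked.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def parse_otpauth(uri):
    """Decode an otpauth://totp/ URI into label, issuer, secret and parameters.
    The label and issuer are the personal data the raw secret does not carry."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": params["secret"],
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


def totp(secret_b32, at=None, digits=6, period=30, algorithm="sha1"):
    """RFC 6238: HMAC the time-step counter, dynamically truncate, keep digits."""
    secret_b32 = secret_b32.replace(" ", "").upper()   # apps display it in groups
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    counter = int((time.time() if at is None else at) // period)
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def transcription_matches(saved, copied, at=None, **kw):
    """A hand-copied secret is only a usable backup if it yields the same code."""
    return totp(saved, at, **kw) == totp(copied, at, **kw)


if __name__ == "__main__":
    enrol = parse_otpauth(SAMPLE_URI)
    print("QR code reveals:", enrol["label"], "/", enrol["issuer"])
    print("current code:", totp(enrol["secret"], digits=enrol["digits"]))
```

Run against the sample, the printed label and issuer are exactly the personal details the QR code leaks and the bare secret string does not; the same `totp` call on the original and the transcribed secret is the check from the paper-copy step.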
Lastly, some caveats. This method will also let you use Google Authenticator (or any such app) on more than one phone. It obviously won’t work with 2FA via SMS, which is horribly insecure and inconvenient anyway. That being said, a password plus SMS is still better than a password alone, so please sign up regardless and simultaneously shame your service for not implementing Time-based One-time Passwords.
Many thanks to the commenter on Stack Exchange who opened my eyes to this.