The Google Authenticator app is the most popular “time-based one-time password” (TOTP) app on the market. It’s so popular that it’s often the default name used when talking about TOTP 2FA.
Not many people realize that Google Authenticator does not back up the items you have stored in it. Your Google Authenticator app is NOT tied to your Google account and if you lose or break your phone you lose what was in your Google Authenticator app.
In this post I want to show the easiest way to back up your Google Authenticator app and what you should do and use going forward.
Important: If you add a new account to the Google Authenticator app you’ll need to do a new backup each time. We go over easier options you can do later in this article.
1. Open The Google Authenticator App
Open the Google Authenticator app on your phone and select the 3 little dots as pointed out in the picture below.
2. Select Export Accounts
Then select export accounts from the menu.
3. Press Continue To Export Accounts
When you see the picture below press continue to export accounts.
If you have multiple accounts Google Authenticator will allow you to pick which ones you want to export.
4. Save The QR Code
The Google Authenticator app will show you an export QR code. If you have more than 10 items saved in Google Authenticator you will have multiple QR codes, it does the QR codes in batches of 10.
You need to save a picture of this QR code.
You can screenshot it on iOS, but on Android, taking a screenshot of this app may be blocked.
Another option is to use another phone or camera and take a picture of the QR codes.
Once you have the pictures of the QR codes, it’s best that you print them out and save them somewhere safe and secure. It’s not advised you keep these screenshots on your phone or saved in your photo library.
You could save them digitally to external media like a flash drive, SSD, M-Disc, and more, but you must store them securely. Avoid keeping these images on your everyday computer or phone if you want to maintain the security that 2FA provides.
5. Keep All Exported Accounts
When you have saved the export QR codes somewhere secure, the next screen will ask if you want to delete or keep the current codes.
It’s best you keep the current codes until you 100% confirmed they’re backed up and safe.
Import Into Other Apps
The images of the exported QR codes can be scanned by any other phone with the Google Authenticator app, and it will import the codes.
If you have Aegis, only for Android, you can also import the export QR codes.
Aegis is a TOTP app just like Google Authenticator but works better and allows for backups plus gives you more control over your data.
To import that export QR code into Aegis, just open the app, press the “Plus” button at the bottom like you’re going to add a new account and scan the export QR codes from Google Authenticator.
Other TOTP 2FA Apps
Google Authenticator is not the only TOTP app, there are actually many options.
Only Google Authenticator and Aegis can read the export QR codes from the Google Authenticator app, though more could add the feature later, but all TOTP apps can read the QR code that is shown when setting up the TOTP 2FA for a website.
Here is just a short list of TOTP apps that I consider better than Google Authenticator:
What’s In The Google Authenticator Export QR Code?
What’s inside the export QR Code looks like this:
otpauth-migration://offline?data=CkoKDZePmX7z8qHgFlH9yVcSIlRoaXNfaXNfYW5fRXhhbXBsZTplbWFpbEBlbWFpbC5jb20aD0V4YW1wbGVfV2Vic2l0ZSABKAEwAhABGAEgAA%3D%3D
What it basically means is that this string of text is OTP migration, and all your data is inside the gibberish of letters and numbers.
The Google Authenticator app or Aegis app can read this data and import your codes (10 at a time) at any time and without the need of an internet connection.
Why 10 Codes At A Time?
The Google Authenticator app will only export 10 accounts at a time when you export.
So if you have 32 accounts inside your Google Authenticator app you will have 4 QR codes, 3 will be for 1 to 30 and the 4th will be the last 2.
Google is not open about why they do this limit, but it would seem obvious that they do it because of the character limit QR codes have. You can only fit so much data inside the QR code, and limiting it to 10 is a safe number.
Backing Up Tips!
When setting up 2FA that uses Google Authenticator it’s best you avoid using Google Authenticator altogether and use Authy, Aegis, 2FAS, or any other TOTP 2FA app instead.
An even better idea is when you see the QR code to scan for Google Authenticator, you simply print that page out. The QR code you see when setting up Google Authenticator can be read by any TOTP 2FA app, and it does not expire.
Take that printed out page with the QR code and keep it somewhere safe in your home. When you lose or break your phone you can use any TOTP 2FA app to read that QR code and get back into your accounts.
Some websites will even show you a 16-digit random code that is often next to the QR code. That 16-digit code is called the “secret key” and is the most important part of what is stored inside the QR code. You should write down that secret key and store it somewhere safe when turning on 2FA, it’s also smart to write down what website that code if for.
To understand why TOTP 2FA works so well and what’s inside that QR code, we have a post that covers it here.
FAQs
Does Google Authenticator Back Up To The Cloud?
The Google Authenticator app was updated to back up to the cloud, but it’s not encrypted.
I suggest you do your own backups, as a 2FA app without end-to-end encryption for backups is just silly.
What If I lost Access To My Phone That Has Google Authenticator?
If you don’t have your phone with Google Authenticator on it and did not do any backups or have any backup codes, then you’re screwed depending on the service.
You’ll need to go to every account that you set up Google Authenticator 2FA on and follow the steps they provide to disable 2FA and get back in your account.
This is most often a very time-consuming process as the website doesn’t know whether you’re the legit user or some hacker trying to get in.
If you used a crypto wallet that uses Google Authenticator 2FA, and you did not back that up, then you’re more than likely screwed if the wallet doesn’t support a wait time to reset 2FA.
There are some websites and services that are sticklers about 2FA, and if you don’t have your 2FA device or the backup codes, then there is nothing you can do. One example is Discord. Like it or hate it, this is the proper way to do 2FA because if you can turn 2FA off, then what’s the point of even having it?
See the backing up tips above so this doesn’t happen to you again.
Does Having Multiple Backups Of Google Authenticator Affect The Authentication Rights Of Other Devices?
Transferring or adding your Google Authenticator codes to other devices does not affect the devices that also have the same code.
There is no limit to how many devices can have the same codes for the same website. So you can share the code with multiple people and no one will lose access.
The code and information is all done offline, they don’t know about each other and will never know.
Does Google Authenticator Have A Seed Phrase?
The Google Authenticator app does not have a seed phrase like you expect from a crypto wallet.
There is not one code that can restore all the accounts you have stored in your Google Authenticator app.
There is a “secret key” that people may confuse with a seed phrase but it’s not the same thing.
Every account inside the Google Authenticator app will have a secret key and that key can be used to restore the codes if you back it up beforehand. This means your Twitter account, Coinbase account, Google account will have its own unique secret key.
Don’t confuse the secret key you have for your Google account as being a “master key” or a “seed phrase” that will unlock your Twitter, Coinbase, and other accounts stored in the Google Authenticator app. The secret key for your Google account only works for your Google account and does not relate to anything else. Also, remember that your Google account doesn’t relate to your Google Authenticator app, they do not know about each other.
What Are Backup Codes?
Once you’ve set up the Google Authenticator for an account they may give you the option to write down or print “backup codes” or also called “recovery code”.
The backup codes don’t relate to the QR code when setting up Google Authenticator.
Backup codes offer a way for you to get into your account in case you don’t have your 2FA device. So if you lost your phone that has your Google Authenticator codes in it you can still get into your account so long as you have the backup codes.
Websites often give you many backup codes that can only be used once. Some just give you one long code. Then some don’t give you any backup codes and want you to talk to support. Another option a website may give for a backup code is to simply give you the secret key that is used for Google Authenticator.
It can get confusing, but if you’re given a code, make sure to write it down along with what it’s for and keep that somewhere secure.
What’s Better Than Google Authenticator?
Using a physical hardware key, like the YubiKey (Ad), is better than using Google Authenticator.
You’ll need to have more than one hardware key, one will be a backup, and you also need to make sure you write down any backup or recovery codes a website may give you when turning on 2FA.
Not every website throws a flashing banner telling you to save your backup codes, so make sure to look for them!
Even Google themselves have moved on from Google Authenticator for internal use and use their own hardware security keys called Titan Security Keys.
The only drawback to hardware keys is that not every website or service supports them.
Can I Use An Old Phone?
The Google Authenticator app will run on just about any phone, it’s not a complex app.
So if you have an old phone lying around, you could use it as a backup for your Google Authenticator.
It’s certainly better than nothing, but I would personally prefer a physical print out of the export QR code. Paper has better reliability than electronic devices, but everyone’s situation is different.
Can I Store Google Authenticator In My Password Manager?
A lot of password managers can store and generate the TOTP 2FA code just like Google Authenticator.
Bitwarden, 1Password, and KeePassXC just to name a few can do this.
This does open a whole new debate if this is smart to do, and we have our opinion on it here, but it’s up to you.
For YubiKeys owners I recommend Yubico Authenticator. The Yubico Authenticator has safety and convenience advantages over other authenticators. The secret key is safely stored on your Yubikey and when you use the desktop version you can easily copy and paste the TOTP code. Every time when I set up a TOTP for a new account I save the secret key on both my YubiKeys. Additionally I save the secret key in the KeepassXC database, which is designated only for TOTP secrets and recovery codes.