Tags: oauth-2.0, openid-connect, google-authentication, google-authenticator, authy

What happens if someone loses their phone with Google Authenticator or Authy on it?


If someone is using their phone with Authy or Google Authenticator and they lose their phone, can they log on to Google or Authy via another device in order to get an authentication token?


Solution

So there are a few things you can do here:

    1. Save the QR code / secret code at setup.

    When you set up Google Authenticator it always generates the QR code (and secret code) that you scan to add the entry to your app. The best practice is to actually save the QR code (take a screenshot) and save that somewhere in your password manager or somewhere safe, so that if you lose your phone you can add the account again on a new device. I go one step further and actually take a screenshot of the QR and also click on "I can't scan", and then I also save the initial setup code.

    2. Generate and save the backup codes.

    Google Authenticator on most platforms allows you to set up some backup codes. You can set these up and save them; if you then do not have your phone, you can use these backup codes to log in and then re-set up Google Authenticator on your new devices.

    3. Use a two-factor app that actually syncs to the cloud.

    I personally like to use Authenticator + (links below). You can set this up to sync an encrypted database of all your entries to many different cloud services like Dropbox, Google Drive etc. If you then move to a new phone you simply download the app, install Dropbox and set up the sync once again to sync with your old database.

    https://itunes.apple.com/sg/app/authenticator-plus/id963496421?mt=8
    https://play.google.com/store/apps/details?id=com.mufri.authenticatorplus&hl=en