3 Ways To Move Google Authenticator To A New Device


by dan on May 30, 2011

Adding 2-step verification (not sure why they just can’t call it what it is: 2 factor authentication) to Google accounts is one of the smartest things the company has ever done.  Anything as central to one’s identity as an e-mail account should be protected with the utmost vigilance.  That’s not to say that it’s a) easy, or b) perfect.  It isn’t.  On the ease of use front – few people other than the most geeky of my friends have bothered to implement it.  Two factor authentication is difficult for some people to understand, but most people get along just fine with the RSA tokens issued to them by their work or bank (although they aren’t exactly sporting the best security record this year).  The complication for Google comes in the way that they’ve decided to implement per-application passwords.  But no matter; this has been reviewed to death.  The fact is that 2-step verification adds a TON of security to your Google account, and no matter how difficult it is to use, just use it.

My issue with the system is that there are a couple of traps that are easy to fall into, and the only way out is to go through the process of setting up 2-step verification all over again, losing any per-application passwords you’ve created (which in my case is a lot).  Once you’ve been shown your barcode or key to set up a mobile Authenticator app – you can’t get it again.  One shot, no do-overs.  Need to move your Google Authenticator to a new mobile device? Tough.  I find this hugely annoying and would like to save others the wasted time I have spent on a couple of occasions now, starting from scratch.  The crux of the issue is that the Google Authenticator app gives you no easy way to retrieve the hidden key, or move it to another device.  Changing the device on the Account Security page forces you to remove and re-enable 2-factor authentication.  So I’m going to show you 3 ways to move the key yourself.

Method 1 – For the brand new user

First off, if you’ve never set up Google Authenticator before, here’s a crucial tip – when you are prompted to scan the barcode containing your account key by the Android app – take a screenshot!  Keep that screenshot very safe; you can easily use it to set up a different device in the future.  Or if you want – just copy the “Key” that’s listed if you click the + beside “Can’t scan the QR code”.  It’s just as good.  You’re done; be thankful folks like me have wasted our time blazing the trail so you can walk along it.

Method 2 – For the rooted user (Android only)

If you’re rooted – fear not, Titanium Backup will easily back up the Google Authenticator user data and let you restore it onto a new device.  Potential caveat – if you’re backing up and restoring on totally different versions of Android (say 2.2 to 2.3) this may not work correctly.  In which case – go for method 3 below.

Method 3 – Manually extracting your key (Android only)

Perhaps you’re not perm-rooted, or you’re moving between major versions of Android.  The time eventually came for me when I made the mistake of installing Google Authenticator on a device I hadn’t yet rooted – my new HTC Thunderbolt.  Due to the instability of ROMs currently available for the Thunderbolt – I decided to stay stock, until the Gingerbread update appeared (which it has not).  To my disappointment the rooting methods available for the Thunderbolt all require wiping your entire device by downgrading the firmware to an engineering build.  So much for getting Titanium Backup working.  In this case – we must fall back to temp-root shell methods.  Thankfully even most locked down devices are usually able to get a temporary root shell with things like “psneuter” – look it up.  That’s all we need!

Step 1)

Get a root shell or root adb.

Step 2)

Enter the following command:

for adb

$ adb pull /data/data/com.google.android.apps.authenticator/databases/databases

for root shell

# cp /data/data/com.google.android.apps.authenticator/databases/databases /sdcard/

This will give you the databases file – either locally in the case of adb; or on the sd/external storage partition of your Android device – just copy it locally.

Step 3)

The databases file is just an sqlite database.  Open that file up with a GUI sqlite editor or the command line sqlite3 program.  I’ll assume you’re going the command line route.

$ sqlite3 ./databases
sqlite> select * from accounts;
1|user.name@gmail.com|key|0|0

The key column contains your key.

Step 4)

Set up Google Authenticator on a new device

Instead of scanning a barcode – add the account manually, with the key you just retrieved in Step 3.

Pat yourself on the back – you’ll never have to deal with setting up 2-step verification from scratch again.
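
Before retiring the old phone, it is worth confirming that the key read in Step 3 produces the same codes the old phone shows. The Python sketch below is an added example, not part of the original post: it reads rows by position as in the Step 3 output, computes the RFC 6238 code and builds an otpauth:// URI. The column names, the meaning of type 0 and the sample row are assumptions or constructed.

```python
import base64
import hashlib
import hmac
import sqlite3
import struct
import time
from urllib.parse import quote


def totp(secret_b32, at, digits=6, step=30):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 key at Unix time `at`."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding the app strips
    key = base64.b32decode(cleaned)
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def read_accounts(conn):
    """Return (label, key, type) per row, by position as in the Step 3 output."""
    return [(r[1], r[2], r[4]) for r in conn.execute("SELECT * FROM accounts")]


def otpauth_uri(label, secret_b32):
    """Key URI that authenticator apps accept as a QR code."""
    return "otpauth://totp/%s?secret=%s" % (quote(label), secret_b32.replace(" ", ""))


def sample_db():
    """Constructed stand-in for the pulled file; column names are assumed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (_id INTEGER PRIMARY KEY, email TEXT,"
                 " secret TEXT, counter INTEGER, type INTEGER)")
    # Constructed row: the key is the published RFC 6238 test key, not a real one.
    test_key = base64.b32encode(b"12345678901234567890").decode()
    conn.execute("INSERT INTO accounts VALUES (1, 'user.name@gmail.com', ?, 0, 0)",
                 (test_key,))
    return conn


if __name__ == "__main__":
    # For the real file use: sqlite3.connect("databases")
    for label, key, kind in read_accounts(sample_db()):
        if kind != 0:  # assumption: 0 marks a time-based entry
            continue
        print(label, totp(key, time.time()), otpauth_uri(label, key))
```

Treat the pulled file and any printed URI as the secret itself: delete the copy left on /sdcard and keep the key only in encrypted storage.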

8 comments

John V August 4, 2011 at 2:58 pm

In Step 3.

I had to do:
select * from accounts;

Using an ‘*’ instead of a ‘$’


dan August 5, 2011 at 7:18 pm

Good call, I’ve updated the post – that was a lousy typo on my part.


Erik September 9, 2011 at 12:57 am

Thanks a lot, method 3 saved my day! :-)

By the way, when using the root shell method, I had to replace

sqlite3 ./databases

with

sqlite3 /sdcard/databases

I also had to “su” before copying the database files…

Erik


dan December 20, 2011 at 12:25 pm

Did you at some point move the app to SD card? That might account for the location difference.


Ken October 21, 2011 at 5:56 am

Even better, using “Root Explorer” you can navigate right to the database, and view it using the built in DB viewer and copy the key right out. That sucker’s going in my KeePass so I don’t have to worry a couple years from now when I move to a new phone again :)


dan December 20, 2011 at 12:25 pm

Yes, that’s the easy, GUI way to do it!


Rob October 24, 2011 at 6:11 pm

I had some issues with my Desire. I tried cp/mv/scp, but none of the commands existed. A mate suggested I try dd, and it existed and saved my arse :)

Also, no need to write the sql query, just type .dump and it’ll dump out the entire contents of the database.

Cheers for that.


dan December 20, 2011 at 12:24 pm

You’re right.. those commands aren’t necessarily on every single phone. And regarding the SQL query, I included it in there in case future versions of the app store more data, but .dump does do a good job currently.
