Update 2012-12-06: As has been mentioned in the comments, there’s now support from Google for attaching 2-step verification to a new device and removing it from the current device. That process should be used going forward, however the info here is still interesting from a historical perspective.
Adding 2-step verification (not sure why they just can’t call it what it is: 2 factor authentication) to Google accounts is one of the smartest things the company has ever done. Anything as central to one’s identity as an e-mail account should be protected with the utmost vigilance. That’s not to say that it’s a) easy, or b) perfect. It isn’t. On the ease of use front – few people other than the most geeky of my friends have bothered to implement it. Two factor authentication is difficult for some people to understand, but most people get along just fine with the RSA tokens issued to them by their work or bank (although they aren’t exactly sporting the best security record this year). The complication for Google comes in the way that they’ve decided to implement per-application passwords. But no matter; this has been reviewed to death. The fact is that 2-step verification adds a TON of security to your Google account, and no matter how difficult it is to use, just use it.
My issue with the system is that there are a couple of traps that are easy to fall into; and the only way out is to go through the process of setting up 2-step verification all over again; loosing any per-application passwords you’ve created (which in my case is a lot). Once you’ve got your barcode or key once to set up a mobile Authenticator app – you can’t get it again. One shot, no do-overs. Need to move your Google Authenticator to a new mobile device? Tough. I find this hugely annoying and would like to save others the wasted time I have spent on a couple of occasions now, starting from scratch. The crux of the issue is that the Google Authenticator app gives you no easy way to retrieve the hidden key, or move it to another device. Changing the device on the Account Security page forces you to remove and re-enable 2-factor authentication. So I’m going to show you 3 ways to move the key yourself.
Method 1 – For the brand new user
First off, if you’ve never set up Google Authenticator before, here’s a crucial tip – when you are prompted to scan the barcode containing your account key by the Android app – do a screenshot ! Keep that screenshot very safe; you can easily use it to set up a different device in the future. Or if you want – just copy the “Key” that’s listed if you click the + beside “Can’t scan the QR code”. It’s just as good. You’re done; be thankful folks like me have wasted our time blazing the trail so you can walk along it.
Method 2 – For the rooted user (Android only)
If you’re rooted – fear not, Titanium Backup will easily backup and restore the Google Authenticator user data; and along with it let you restore that onto a new device. Potential caveat – if you’re backing up and restoring on totally different versions of Android (say 2.2 to 2.3) this may not work correctly. In which case – go for method 3 below
Method 3 – Manually extracting your key (Android only)
Perhaps you’re not perm-rooted, or you’re moving between major version of Android. The time eventually came for me when I made the mistake of installing Google Authenticator on a device I hadn’t yet rooted – my new HTC Thunderbolt. Due to the instability of ROMs currently available for the Thunderbolt – I decided to stay stock, until the Gingerbread update appeared (which it has not). To my dissapointment the rooting methods available for the Thunderbolt all require wiping your entire device by downgrading the firmware to an engineering build. So much for getting Titanium Backup working. In this case – we must fallback to temp-root shell methods Thankfully even most locked down devices are usually able to get a temporary root shell with things like “psneuter” – look it up. That’s all we need!
Step 1)
Get a root shell or root adb.
Step 2)
Enter the following command:
for adb
$ adb pull /data/data/com.google.android.apps.authenticator/databases/databases
for root shell
# cp /data/data/com.google.android.apps.authenticator/databases/databases /sdcard/
This will give you the databases file – either locally in the case of adb; or on the sd/external storage partition of your Android device – just copy it locally.
Step 3)
The databases file is just an sqlite database. Open that file up with a GUI sqlite editor or the command line sqlite3 program. I’ll assume you’re going the command line route
$ sqlite3 ./databases sqlite> select * from accounts; 1|user.name@gmail.com|key|0|0
The key column contains your key.
Step 4)
Setup Google Authenticator on a new device
Instead of scanning a barcode – add the account manually, with the key you just retrieved in Step 3.
Pat yourself on the back – you’ll never have to deal with setting up 2-step verification from scratch again.
By Uppgraderat mobilen. | Fredrikhimlen.se August 1, 2011 - 10:20 pm
[...] som var viktigast att fixa tillbaks. Lyckligtvis hittade jag en guide för hur jag skulle göra, http://cadince.com/3-ways-to-move-google-authenticator/ och det slutade i att jag lyckades dra igång med rätt inställningar. Underbart. En annan vinst [...]
By John V August 4, 2011 - 2:58 pm
In Step 3.
I had to do:
select * from accounts;
Using an ‘*’ instead of a ‘$’
By dan August 5, 2011 - 7:18 pm
Good call, I’ve updated the post – that was a lousy typo on my part.
By Erik September 9, 2011 - 12:57 am
Thanks a lot, method 3 saved my day!
By the way, when using the root shell method, I had to replace
sqlite3 ./databases
with
sqlite3 /sdcard/databases
I also had to “su” before copying the database files…
Erik
By dan December 20, 2011 - 12:25 pm
Did you at some point move the app to SD card? That might account for the location difference.
By Ken October 21, 2011 - 5:56 am
Even better, using “Root Explorer” you can navigate right to the database, and view it using the built in DB viewer and copy the key right out. That sucker’s going in my KeePass so I don’t have to worry a couple years from now when I move to a new phone again
By dan December 20, 2011 - 12:25 pm
Yes, that’s the easy, GUI way to do it!
By Rob October 24, 2011 - 6:11 pm
I had some issues with my Desire. I tried cp/mv/scp, but none of the commands existed. A mate suggested I try dd, and it existed and saved my arse
Also, no need to write the sql query, just type .dump and it’ll dump out the entire contents of the database.
Cheers for that.
By dan December 20, 2011 - 12:24 pm
You’re right.. those commands aren’t necessarily on every single phone. And regarding the SQL query, I included it in there in case future versions of the app store more data, but .dump does do a good job currently.
By giopas January 19, 2012 - 9:21 am
Thank you. I’ve just discovered this too late, but now the code is backed-up and safe on KeePass (with Root Explorer was even too simple to do)!
By Harald February 13, 2012 - 3:24 am
It’s not necessary anymore. You can simply switch phones by temporarily disabling two step authentication, your application specific passwords will be restored after you have re-enabled it and set up your new phone.
By dan March 13, 2012 - 10:00 am
That’s good news.
By Ilya July 5, 2012 - 5:58 pm
Your application-specific passwords are restored, but the configuration of your Authenticator is lost, so you have to pair it again.
Some of us use Google Authenticator for more than Google log-ins (e.g. pam_google_authenticator), so we have even more pairing to do. That’s why backing up the database is a good idea.
By Kevin Cox October 30, 2012 - 2:31 pm
Google does restore the app passwords but things like dropbox or the pam module don’t.
By Samsung Galaxy SII and ICS 4.0.3 | frl1nuX February 18, 2012 - 10:04 am
[...] Before I forget, a nice article on how to restore your google authenticator keys to the new ROM the manual way: http://cadince.com/3-ways-to-move-google-authenticator/ [...]
By john June 8, 2012 - 1:08 am
You don’t need root. If you move authenticator to sdcard, the database will be at /sdcard/databases which is world readable.
By Bart Dorlandt June 15, 2012 - 12:33 pm
Recently Google Authenticator has been updated, so you can sync the internal clock. This way you can even have it running on 2 devices. Or switch between ICS and Gingerbread and doing a sync of the internal clock of the Authenticator APP afterwards.
Just tested it and it works. (timers are almost in sync between 2 devices)
By Sam June 15, 2012 - 6:23 pm
Hello,
thank you for this wonderful article. But, I need your help in my case which is slight different.
I had setup Google 2-step authentication in my iPhone and uninstalled it from there without taking backup of my secret key.
Now I am trying to setup this on android phone. Is there any luck for me ?
Thank you once again!
By Kevin Cox October 30, 2012 - 2:35 pm
You have probably solved it already but I will post this for others.
No. If have an apple dev whatever they call it you might have a chance. But Google will let you login and create a new seed, if you don’t have a trusted computer you will have to use the backup codes that you printed out (you printed them out right?) when you enabled 2FA initially.
By DM June 23, 2012 - 9:21 am
Brilliant. Thanks.
By Ilya July 5, 2012 - 5:59 pm
Take note that in the new version of Google Authenticator, the path is /data/data/com.google.android.apps.authenticator2/databases/databases.
(Note the added ’2′.)
By Jayprog July 12, 2012 - 4:12 am
Why do you need to go all this way?
Just go to Google Account settings and generate application specific password, setup the Google Authenticator app on your new phone manually, key in the code from Google highlighted in yellow.
You are done.
If you are using any Android device its time you install this backup app called App Backup & Restore from Google Play. It works wonders.
You can restore all your apps after a complete flash, the other good thing is that you save on data because you do not have to have every app re-updated after a complete flash because App Backup & Restore keeps the recent updates on your SD card. You can also choose to have two versions of every app on your phone auto saved.
Direct link https://play.google.com/store/apps/details?id=mobi.infolife.appbackup&feature=search_result#?t=W251bGwsMSwyLDEsIm1vYmkuaW5mb2xpZmUuYXBwYmFja3VwIl0.
By Jason Matsoukas July 13, 2012 - 7:59 am
I did that once and at some part of the process, it showed me the QR code to scan.
Now I am trying to re-authenticate (fresh install) but I cannot find anywhere the QR code that needs to be scanned.
Any help??
By Mover el Google Authenticator a otro celular « khoyot3 July 25, 2012 - 6:26 am
[...] http://cadince.com/3-ways-to-move-google-authenticator/ [...]
By Perno July 25, 2012 - 8:06 am
Can’t you just add an appliction-specific password for Authenticator? That’s what I just did, and it seems to be working.
By Ilya August 25, 2012 - 4:46 pm
If you’re new Android device isn’t rooted, you can still easily import your database — use my script to re-generate QR codes out of your ‘database’ file:
https://github.com/ikonst/authenticator-import
This script it completely local, and doesn’t send your info to me. If you want to be secure, , download the Zip and use it locally.
By Dmitri Kononchuk December 14, 2012 - 1:58 am
Ilya,
Nice tool. Working like a charm…
By Backing up Google Authenticator Data August 29, 2012 - 6:14 pm
[...] 49 3 Ways To Move Google Authenticator To A New Device [...]
By piCool13 September 12, 2012 - 9:50 pm
Nice job man but u have to more informative on applying commands. Nice tutorial for experts but for a newbie it wud have be much difficult to get the result.
Anyway its works for me nd retrieved my key.
Thanks.
By Nikhil September 25, 2012 - 11:36 pm
Awesome stuff! Thanks a ton.
Tried the GUI way. I had no clue database viewing was this simple!
By Kevin Cox October 30, 2012 - 2:42 pm
Everything is that simple, you eventually stop thinking about it.
“What! You need to use the command line to do a find and replace? Linux is so hard!”
“Did you want to open up 50 files and run the find and replace individually?”
Replace “linux” and “find and replace” with any action and well designed system.
By Kweesong Chua October 22, 2012 - 6:09 am
Dear Sir,
I had reformatted my iphone. Now I re-install the google authenticator.
How can I get the “key”
Thanks.
Regards
William Chua
By Jason Matsoukas November 5, 2012 - 12:34 am
So what happens if you installed it on a device and then had that device lost/formatted or whatever?
No way for a new install?
By Matteo December 2, 2012 - 3:16 am
Many thanks!
It works!
I have modified position in:
/data/data/com.google.android.apps.authenticator2/databases/databases
By Stephanie Harris December 3, 2012 - 11:12 am
I installed and activated the Google 2-Step authenticator on my android device. I’ve since gotten an iPhone and when I go to open Google Authenicator up it’s prompting me to enter a “key”. I have no idea what this is. I am very frustrated as I cannot access me email on desktop or my new phone!!! What do I need to do?
By How to Move Your Google Authenticator Credentials to a New Android Phone or Tablet - Phone Fair December 7, 2012 - 5:30 am
[...] to Dan over at cadince for inspiring much of this post! Android, Gadgets, Google, Mobile [...]
By How to recover your google auth database | frl1nuX January 25, 2013 - 2:07 pm
[...] I seem to be forgetting this all the time so there you go, linked from another article: http://cadince.com/3-ways-to-move-google-authenticator/ [...]
By Sargate February 2, 2013 - 6:31 am
Backdrop root is an app that resolves the issue
By Google Authenticator without a phone | Onions are delicious March 19, 2013 - 11:32 pm
[...] have the SD card and a nandroid backup. From this backup, I can recover the secret key. I followed this very helpful blog post, and here are the commands I [...]