It might be easier, but it’s available only once.
So you’ve set up two-factor authentication for your most important accounts — good for you! Then you realize that if you lost your phone (or whatever device you use for the 2FA), you wouldn’t be able to use it to prove you are you, and you could get locked out of those very important accounts.
In a previous article, I described how losing that second factor for a two-factor authentication (2FA)-enabled account isn’t even close to a disaster. In that case, you go through the inconvenience of an account recovery, disable and re-enable two-factor, and you’re good to go.
If you’re using Google Authenticator-based two-factor, there’s an even easier way — but you need to plan ahead, as the technique relies on something that is available exactly and only once.
Losing your Google Authenticator-compatible 2FA
If you prepare ahead of time, losing your Google Authenticator-compatible device is only a minor inconvenience. Screenshot the QR code or save the secret string during setup and store it safely for future use. This allows you to easily set up on a new device while keeping your accounts secure.
Setting up TOTP 2FA
- The account you’re setting up displays a QR code or a longish string of letters and numbers representing a “secret”.
- You use your phone to scan the QR code, or you copy/paste or enter the secret string into the Google Authenticator-compatible application, which then begins showing six-digit numbers that change every 30 seconds.
- You enter one of those numbers to confirm that the relationship has been set up properly.
- You’re done. Two-factor authentication is set up for that account.
Pretty simple, except that after you’re done (in fact, often before you’re done) the QR code or secret string is nowhere to be seen.
And it’s not recoverable: the service won’t show you that secret again. If you run the two-factor setup over, you typically get a brand-new secret, and the old one stops working.
Of QR codes & secrets
That QR code often looks like this.
Or, if a string/secret code is shown, it might look like this.
They represent the same thing. In fact, the QR code is just a different encoding of the secret string.
Once set up, that “secret” is a shared key tied to your account, held by both the service and your authenticator app. Every 30 seconds the app combines the secret with the current time (the TOTP algorithm, RFC 6238) to produce a six-digit code, and the service runs the same calculation to check what you type. A correct code proves that whoever entered it holds the secret, and because you set that secret up on your two-factor device, the service takes it to mean you.
Your one two-factor device: typically your smartphone. The one you’re worried you might lose.
Did I say one? Not if you plan ahead.
One code to enable them all
Here’s the “trick”. While it’s displayed, screenshot the QR code. Or, while it’s visible, copy/paste that secret string somewhere. Or (as I do more and more), do both.
Then continue to set up your two-factor device.
Now, at any time, you can set up an additional two-factor device simply by scanning that QR code you saved[1] or by entering the string you saved. It’ll display the same codes as your original two-factor device. Try it — it’s kinda fun to watch.
As far as your account sign-in is concerned, the two devices are indistinguishable from one another. The service only ever sees the six-digit code, and every copy of the same secret produces the same code at the same moment, so it has no way of telling which device produced it.
In theory, you could add as many two-factor devices as you like using this same secret. They’ll all display the same code at sign-in time, and any one of them will prove you are you.
I don’t recommend setting up a bunch, but I do have some recommendations.
Secret means secret
The reason the code normally disappears after you set up the first device is that it’s a secret meant to be known only to that device and to the service that issued it. That’s the most secure arrangement.
If you keep a copy of the code — be it by taking a screenshot or by copying the secret string — you must now keep that information secure. Anyone with access to it could set up their own two-factor device for your account and generate valid codes, and you’d have no way of knowing. Obviously, that’s not something you want. One caveat: a screenshot taken on a phone usually lands in the photo library, which may be backed up to a cloud photo service automatically, so move it somewhere you’ve deliberately secured rather than leaving it there.
I keep mine in an encrypted location only I have access to.
And I don’t need it often. Ideally, I’ll never need it, but stuff happens — which leads to my second recommendation: don’t set up a second two-factor device until you need to.
Here’s the scenario everyone worries about: they lose their smartphone with the two-factor app on it. No problem! You replace your phone, install the 2FA app of your choice, rescan your saved QR code (or enter the secret text), and you’re back in business, simple as that.
Save your two-factor setup codes. Either screenshot the QR code or save the secret text string. Whichever you do, store it somewhere secure you can access later should you ever need to.
Hopefully, you’ll never need to, but it’ll make life just a little easier if you do.
Footnotes & References
1: And yes, that’s a real account QR code in the example you could scan. It’s no longer associated with any account, so it’ll do you no good, but you could.