How to Safely Change Two-factor Authentication

A little planning is called for.

by

Changing two-factor authentication apps isn’t hard, but doing it incorrectly can lock you out of your accounts. Here’s a safe step-by-step approach to make the switch smoothly, protect your access, and keep your accounts secure.
two smartphones each displaying a two-factor app and code, with a floating arrow pointing from one smartphone to the other
(Image: ChatGPT)
Question: I’d love to hear your feedback about how to correctly move to a different 2FA app (on a mobile device). I’ve read that removing a 2FA account from an Authenticator app can cause issues, potentially locking you out of your account. If I wanted to move my 2FA codes/accounts to a different authenticator app, what is the recommended way to do this?

Safety, or more specifically not getting locked out of your account, is a common concern when it comes to switching your two-factor authentication app or technique.

Sometimes you can move an app-based 2FA from one app to another, but a) it’s not terribly common, and b) not everyone uses this type of two-factor app. When using SMS or other forms of two-factor authentication, there’s no secret key or anything to share even if you could.

The good news is that my approach is conceptually simple and works with all forms of two-factor authentication.

You just need a little preparation.

TL;DR:

Change two-factor authentication

To safely switch two-factor apps, sign in first, prepare recovery options, and be at a trusted location on a familiar device. Turn off your old 2FA and then turn it back on with the new app. Always save recovery codes so you’re never locked out.

“Have you tried turning it off and back on again?”

Here’s the approach I recommend.

  • Turn two-factor authentication off on the account, or, if you have more than one form of 2FA enabled, turn off the specific technique you want to move.
  • Turn two-factor authentication back on, this time using the app, device, or technique you want to move to.

But wait!

Before you run off and do that, there’s some important preparation to do so that nothing trips you up along the way. We do want to do this safely, after all.

Ask Leo! is temporarily Ad-Free!
Help make it permanent by becoming a Patron.

Related


I Lost My Phone With My Second Factor for Authentication. How Do I Recover?

 Losing your phone can lock you out of your accounts if it’s your second factor for authentication. Here’s how I recovered while traveling, the backup options that saved me, and the steps you can take now so you’re never stuck without access.
#145351

You must be signed in

I can’t stress this enough. Many people want to change their two-factor authentication method specifically because they can’t sign in; they’ve lost the old one, or it’s not working.

That’s not how this works. Your ability to sign in proves you have the right to make the change. If you can’t sign in, then for all the service knows, you’re some random hacker trying to break in. You know and I know you’re not, but the service has no way to confirm it unless you are able to sign in.

If you’re having trouble signing in, particularly due to your existing two-factor not working, you’ll need to use the account recovery techniques offered by whatever service you’re using. Once you’re signed in, you can (and should) set up a new two-factor mechanism.

Being signed in may not be enough

This might seem counterintuitive, but having successfully signed in may not be enough, at least to remove the existing two-factor authentication. Some services ask for additional confirmation that you are who you say you are.

Similarly, if you’re trying to make this change while traveling, the service may also think that suspicious and throw up additional authentication challenges.

Related


Two-Factor Might Be Hackable. USE IT ANYWAY!

 Another scare about two-factor authentication being hackable? DO NOT let that stop you from using it.
#69599

My recommendation:

  • Do this while you’re home.
  • Use a computer you’ve signed into recently, particularly one where you’ve used “remember me” or its equivalent.
  • Make sure you have access to all the account recovery methods associated with that account. This means access to all phone numbers and email addresses that might be used. In addition, if you have specific recovery codes associated with the existing two-factor authentication technique, make sure you have those within reach.
  • If you have another device that is currently signed into the account, have that nearby in case notifications are sent to it.

When you remove the existing two-factor, either of two things will generally be required:

  • You’ll be asked to provide a code shown by or sent to the existing two-factor technique.

Or, if you don’t have that available:

  • You’ll be asked to use one of the additional recovery techniques previously set up with your account.

If you can’t confirm that you are who you say you are with one of those techniques, you may not be able to remove the second factor. That could put you at risk of being locked out of your account.

My own recent experience

I recently went through this exact scenario. Proton introduced its own two-factor authentication application that works on both desktop and mobile. My prior tool, Authy, ended desktop support some time ago.

I’d moved all of my two-factor codes to 1Password (the convenience far outweighs a teeny tiny decrease in security, and it makes two-factor much easier to deal with). Unfortunately, I faced a chicken-and-egg scenario. My 1Password account is itself protected by two-factor authentication, but that’s one code that, while I can (and do1) store in 1Password, it’s impossible to use from there (the chicken and egg: you need the code to open 1Password, but you’d need 1Password to already be open to get the code). So, in addition, I’d kept Authy running on my phone specifically for that.

So, I:

  • Disabled two-factor in 1Password and removed its entry from Authy.
  • Re-enabled two-factor in 1Password, this time setting it up with Proton Authenticator.

The move went smoothly, and I can access the codes from my desktop once again if I need to.

Do this

Above all, use two-factor authentication. Make sure to save all the account and 2FA recovery information created or set along the way so as to make any future changes seamless.

Also, subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

Podcast audio

Play

Download (right-click, Save-As) (Duration: 8:56 — 8.3MB)

Subscribe: RSS

Related Video

Footnotes & References

1: I store it there anyway, but clearly not for actual use. It’s just another way for me to securely save the 2FA secret key.

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Additional information is available at https://askleo.com/creative-commons-license/.