Last week, at least three months ahead of expectations, Google leaked the design for its upcoming Pixel 4 phone. Why the tech giant prematurely exposed its plans isn’t entirely clear. What the design itself does make clear is that when security-minded consumers upgrade their devices, they will have to take a few extra steps to migrate their two-factor authentication apps.
Two-factor authentication, also known as 2FA, works in several ways, all of which result in delivering to the user a one-time, second password or passcode for accessing accounts. It’s like using a debit card with a PIN, but the PIN, which changes each time, can be used with a wide range of services from companies including Google, Apple, Facebook, Amazon.com, Microsoft, PayPal, Slack, Twitter, Dropbox, Nintendo, and Twitch.
The most basic (and least secure) of this method of securing accounts involves sending the one-time code over text message or email. The most secure method today trusts a USB key that generates new codes when you lightly press your finger against it.
Somewhere between the two methods stands a middle ground: Use an app on your mobile device to generate that one-time code. Several apps do this for multiple services, and they all function in similar fashion. Once installed, you associate the app with the account, and the app generates a one-time code that expires within minutes.
While many services (such as Facebook, Twitter, and Yahoo) offer their own in-app one-time code generator, some people prefer the convenience of using one code-generating app that supports multiple services. One of the more apparent benefits of these apps is that they work even when your phone is in the non-transmitting Airplane Mode or otherwise offline. Google (download for Android or iOS) and Microsoft (download for Android and iOS) each make one, as does password manager LastPass, which offers a one-tap authentication option; and Authy.
Because these apps tie themselves to a specific device, you can’t simply move the app to a new phone or tablet and expect it to work. There are a few steps you need to take first. Here’s how the migration process works for the most popular two-factor authentication apps.
- On your computer, log in to the Google two-step authentication page.
- Scroll down to the Authenticator App section, and click Change Phone.
- A pop-up window will ask you to select which type of mobile operating system you are using, Android or iOS.
- Switch to your new device. Install and open the Google Authenticator app, then tap Begin setup and Scan barcode.
- Use the new device to scan the barcode, then enter the code on the screen, and click Verify.
- Each service for which you use the app to authenticate your identity must be manually switched to Authenticator on the new device by going to the service’s two-factor authentication page.
- Delete each service from Authenticator on the old device, then uninstall the app.
- Log in to your Microsoft account on your computer, then click “Security” and then “More security options.”
- Select “Set up identity verification app,” then “Set up different verification app.” A barcode will appear on your screen.
- Switch to your new device, install the Microsoft Authenticator app, and scan the barcode.
- Enter the code that appears on your computer.
- As with Google Authenticator, you’ll need to manually add each service for which you use Microsoft Authenticator on the old device to the app on the new device.
- Delete the services from the app on the old device, then uninstall the app.
There are two ways to move the LastPass Authenticator to a new device. Similar to Google and Microsoft’s authentication apps, you can install the app on your new phone or tablet, verify it with the service, and manually switch your accounts before removing the old app. LastPass offers a cloud backup service for its Authenticator to make migration to a new device easier—but it requires using the LastPass Password Manager app as well.
- On the old phone or tablet, open the LastPass Authenticator, and tap the three-line Options menu.
- Enable the option Backup to LastPass.
- Once LastPass Authenticator has been backed up, switch to the new phone or tablet, install the app, and log in.
- Tap “Restore from backup.”
- Delete the app from the old device.
As with LastPass, Authy offers a synchronization feature for moving already-registered authentication security tokens to new phones or tablets.
- In the Authy app on the old device, tap Settings, then the Devices tab, then “Allow multi-device.”
- Switch to the new phone or tablet, and install the app. Authy bases your account on your phone number and will request that you enter it into the new device.
- Authy will ask to verify your account in one of three ways: using your old device, by phone, or by SMS. Select Use Existing Device, if the option is available. Tap the pop-up window on the old device to approve it. (On an Android, the pop-up window will offer “Accept” or “Deny”; on an iPhone, you will have to type the word “Yes” into the text field and tap OK.)
- Accounts on Authy will now appear with a red padlock next to them. To unlock each account, tap on the red padlock, then enter your Authy password.
- If you plan on getting rid of the old device, repeat step 1 to deactivate multi-device use on the new phone or tablet.
- Delete the app from the old device.