Using an authenticator app for two-factor authentication (2FA) is more secure than SMS messages, but what if you switch phones? Here’s how to move your 2FA accounts if you use Microsoft Authenticator.
Fortunately, Microsoft Authenticator provides a backup and recovery option. Note that 2FA is designed to make it extremely hard to access an account unless you have the 2FA code. Most accounts provide backup codes you can use if you’ve lost or damaged your phone.
Make sure you have a copy of the backup codes for each account before you attempt to change your authenticator device. You’ll then be able to use those if you experience any issues when trying to recover your accounts.
Pasi de urmat
If you need to recover your accounts on a new phone, you’ll have to turn on the backup option on your old one. To do this, open Microsoft Authenticator. Tap the three vertical dots at the top right, and then tap “Settings.”
In the “Backup” section, toggle-On “Cloud Backup” on an Android phone, or “iCloud Backup” on an iPhone.
Your accounts will then be backed up to the Microsoft account you used when you first set up Microsoft Authenticator. iPhones also require that you have an iCloud account.
If you’re concerned about what’s actually backed up, it’s pretty straightforward. Your account and usernames, verification code, and various metadata, such as the time at which the backup was created, will all be included.
Authenticator creates an encrypted JSON Web Encryption blob (JWE) file using AES-256. It then hashes the data using SHA-512, and adds it to the JWE before storing the whole file and Key ID in your account.
Next, you’ll need to install Microsoft Authenticator on your new phone. Download it from the Google Play for Android or the Apple App Store for iPhone. Don’t set up any accounts using Microsoft Authenticator until after you’ve used the Recovery tool because it will overwrite matching site accounts.
To use the Recovery tool, open Microsoft Authenticator on your new phone, and then click “Begin Recovery.”
You’ll be asked to sign in to the Microsoft account you used for the backup on your old phone. Your accounts will then automatically be added to Microsoft Authenticator on your new one.
Some accounts will require you to revalidate, either by signing in to those accounts or scanning a QR code. Microsoft Authenticator will display a message if you need to do this. It’s essentially the same process you went through when you set up the account originally.
It’s also important to remove the accounts from your old phone. However, don’t do this until you’ve tested and made sure you can access these accounts on your new phone via Microsoft Authenticator.
To remove an account from your old phone, open Microsoft Authenticator on it. Tap the account you want to remove, and then tap “Remove Account.”
You should also open all your 2FA accounts and see if your old phone is still shown as a valid authentication device; if it is, remove it.
Once you’ve removed all the accounts from Authenticator on your old phone, you can remove the app, as well. From this point onward, only your new phone will provide 2FA codes for you.