Using an authenticator app for two-factor authentication (2FA) is safer than SMS messages, but what if you change your phone? Here’s how to move your 2FA accounts if you use Microsoft Authenticator.
Previously, we looked at transferring 2FA accounts in Google Authenticator to a new phone. We found that there is no way to export all of your accounts and then import them on a new phone. You must manually re-create each 2FA account on your new phone.
Fortunately, Microsoft Authenticator provides backup and recovery options. Note that 2FA is designed to make it very difficult to access your account unless you have the 2FA code. Most accounts provide a backup code if your phone is lost or damaged.
Make sure you have a copy of the backup code for each account before you try to change your authenticator. You can then use it if you experience problems while trying to recover your account.
Activate Backup Options on your Old Phone
To restore your accounts on a new phone, you must first enable the backup option on the old one. To do this, open Microsoft Authenticator. Tap the three vertical dots at the top right, then tap “Settings.”
In the “Backup” section, enable “Cloud Backup” on Android phones, or “iCloud Backup” on iPhone.
Your accounts will then be backed up to the Microsoft account that you used when you first set up Microsoft Authenticator. On iPhone, you also need an iCloud account.
If you are wondering what is actually being backed up, it’s quite simple. Your account name and username, verification code, and various metadata, such as when the backup was made, are all included.
Authenticator creates an encrypted JSON Web Encryption (JWE) blob using AES-256. It then hashes the data using SHA-512 and adds the hash to the JWE before saving the file and its Key ID in your account. A detailed description of the backup and storage process is available if you want to dive a little deeper.
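The paragraph above names JWE, AES-256, SHA-512 and a Key ID. As an added example (not code from Microsoft or from this article), the Python below checks that a JWE in the standard compact serialization (RFC 7516) declares an AES-256 content-encryption algorithm and carries an IV and tag of the matching size. The compact layout, the `dir` key mode, the `example-key-id` value and the sample token are assumptions constructed for illustration; the page does not give the actual layout of the backup blob.

```python
import base64
import json

# Content-encryption algorithms from RFC 7518 that use a 256-bit AES key,
# with the IV and authentication-tag sizes each one requires (in bytes).
AES256_ENC = {
    "A256GCM": {"iv": 12, "tag": 16},
    "A256CBC-HS512": {"iv": 16, "tag": 32},  # AES-256-CBC + HMAC-SHA-512
}

def b64url_decode(segment: str) -> bytes:
    """Decode base64url text that has had its '=' padding stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def inspect_jwe(compact: str) -> dict:
    """Return header facts for a compact JWE, or raise ValueError."""
    parts = compact.split(".")
    if len(parts) != 5:
        raise ValueError("compact JWE must have exactly five segments")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    enc = header.get("enc")
    if enc not in AES256_ENC:
        raise ValueError(f"content encryption {enc!r} is not AES-256")
    iv, tag = b64url_decode(parts[2]), b64url_decode(parts[4])
    want = AES256_ENC[enc]
    if len(iv) != want["iv"] or len(tag) != want["tag"]:
        raise ValueError("IV or tag length does not match " + enc)
    return {"alg": header.get("alg"), "enc": enc, "kid": header.get("kid"),
            "ciphertext_bytes": len(b64url_decode(parts[3]))}

def make_sample(enc: str, iv_len: int, tag_len: int) -> str:
    """Build a constructed token: zero-byte filler, not real ciphertext."""
    # "dir" means no wrapped key, so the second segment is empty (assumption).
    header = {"alg": "dir", "enc": enc, "kid": "example-key-id"}
    segments = [json.dumps(header).encode(), b"", bytes(iv_len),
                bytes(48), bytes(tag_len)]
    return ".".join(b64url_encode(s) for s in segments)

if __name__ == "__main__":
    print(inspect_jwe(make_sample("A256CBC-HS512", 16, 32)))
```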
Use Recovery Options on your New Phone
Next, install Microsoft Authenticator on your new phone. Download it from Google Play for Android or the Apple App Store for iPhone. Do not set up any accounts in Microsoft Authenticator until after you use the Recovery tool, because recovery will overwrite any matching account.
For example, suppose you set up 2FA for the Gmail account email@example.com in Authenticator on your new phone, while Authenticator on your old phone contained the Gmail account firstname.lastname@example.org. The Recovery tool will overwrite the email@example.com account that you added to Authenticator on your new phone with the firstname.lastname@example.org account that is in your backup.
To use the Recovery tool, open Microsoft Authenticator on your new phone, then tap “Start Recovery.”
You will be asked to log in to the Microsoft account that you used for the backup on your old phone. Your accounts will then be automatically added to Microsoft Authenticator on your new phone.
Revalidate the New and Delete From the Old
Some accounts will ask you to revalidate, either by logging in to the account or by scanning a QR code. Microsoft Authenticator will display a message if you need to do this. This is basically the same process that you went through when you initially set up the account.
It is also important to delete the accounts from your old phone. However, don’t do this until you have tested and made sure you can access each account on your new phone through Microsoft Authenticator.
To delete an account from your old phone, open Microsoft Authenticator on it. Tap the account that you want to delete, then tap “Delete Account.”
You also need to open each of your 2FA accounts and check whether your old phone is still listed as a valid authentication device; if so, remove it.
After you delete all accounts from Authenticator on your old phone, you can delete the application too. From this moment onwards, only your new phone will give you a 2FA code.