I recently became aware of ‘two-factor authentication’ (2FA). This is a means by which one can add another level of protection to online accounts. There are several apps that provide this service: I opted for the Google Authenticator (GA), as it was already installed on my own phone. But then, after looking into it some more, I realised that there was a potential problem: if my phone were to become lost, broken, or stolen, or if the app were to cease to function, I could potentially be locked out of the services on which I’d enabled 2FA — since it’s not possible to back up the codes in GA.
One solution to this conundrum would be to use an authenticator like Authy, which does provide back-ups. However, it backs up to ‘The Cloud’ — and I don’t (yet) trust that. (What if the Cloud back-up were to be compromised?)
After much investigation and cogitation, I found a solution. Unfortunately, it’s one that requires a bit of preparation.
The problem is that the ‘QR codes’ that are generated whenever one sets up 2FA in a service account are one-time-only: as soon as you navigate away from the page that shows the QR code, the code is lost forever. This may well be by design, as the codes should remain secret.
The solution is simple: before navigating away from that page, take a screenshot of the code and save it somewhere. Unfortunately, for some reason I’ve yet to fathom, the PrtSc button on my keyboard no longer works. But on Windows systems, there’s an alternative: the ‘Snipping Tool’ application, which facilitates partial screen capture. And since all we need to do is to copy the QR code, that’s perfect:
Capture the QR code for each account on which 2FA is set up, paste each one into a document, save the document somewhere safe: and, bingo! If the phone is lost or broken, or if the app fails for some reason and needs to be reinstalled: simply re-scan the QR codes into the new installation of Google Authenticator, and you’re all set to go again :)
A couple of caveats:
- You may want to consider encrypting the file(s) containing your QR codes, perhaps using a tool like Gpg4win.
- If your phone is stolen, it may be worth considering setting up new codes in GA anyway, as the originals would be compromised. They’re no good without the passwords to the accounts, but better safe than sorry.