Backup and Restore Codes

[npmccallum]

Reported by stephenjudge on 8 Mar 2014 17:44 UTC Many sites that offer two factor authentication offer a method to recover access to your account should you loose your authentication device, this is usually SMS authentication or a set of printable codes. However some sites and OTP implementations don't have such a feature and if you loose your authentication device, you loose access to your account.

An example of this is if you add the Google Authenticator plugin to a self-hosted Wordpress blog. The plugin does not provide a secondary method of authentication. In their FAQ there is this question:

"'''Can I create backupcodes'''?

''No, but if you're using an Android smartphone you can replace the Google Authenticator app with Authenticator Plus. It's a really nice app that can import your existing settings, sync between devices and backup/restore using your sd-card. It's not a free app, but it's well worth the money.''"

This proprietary app, Authenticator Plus, does look very nice and has some nice features, but the most beneficial I think is its ability to backup and restore codes.

This could be a huge addition to FreeOTP and I would like to request that someone considers this feature and looks at a way of implementing it. I am not able to code myself.

[tripolskypetr]

At this moment I'm using https://2fa-pwa.github.io due to the lack of a token export feature. The source code is in public domain. Might be useful

[bazichs]

Thanks for pointing the app out. In the end the email provider reset the access and the problem was solved with the situation I mentioned.

[fizzlifax2]

I am a little bit shocked!? - Is there really no option in this app to make an encrypted backup from the app!? - Do I always have to use the commandline? - Or did I understand this wrong? - A ascii-file on a smartphone as backup seems me too dangerous!?, since the access is often tricky. I personally would like to put the datafile on my cloud-device like dropbox - where I could do by simple copy any backup myself. But the frickeling on a Android device makes me completely moonstruck since with every version and subversion there are changing the access-rights and I wants never have to do with such a bloody nonsense... - With this solution I could access from anywhere I would need the app and have access to my accounts. And so I would get access from a computer to print the codes for supplemental security also. Thanks a lot in advance for taking the ideas of some special user in consideration. fi

[michaelCTS]

It's a real pity this app doesn't support backups/exports. A simple password protected archive could be the solution.

Are there any alternative opensource apps that do support backups/exports?

[williamdes]

It's a real pity this app doesn't support backups/exports. A simple password protected archive could be the solution.

Are there any alternative opensource apps that do support backups/exports?

Sure ! use andOTP It works great and has backups

Ref: https://github.com/freeotp/freeotp-android/issues/20#issuecomment-636231569

[michaelCTS]

Thanks @williamdes . I also found FreeOTP+ which does all that and more :)

[keinstein]

I just came across this site. The App doesn't promise anything except:

• The person who adds a code can be sure that nobody else can extract it. This is not a promise to the server and not a promise to the employer of the person.

This promise makes only sense, if the code is added in a controlled environment. Many other apps make a similar promise allowing backups. Their promise is: Only the person who installed the app can decrypt the backup. Actually a higher level of security cannot be achieved as the codes are stored on the server and also server admins have the means to get the secret in clear text.