Google Authenticator finally syncs your security codes between devices

Turn on the sync feature in the updated Google Authenticator app for iOS and Android to avoid a lockout crisis if you lose the device or buy a new one.

UPDATE (April 27, 6am PT): Mysk security researchers issued an advisory on Twitter, saying syncing doesn’t use end-to-end encryption. In other words, the secrets Google backs up are stored on its servers in an unencrypted form, which exposes you to bad actors and decreases security. Mysk researchers advise turning the syncing feature off until Google resolves this. The original article continues below.

The cloud syncing prompt in Google Authenticator for iPhone
You must manually turn on syncing | Image: Christian Zibreg/iDB
  • The Authenticator app has been refreshed with the ability to synchronize two-factor authentication (2FA) codes between devices using your Google account.
  • Authenticator users are now much better protected from lockout because the app can optionally retain access to the saved passwords and 2FA codes.
  • The new feature requires Google Authenticator 4.0 on iOS.

You can now sync Google Authenticator across devices

With two-factor authentication, you must supply your username, password and a one-time security code sent via SMS or generated by an authenticator app.

This change is significant because losing your phone or deleting Authenticator no longer puts you at risk of being unable to access your online accounts.

Before, 2FA codes for each account in the app were saved locally on the device. They wouldn’t sync between devices, and you had to add the same online account to Google Authenticator on another device to access it from there.

iDownloadBlog has acknowledged this issue by creating a tutorial to walk users through transferring Google Authenticator 2FA codes from one iPhone to another.

Google Security Blog:

One major piece of feedback we’ve heard from users over the years was the complexity in dealing with lost or stolen devices that had Google Authenticator installed. Since one-time 2FA codes in Authenticator were only stored on a single device, a loss of that device meant that users lost their ability to sign in to any service on which they’d set up 2FA using Authenticator.

Further information is available in the Google Account Help.

Improved visuals and a new icon

The splash screen in Google Authenticator 4.0 for iPhone
You can also sync your passwords via iCloud Keychain | Image: Christian Zibreg/iDB

Aside from syncing, other new features in Google Authenticator include a new app icon and illustrations that Google describes as “modern and user-friendly,” with enhanced visuals making Authenticator “more visually appealing.”

Google’s description of the changes in Authenticator for iOS 4.0:

  • Cloud syncing: Your Authenticator codes can now be synced to your Google Account and across your devices, so you can always access them even if you lose your phone.
  • New icon and illustrations: The app has been updated with a new icon and illustrations that are more modern and user-friendly
  • Improved UX and visuals: We’ve made the app easier to use and more visually appealing

If you don’t want to sync 2FA codes, don’t log into a Google account when prompted. Instead, tap “Use Authenticator without an account” at the prompt. Doing so keeps sync disabled and lets you continue using the app in a single-device mode.

How to sync Google Authenticator passwords and 2FA security codes

Signing in with a Google Account to the Authenticator app on iPhone
You can continue using Authenticator without signing in | Image: Christian Zibreg/iDB

Google Authenticator now supports backing up your passwords and 2FA codes in the cloud and syncing them across devices using a Google Account.

Sign into your Google account when prompted in the Authenticator app to turn on syncing. You must do this on any new device where you use the app.

Should you use authenticator apps at all?

Until recently, the answer to this question was a resounding yes.

On the other hand, the catastrophic LastPass breach has demonstrated that you should be wary of trusting third parties with your passwords and security codes. Now that LastPass is out of the picture, other apps like 1Password have maintained that their systems are secure. But wasn’t LastPass saying the same thing?

If you save all your online passwords and security codes in an app like 1Password—and it gets hacked—that’s also a potential disaster waiting to happen.

We wholeheartedly recommend getting rid of all those apps. Instead, take advantage of Apple’s built-in password manager and 2FA code generator to keep your secrets secure and in perfect sync across your iPhone, iPad and Mac.

Instead of setting up verification codes in apps like Authy or Google Authenticator, go to Settings > Passwords on your iPhone or iPad, choose the website or app account, hit Set Up Verification Code, then tap Enter Setup Key.

You must paste a setup key for a website or app in the Setup Key field, then copy the verification code and paste it on the website or app.

For further information, read our tutorial explaining how to set up and use Apple’s two-factor authentication code generator on your iPhone and iPad.

Google Authenticator dates back to 2010.