How to move Google Authenticator to a New Unrooted Android Phone

June 12th, 2014

Moving Google Authenticator OTP settings between Android devices isn't easy. Here's how to do it by stealth.

I just picked up a new Galaxy S4, since they're going cheap now that the S5 is out.

I've had my trusty S2 for a number of years, and it's been hacked around, rooted, had Cyanogenmod on it and everything else you do to a phone that's out of warranty.

But now it's time to move all of my data to the new phone, I see the problem of moving Google Authenticator between devices still hasn't been made easy.

For clarity, if you're just using Authenticator for Google itself, and you only want one device at a time to use it, then it is indeed pretty easy, and Google makes the process fairly straightforward. I however use Authenticator for 2FA on a number of services, and I have it installed on both my phone and tablet, so my use case is different.

Note that if you can root your new device, it's far easier just to install Titanium Backup on your old and new device and move your Authenticator settings between the two. I however can't root my S4 yet because I don't want to void its warranty by tripping Knox.

So here's what you need on your old phone. I'll assume you know what the following terms mean. Google or xda-developers will help you out if you don't:

  • The phone must be rooted
  • Developer options enabled
  • USB debugging enabled
  • Android Debug Bridge (adb) installed on your PC/Mac
  • A USB connection between the computer and phone, with adb shell able to connect

On your computer, you'll need sqlite3 installed. Mac users can install it using Homebrew (recipe: sqlite). Everybody else, you can figure it out.

Now, grab your Authenticator database off of the old phone:

dan@Dans-MacBook-Pro ~ $ adb pull /data/data/com.google.android.apps.authenticator2/databases/databases

Note that if the above step fails with a permission denied error, it's because your phone is locked down (kinda like my new unrooted S4), so you're outta luck.

Now open the database locally on your computer:

dan@Dans-MacBook-Pro ~ $ sqlite3 databases
SQLite version 3.7.11 2012-03-20 11:35:50
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .tables
accounts          android_metadata
sqlite> select * from accounts;
1|Google|aaaabbbbccccdddd|0|0|0||
2|Dropbox|aaaabbbbccccdddd|0|0|0||
3|Facebook|aaaabbbbccccdddd|0|0|0|Facebook|Facebook

You'll see the keys for each of your authenticator accounts shown in the list (shown above as aaaabbbbccccdddd).

Now, grab your new phone, open Authenticator, and one at a time add each account, selecting the "Enter provided key" option.

Once you're done with each account, compare the time code generated on the new device with your old one. If they don't match, you made a typo.

Now of course, since in the past few years Google, Samsung et al have made it progressively harder to get to this information, it might be an idea to back up these codes somewhere safe so that next time you upgrade you've got something to refer to!

I hope that helps someone.


android

authenticator