Last Updated on November 17, 2020 by uzma
Ever lost your Google Authenticator codes and want to recover them? Here is one more simple way.
I discovered this neat little trick for regaining access to a Google Authenticator (GA) secured account after suddenly losing the Google Authenticator data for whatever reason (e.g. a lost phone, or having to reinstall the app on a new device).
- First, take a screenshot of the enrolment QR code for each of your Google Authenticator enabled accounts: the same QR code in your account settings that you scanned to enable 2FA on that account.
- Save those QR code screenshots somewhere safe. The QR code encodes the account's shared secret and does not change until you re-enrol manually, so anyone who gets hold of it can scan it into their own GA app and generate valid codes for your account. Treat the screenshots exactly as you would a password: keep them in encrypted storage (a password manager or an encrypted volume), not in an unencrypted photo library or a synced folder.
- Rename each screenshot after the site and account it belongs to, so that you do not mix the QR codes up.
- With the QR codes backed up, if you lose your GA app data unexpectedly, just reinstall the app, re-scan the saved QR codes, and the 6-digit codes it generates will once again verify 2FA on your accounts. Log in to each account once to confirm the re-scanned entry works before you rely on it.
- Create the backup of those QR codes as soon as you can, before it is too late, and refresh it whenever you re-enrol an account, because re-enrolling replaces the secret and makes the old screenshot useless.
What is Google Authenticator?
Google Authenticator is a software-based authenticator developed by Google that implements two-step verification using the Time-based One-time Password algorithm (TOTP, specified in RFC 6238) and the HMAC-based One-time Password algorithm (HOTP, specified in RFC 4226) to authenticate users of software applications.
When you log in to a website that supports Authenticator (including Google services) or to a third-party application that supports it, such as a password manager or file hosting service, Authenticator generates a six- to eight-digit one-time password that you enter in addition to your usual login details.
Earlier versions of the software were open source; releases since 2013 are proprietary.
To use Authenticator, the app is first installed on a smartphone. It must then be set up for each site it is to be used with: the site gives the user a shared secret key over a secure channel, and the key is stored in the Authenticator app. That secret key is used for all future logins to that site.
To log in to a site or service that uses two-factor authentication and supports Authenticator, the user gives their username and password to the site, which then computes (but does not display) the required six-digit one-time password and asks the user to enter it.
The user opens the Authenticator app, which independently computes and displays the same password; the user types it in, proving their identity.
How to Recover Google Authenticator Codes?
With this type of two-factor authentication, mere knowledge of the username and password is not enough to break into a user's account: the attacker also needs the shared secret key, or physical access to the device running the Authenticator app.
- An alternative attack is a man-in-the-middle attack.
If the PC used for the login is compromised by a Trojan, the username, password and one-time password can all be captured by the Trojan, which can then start its own login session to the site, or monitor and modify the communication between the user and the site. A phishing site that relays the captured code to the real site within its 30-second validity window achieves the same thing; TOTP does not bind the code to the site the user is actually talking to.
During setup, the service generates an 80-bit secret key for each user (RFC 4226 requires at least 128 bits and recommends 160). This is transferred to the Authenticator app as a 16-, 26- or 32-character base32 string, or as a QR code; the QR code simply encodes an otpauth:// URI that carries that base32 string along with the account label and issuer, which is why a screenshot of it is as sensitive as the secret itself.
Later, when the user opens the Authenticator app, it computes an HMAC-SHA1 with the secret key as the HMAC key. The message that is HMAC-ed is either:
- the number of 30-second periods since the Unix epoch (TOTP), or
- a counter that is incremented with each new code (HOTP).
A part of the HMAC is extracted (dynamic truncation) and displayed to the user as a six-digit code. Because the site computes the same value, the two sides must agree on the secret and, for TOTP, on the current time; servers typically accept the neighbouring 30-second periods as well to absorb clock skew.
This was a detailed review of the Google Authenticator app, and it also showed you how to recover your Google Authenticator codes.