Need help setting up Google Authenticator on my new phone

I just upgraded to a new phone and now my Google Authenticator codes are missing. I can’t log in to a few important accounts because they’re still tied to the old device. What’s the safest way to move or recover my 2FA codes onto this new phone without getting locked out of anything?

This bites, but you have a few clear paths. Safest way depends on whether you still have the old phone and whether you had backup/recovery options set up.

I’ll break it down step by step.

  1. If you still have the old phone and it still works
    • Install Google Authenticator on the new phone.
    • On the old phone, open Google Authenticator.
    • Tap the three dots menu.
    • Choose “Transfer accounts” or “Export accounts.”
    • Select the accounts you want.
    • It shows a QR code.
    • On the new phone, in Google Authenticator, tap “Get started” or “Import existing accounts.”
    • Scan the QR from the old phone.

    Test one login before deleting anything on the old device.
    Do not wipe or reset the old phone until you confirm codes on the new one work for every important account.

  2. If the old phone is dead or wiped, start with the account provider
    For each site where you are locked out, go one by one:

    A) Check for backup methods you already set
    • Try backup codes. Many services gave a TXT or PDF with 8–10 one-time codes.
    • Try SMS 2FA if you had it enabled as a backup.
    • Try email 2FA if the site supports it.
    • Some password managers store TOTP secrets, so check those too.

    B) If you have no backup methods, use account recovery
    Common examples:

    • Google account
      • Go to https://accounts.google.com/signin/recovery
      • Sign in with password.
      • Choose “Try another way” until you see options that do not need Authenticator.
      • Use backup codes or SMS if you see them.
      • If not, follow their identity verification flow. It asks things like last password, recovery email, phone, etc.

    • Microsoft, Facebook, Instagram, Twitter, etc
      • Look for “Trouble logging in” or “Lost 2FA device.”
      • Fill the recovery form.
      • They often ask for ID or proof of account ownership.

    Expect this to take time. Sometimes support responds in a day, sometimes several.

  3. If you use password managers
    If you ever scanned a QR code for 2FA into a password manager like 1Password, Bitwarden, Dashlane:

    • Open the entry for the account.
    • See if there is a 6 digit code field that updates every 30 seconds.
    • If yes, you already have TOTP there and do not need Google Authenticator for that account.
    • Use those codes to log in, then reconfigure 2FA to your new phone if you want.

  4. Rebuild 2FA from scratch where needed
    After you regain access to each account:

    • Turn off 2FA on that account.
    • Turn it back on.
    • When it shows you a QR code, scan it with the new phone’s Google Authenticator.
    • Also download or print backup codes and store them offline.
    • Add a backup method like SMS or a second authenticator app if the service supports multiple.

  5. For your Google account specifically
    If Authenticator was tied to your Google account sync, newer versions support syncing codes to your Google account.
    If you enabled that feature before:

    • Install Google Authenticator on the new phone.
    • Sign in with the same Google account.
    • Codes should appear automatically after sync.

    If they do not show, then they were only stored locally on the old device and you need the recovery steps above.

  6. Things to set up for next time
    Once you get back in:

    • Always save backup codes for each site. Store them offline.
    • Add a second factor where allowed, like SMS or a second authenticator app.
    • Consider a password manager that supports TOTP.
    • Before you trade in or wipe a phone, confirm 2FA codes work on the new device.

If you say which accounts are blocking you (Google, Steam, Discord, banking, etc), people here can walk you through the exact recovery pages and what to expect from each support team.

Couple of extra angles that might help on top of what @espritlibre already laid out:

  1. Double‑check whether you actually used Google Authenticator for all of those
    A lot of sites call everything “Google Authenticator” even when they support any TOTP app. If you used something like Authy, Microsoft Authenticator, or 1Password/Bitwarden for even one account, that can give you a foothold.
    • Install those on the new phone and sign in.
    • If any of them show 6‑digit codes rotating every 30 seconds, use those to get back in and then re‑set 2FA.

  2. Check if your Google Authenticator was syncing
    I slightly disagree with the idea of just “sign in and codes will appear” being reliable. In practice, lots of people think they turned sync on but didn’t.
    • On the old phone (if you still have it), open Google Authenticator and check if there is a little cloud icon with a check on each account. If not, they were local only.
    • If sync was on, just signing into the same Google account on the new phone should bring them back. If they still don’t show, try:
      • Force close the app
      • Clear cache (not data)
      • Toggle airplane mode or Wi‑Fi to kick the sync
  3. Use your logged‑in browser sessions
    This is underrated:
    • If you are still logged into any of those accounts on a laptop or old device browser, do not log out.
    • Go straight to the account’s security settings from that logged‑in session.
    • Add a new 2FA method (new authenticator QR, SMS, security key, whatever they support).
    • Scan the new QR with Google Authenticator on the new phone.
    That bypasses the whole “I lost my codes” situation for that specific service.

  4. Check email for old QR / secret keys
    Sometimes, especially for dev / self‑hosted tools, people email themselves the TOTP secret or a screenshot of the QR code.
    • Search your email for “2FA”, “two‑factor”, “authenticator,” “one time code,” “TOTP,” and the name of the service.
    • If you find a QR or a string like JBSWY3DPEHPK3PXP, you can re‑add that into Google Authenticator manually.

  5. When you start recovering, don’t re‑use the same mistake
    I’m going to be a bit blunt: relying on a single phone as the only 2FA device is asking to repeat this. When you regain access, do this for each important account:
    • Add a second factor:
      • A security key (YubiKey, Titan, etc.) if supported, or
      • A second authenticator app on a tablet / spare phone
    • Print or write backup codes and store them somewhere boring and physical (drawer, safe, etc.).
    • If the site lets you register multiple authenticators, add both your phone and something else, not just “move” it.
  6. If a service support team asks for ID, be prepared
    @espritlibre mentioned recovery forms, but practically:
    • Some services will straight up ask for a photo of government ID plus a selfie holding it.
    • For domains / hosting / crypto exchanges, they may also ask for old invoices, transaction IDs, or last 4 digits of a card.
    Have those handy before you start the recovery process so you’re not stuck searching mid‑form.

If you list which specific services are blocking you (like “Google, Steam, Discord, bank”), the exact recovery options vary a lot, and some are way more forgiving than others.

Skip repeating the “export from old phone / use backup codes” routes that @mike34 and @espritlibre already covered. Here are some extra angles that often get missed:

  1. Use “trusted devices” and active sessions
    If you are already logged in on a laptop or tablet for any of those accounts, that session is basically your golden ticket.
    • Do not log out. Do not clear cookies.
    • Go straight to the account’s security or login settings.
    • Add a new 2FA method on the spot:
      • New authenticator QR for your new Google Authenticator
      • Security key
      • SMS or email code, if allowed
    Once that new factor works, you can safely remove the old Google Authenticator entry that is tied to your dead / old phone.

I actually put this above account recovery forms, because it is much faster than the “prove who you are” flow in many cases. @mike34 mentioned this but I would prioritize it before trying long support forms.

  2. Check if you accidentally split your 2FA across apps
    A lot of people think everything is in Google Authenticator, but half the codes live in:
    • Authy
    • Microsoft Authenticator
    • A password manager with TOTP
    Before diving into painful recovery, install or open each of those on the new phone and see if any of them show rotating 6 digit codes. One workable code for one account lets you get back in and rebuild your 2FA setup cleanly.

  3. Use alternative login flows that temporarily bypass the code
    Some services offer:
    • “Log in with device prompt” (push to an existing logged in phone or in‑app approval)
    • “Log in with security questions” or a backup email link
    • “Use your recovery email only this time”
    These options are sometimes buried behind “Try another way” or similar text. The others already pointed at recovery, but it is worth explicitly trying all secondary methods before starting a full support ticket.

  4. For dev or self‑hosted tools, re‑seed from config, not from memory
    If any of the locked accounts are:
    • Self‑hosted services
    • Dev tools like Git hosting, CI dashboards, internal admin panels
    you might still have the raw TOTP secret in:
    • App config files
    • Env variables
    • Password vaults or encrypted notes
    If you see a string of all caps letters and numbers like JBSWY3DPEHPK3PXP, that is your factor secret. In Google Authenticator, you can add it manually instead of scanning a QR.

  5. Planning for next time: do not rely on a single phone again
    Here I slightly disagree with how “just re‑enable 2FA and save backup codes” was put. It is necessary, but not sufficient. Do at least two of these per important account:
    • Add a hardware security key (YubiKey, Titan, etc.) as a primary factor.
    • Register a second authenticator app on a second device.
    • Store printed backup codes in a place that is hard to accidentally throw away.
    • Use a password manager with integrated TOTP for an additional copy of the secret.

  6. About Google Authenticator itself
    You mentioned “safest way.” Google Authenticator is fine but has tradeoffs. Briefly, pros & cons:

Pros:
• Simple interface, low friction.
• Works offline.
• Widely supported anywhere TOTP is accepted.

Cons:
• Historically single‑device oriented, easy to lose everything with one phone.
• Sync behavior is not always clear, and people often assume it is backing up when it is not.
• No strong export / multi‑device management compared with alternatives like Authy or some password managers.

@espritlibre and @mike34 already gave solid recovery paths. Treat those as “how to survive this incident.” Use the points above to make sure the next phone upgrade is boring rather than a mini‑disaster. If you list which specific services are blocking you, people can outline the exact “other way to sign in” paths for each one.
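
Two of the posts above suggest re-adding a recovered secret string (like JBSWY3DPEHPK3PXP) by hand. The following is an added example, not code from anyone in this thread: it decodes a pasted Base32 secret or an `otpauth://` QR payload and computes the standard RFC 6238 code, so you can confirm a recovered secret produces codes the service accepts before you depend on it. The sample URI, issuer and account name are constructed.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlparse, parse_qs, unquote

def normalize_secret(raw):
    """Decode a Base32 TOTP secret as people paste it: spaces, dashes, lowercase, no padding."""
    cleaned = raw.replace(" ", "").replace("-", "").upper().rstrip("=")
    if not cleaned:
        raise ValueError("empty secret")
    padded = cleaned + "=" * (-len(cleaned) % 8)  # b32decode requires a multiple of 8 chars
    try:
        return base64.b32decode(padded)
    except Exception as exc:
        raise ValueError(f"not a valid Base32 secret: {exc}") from None

def totp(key, at=None, step=30, digits=6, algo="sha1"):
    """RFC 6238 code for the time step containing `at` (seconds since epoch, default now)."""
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def parse_otpauth(uri):
    """Parse the otpauth://totp/... string a 2FA QR code encodes; defaults match common apps."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("URI has no secret parameter")
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer"),
        "key": normalize_secret(q["secret"]),
        "digits": int(q.get("digits", 6)),
        "step": int(q.get("period", 30)),
        "algo": q.get("algorithm", "SHA1").lower(),
    }

if __name__ == "__main__":
    # Constructed sample payload; replace with the string recovered from your own QR or config.
    acct = parse_otpauth("otpauth://totp/Example:alice@example.com?secret=jbsw%20y3dp%20ehpk%203pxp&issuer=Example")
    print(acct["issuer"], acct["label"], totp(acct["key"], step=acct["step"], digits=acct["digits"], algo=acct["algo"]))
```

If the printed code differs from what another still-working device shows for the same account, check the system clock first, since a skewed clock shifts the 30-second window.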