Need help setting up Google Authenticator on my new phone

I just upgraded to a new phone and now my Google Authenticator codes are missing. I didn’t back anything up and I’m locked out of a few important accounts that use 2FA. What’s the safest way to move or recover Google Authenticator onto my new device without losing access to those accounts or breaking security best practices?

Oof, been there. Short version. You do not move codes from the old phone now, you recover each account one by one.

Step 1: Check if you still have the old phone
If the old phone still works and has Google Authenticator with codes:

  1. Connect it to WiFi.
  2. Install the latest Google Authenticator on it from Play Store or App Store.
  3. Open Authenticator, tap your profile icon.
  4. Turn on “Sync to Google Account”.
  5. On the new phone, install Authenticator, log in with the same Google account, wait a bit.
  6. Your codes should sync.

If that works, you are done. You do not need any backup codes.

Step 2: If the old phone is gone or wiped
Now it is account recovery territory. You need to do this per service.

Common options:

  1. Backup codes

    • Check email inboxes for subjects like “backup codes” or “two-step verification backup”.
    • Many services show backup codes at signup. If you saved them as a file, screenshot, or printout, use one of those codes to log in and reset 2FA.
  2. SMS or phone fallback

    • Some sites use your phone number as a backup.
    • Try “Use a different method” or “I do not have my authenticator app” on the login page.
    • If they offer SMS or call, use it and then reconfigure 2FA on the new phone.
  3. Email fallback

    • Some services send a link to your email when you say you lost your 2FA device.
    • Look for a “Try another way to sign in” or “Lost your device” link.
  4. Recovery codes or security keys for your Google account
    For your Google account itself:

Step 3: If none of that works
You need to open support tickets with each service.

General pattern:

  1. Go to the site’s help or support page.
  2. Search for “lost 2FA” or “lost authenticator”.
  3. Fill their form. They sometimes ask for:
    • ID photo
    • Last 4 digits of card used
    • Recent invoice or transaction ID
    • Old usernames, emails, old passwords
  4. Expect delays. Some services respond in hours, some in days.

Data point. On average it takes from a few minutes (if you have backup codes) to several days (if support involvement is needed). Some financial platforms refuse access if you fail verification, so focus on those first.

Step 4: After you get back in
Do this for every recovered account:

  1. Disable old 2FA.
  2. Turn 2FA on again and scan the QR with your new authenticator app.
  3. Save backup codes in at least two safe places.
  4. Screenshot the QR or secret key and store it encrypted or offline.
  5. Consider a more backup-friendly app like Aegis (Android) or 1Password / Bitwarden with 2FA, which allow encrypted export or sync.

Hard truth. If an account only used Google Authenticator, had no backup phone, no backup codes, and no support path, access is usually gone. Focus on accounts that have some recovery option first.

Couple of extra angles that complement what @ombrasilente said, especially since you didn’t back anything up and the codes are just… gone.

  1. Don’t treat this as a “move Google Authenticator” problem
    This trips people up. The app itself is basically a dumb code calculator. The real “keys” live on each site (Google, PayPal, Discord, whatever). So you’re not migrating GA, you’re re-enrolling 2FA on every account. Mentally switching to that view makes it less confusing.

  2. Check if you’re actually fully locked out
    For each account, before touching support, go to the login page and look closely for stuff like:

    • “Try another way”
    • “Can’t use your authenticator?”
    • “I lost my device”
    • “Use a recovery method”
    Lots of people miss these tiny links and jump straight to support hell.
  3. Prioritize accounts in this order
    Since some sites make recovery painful, start with:

    • Email accounts (especially the one tied to everything else)
    • Banking / exchanges / anything with money
    • Work accounts
    • Everything else after
    Reason: many “lost 2FA” flows use your email, so if your main email is locked, you’re double-stuck.
  4. Use device recognition to your advantage
    If you still have any computers or tablets where you’re logged in:

    • Do not log out
    • Go straight to security settings while you’re still in
    • Turn off 2FA or add a new method (new authenticator, SMS, security key, etc.)
    Even if you can’t see codes on the old phone anymore, a logged-in browser session is often your best lifeline.
  5. On Google itself, try this slightly different path
    People often use the “Forgot password” link only. Instead, also try:

    • Go to https://myaccount.google.com/security
    • From a known device/IP where you used that account
    • Sometimes Google is more lenient if your IP, device, and browser match older logins
    It is not guaranteed, but their risk engine cares a lot about that context.
  6. Be careful with what you send to support
    When you reach the “contact support” stage:

    • If they ask for ID, redact extra info: cover MRZ, document number, etc. if they only need name + photo + DOB
    • Never send passwords or full card numbers, even if someone claims to be support
    • Use only official support channels linked from the actual site, not from search ads or random “help” pages
  7. When you re-enable 2FA, do not repeat the old setup pattern
    Here I’d push a bit further than @ombrasilente suggested:

    • Don’t rely on a single authenticator app tied to a single phone
    • Prefer either:
      • A password manager with TOTP sync, or
      • A 2FA app that lets you securely export or back up keys
    • For important accounts, add:
      • A security key (like a hardware key)
      • At least one alternate method: SMS, backup email, or printed backup codes
  8. Screenshot / export, but not recklessly
    A lot of people say “never screenshot QR codes.” That is too absolute. More accurate:

    • Screenshot or write down the secret key
    • Store it somewhere encrypted: password manager, encrypted volume, or offline USB that you control
    • Do not leave it in plain photos on your phone or in cloud photos
  9. Accept that some accounts might be gone
    Not fun, but realistic. If:

    • No backup codes
    • No phone / email fallback
    • No logged-in sessions
    • No usable support
    Then those accounts may effectively be lost. Focus your time on services that actually have a recovery path instead of banging your head on the ones that treat 2FA loss as permanent.

Once you’ve recovered even one key account, pause and set up a safer system before continuing with the rest so you don’t end up in the same spot after your next phone upgrade.