How to transfer Google’s 2-factor authentication to a new iPhone in 14 easy steps

I just got a new iPhone 7. It’s much faster, has eight times the space, and takes marginally better low-light photos compared to my 4-year old iPhone 5. Living a mile above sea level also leaves me wondering if I’ll ever need the water-resistant functionality.

Nevertheless, migrating all the settings and logins over is never fun, especially onerous but important security features like 2-factor authentication for important services like Google. Given the crucial importance of 2-factor for securing devices and accounts, Google’s current implementation of migrating two-factor to a new phone is simply unacceptable. I spent nearly an hour trying to match out-of-date documentation with important settings hidden in the user interface. With 79 million new iPhones forecast to be sold between September and December and I’d guesstimate that >50% of them have Google accounts as well, I am confident that most other people have neither the time nor the patience to figure this all out themselves. Why transitioning isn’t vastly simpler is a question best left to security usability experts, but Google’s current terrible implementation all but guarantees that there will be thousands or millions of people who will opt out of using 2-factor because this transition is simply too difficult and poorly documented.

How to migrate your Google Authenticator to a new iPhone 14 easy steps.

  1. You’ll need your Authenticator app on your old phone or backup codes to get into your account as well as a “real” computer (desktop or laptop) to do this. If you thought you could get away with managing this on just two mobile devices, that’s adorable.
  2. In any Google service, click on your name in the top right. In the drop-down, select “My Account”.
    step2
  3. At this point you’re scratching your head wondering where the “Security” button or “Settings” selections are as the documentation glibly intones. Don’t worry, they’re not anywhere to be found and your hold on reality hasn’t slipped yet! Select “Signing in to Google”.
    step3
  4. Select “2-step verification”. You’ll probably be asked to log in and enter a 2-factor code again from your old device or backup codes. Try not to tear up thinking about how this may be one of the last times you ever gaze upon this screen.
    step5
  5. Once you’re in, select the teeny tiny pencil on the right-hand side of the “Authenticator app (Default)” box to edit these settings. For the love of god, don’t click anywhere but the progress buttons in the subsequent screens or you’ll get to start over at square one right here.
    step6
  6. While the naive reader might expect where the documentation says “Move to a different phone”, there would be a button labelled “Move to a different phone.” This is not a valid assumption. You have to select “Change” instead. What does it change? We don’t know until we click on it!
    step7
  7. If you’re using an iPhone like me, select “iPhone”. I’m guessing if you use an Android you should select “Android”. I can’t rule out it also opening a portal into a hellscaped alternative timeline, so proceed with caution.
    step8
  8. Now a QR code will show up on the screen. You’ve probably seen these on low-rent billboards or dubious business cards before, but now you’re actually going to interact with one. Don’t you dare click on anything yet.
  9. On your new phone, launch the Authenticator app and select “Begin Setup” in tiny font at the bottom of the screen beneath the gigantic banner than conveys absolutely no information about this 14-step process you’re just over halfway through now.
    img_0003
  10. Select “Scan barcode” also in tiny font at the bottom. At this point you may also be barraged with requests for the app to use your camera, all of which you should accept just like you do for every other application. Unfortunately Authenticator will not notify you when you’ve matched with another hot single in the area.
    img_0004
  11. Now point your phone’s camera at your computer screen so it can capture the barcode. Yes, it’s simultaneously thrilling, infuriating, and will make you look like an idiot to any passers-by.
    img_0006
  12. A six-digit number should pop up on your phone if you’re successful. If you’re not, you always have the option of going back to Step 8 and figuring out how the “Can’t Scan” choose your own adventure option ends (hint: with you getting to manually enter a 16-digit alphanumeric key!).
    img_0007
  13. Going back to your desktop computer, enter the six-digit code on your phone into the field. Pretend you’re a spy since the number is only good for something like 30 seconds and flashes and turns red when you’re running out of time. It’s the small touches like this that makes this simple process so much less stressful.
    step10
  14. Assuming you didn’t make any errors in a process that involved you switching contexts between three different screens and entering time-sensitive random numbers into easily-closed dialogue boxes that reset the whole process, you should now be able to use Google Authenticator on your new phone!
    step11

 

Site hacked and rebuilding now

Bad: Thanks to a number of people who pointed out that my site got hacked and had links to unsavory topics popping up in Google.

Worse: I was overzealous in removing the previous install and inadvertently deleted the directories containing the data and papers I had previously made available.

Please bear with me over the next few days and weeks as I try to go through the process of trying to track all these files down and get them properly linked back to their posts and such. Please contact me directly if there’s some data or code you need in the interim. My apologies in advance for any inconveniences this may cause!

First

I’ve had an “uneven” experience blogging in the past–insufficient motivation, feeling as though I’m shouting into the void, a lack of coherence. But those lucky souls who follow me on Twitter know I am not a timid poster. I hope this blog will be a venue to curate and expand on academic, political, and personal thoughts I already share on Twitter: papers of interest, news of import, and experiences as I finish my PhD. So, here we go.