Recently I got a new phone – there was a crack in the screen of my old iPhone, and that was a decent excuse to upgrade my phone, which for me boils down to “same phone, slightly better camera”.
Anyway, this meant that I was carrying two phones until I got all of my MFA apps and accounts migrated over to the new phone. “Easy” you say? Ummm – in some cases, yes. Here’s a summary of how easy it was, and what I found …
As easy as Export / Import
I had 18 entries, and they all exported to 2 QR codes. They display on the old phone; scan them on the new phone and you’re back in business! I did this in the Google Authenticator app, but this works on just about every “Google compatible” authenticator application – i.e. most password managers.
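Those export QR codes carry an `otpauth-migration://offline?data=…` URI whose payload is a base64 protobuf message. As an added example (not from the diary), here is a dependency-free decoder that turns one such QR payload back into standard `otpauth://` URIs, the form you would want in an offline backup; the field numbers and enum values are assumed from community documentation of the format, and the sample payload is hand-assembled, not a real export.

```python
import base64
import urllib.parse

# Assumed otpauth-migration protobuf layout (community-documented, not stated in the post):
# MigrationPayload {1: otp_parameters (repeated), 2: version, 3: batch_size, 4: batch_index, 5: batch_id}
# OtpParameters {1: secret bytes, 2: name, 3: issuer, 4: algorithm, 5: digits, 6: type, 7: counter}
ALGO, DIGITS, KIND = {1: "SHA1", 2: "SHA256", 3: "SHA512"}, {1: 6, 2: 8}, {1: "hotp", 2: "totp"}
BATCH = {2: "version", 3: "batch_size", 4: "batch_index", 5: "batch_id"}

def _varint(buf, pos):                      # base-128 varint -> (value, position after it)
    result, shift = 0, 0
    while buf[pos] & 0x80:
        result |= (buf[pos] & 0x7F) << shift
        shift, pos = shift + 7, pos + 1
    return result | (buf[pos] << shift), pos + 1

def _fields(buf, pos=0):                    # yield (field_number, value) for one protobuf message
    while pos < len(buf):
        key, pos = _varint(buf, pos)
        num, wire = key >> 3, key & 7
        if wire not in (0, 2):              # only varint and length-delimited fields occur here
            raise ValueError(f"unsupported wire type {wire}")
        n, pos = _varint(buf, pos)          # the value itself (wire 0) or a byte length (wire 2)
        val, pos = (n, pos) if wire == 0 else (buf[pos:pos + n], pos + n)
        yield num, val

def migration_to_otpauth(uri):              # one exported QR code -> (otpauth URIs, batch info)
    q = urllib.parse.urlparse(uri)
    if q.scheme != "otpauth-migration":
        raise ValueError("not an otpauth-migration URI")
    entries, batch = [], {}
    for num, val in _fields(base64.b64decode(urllib.parse.parse_qs(q.query)["data"][0])):
        if num in BATCH:                    # batch_index/batch_size: which of the N QR codes this is
            batch[BATCH[num]] = val
            continue
        p = dict(_fields(val))
        kind, issuer, name = KIND[p.get(6, 2)], p.get(3, b"").decode(), p[2].decode()
        params = {"secret": base64.b32encode(p[1]).decode().rstrip("="),
                  "algorithm": ALGO[p.get(4, 1)], "digits": DIGITS[p.get(5, 1)],
                  **({"issuer": issuer} if issuer else {}),
                  **({"counter": p.get(7, 0)} if kind == "hotp" else {})}
        label = urllib.parse.quote(f"{issuer}:{name}" if issuer else name, safe=":@")
        entries.append(f"otpauth://{kind}/{label}?{urllib.parse.urlencode(params)}")
    return entries, batch

# Constructed sample (hand-assembled protobuf bytes, not a real export): one TOTP entry, then
# version=1, batch_size=2, batch_index=0, batch_id=1, i.e. the first of two QR codes.
_ENTRY = (b"\x0a\x14" + b"12345678901234567890"     # 1: secret, 20 raw bytes
          + b"\x12\x11" + b"alice@example.com" + b"\x1a\x0b" + b"ExampleCorp"  # 2: name, 3: issuer
          + b"\x20\x01\x28\x01\x30\x02")             # 4: SHA1, 5: 6 digits, 6: TOTP
_PAYLOAD = b"\x0a" + bytes([len(_ENTRY)]) + _ENTRY + b"\x10\x01\x18\x02\x20\x00\x28\x01"
SAMPLE_URI = "otpauth-migration://offline?data=" + urllib.parse.quote(base64.b64encode(_PAYLOAD).decode(), safe="")
```

The batch fields are what tell you whether you have captured every code of a multi-QR export before wiping the old phone; the decoded secrets are as sensitive as the accounts themselves and belong in the same place as any other long-lived credential.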
I still had my original SDTID files to import, but without the passphrases they would have been useless. With them, it’s a re-import from the original files + passcodes. Without them, the next step would have been to request new token files or token links and passphrases from any clients I have left using RSA. From there it’s easy, just import the file/link on the new device.
Yup, MFA on Banking, with their proprietary app. Apparently their proprietary MFA app is important to them so that they can show you ads and “brand” your login (what could possibly go wrong with that). I guess it’s too easy to use a modern industry standard interface, so they took a different “roll your own” path. Anyway, no export. They have great information on first-time setup of MFA for an account, but zero on migrating. They ended up having me call someone at the bank (the “salesperson” for corporate banking) who simply re-enrolled me on the strength of my phone call and the irritation in my voice. So this MFA is now as strong as my single factor (password) and the will of the salesperson to not offend a corporate customer. So single factor. Again.
There is a way to enable iCloud backups in the setup screen. So the “easy” way to migrate your data is to enable cloud backup (“iCloud Backup” on an iPhone, or just “Cloud Backup” on an Android), then restore it to your new phone. As with all things cloudy, you’re relying on that cloud to secure that data, but I guess we’re all past that until the cloud apocalypse breach (when all of us security folks say “see, we TOLD you”). Then restore to the new device and you’re good, same as Google.
The other way to migrate MS Authenticator is to (for each account):
- Have the administrator (at your client) set you up to re-enroll a new device – in their MS dashboard they need to set “Require re-register MFA”
- Add the account in the app on the new phone
- Login when prompted (userid + password)
- You’ll see a QR code, scan or accept that (since it’s likely on the screen that has the camera on it), and you’ll be re-enrolled
Roughly half of my MS Authenticator clients had left me in that “re-enroll” mode after the first enrollment, so they were essentially “single factor to re-enroll MFA”. The other half wanted verification from me that I was me before they enabled that – that was WAY more reassuring to see!
As you’d expect, I leave control of all of these customer logins with the various clients, I don’t back them up.
Register with a new phone number, and the entries all get pulled down from a backup in the cloud. The entries then magically disappeared on my old phone. Since it seems to be tied only to my phone number (which anyone can spoof), that just doesn’t seem right. I’m guessing that there’s a new exploit class (using an old exploit class) in this …
No export, no import. You need to get a new token from your administrator. Just as old-school as RSA, maybe a bit more so.
Looking at this list, the thing that keeps that tiny kernel of fear in my heart is “what if my phone had been stolen?”. In a migration, Google Authenticator was the easiest and (in my opinion) the most secure. They don’t store any of my data, and the export/import was done in a few minutes. But if my phone had been stolen and I didn’t have those QR codes backed up, recovery of my various individual accounts would have been a LOT more painful. First, I’d have to remember what all I had in there, then I’d have been at the mercy of each individual site admin team. I foresee pain and tears in that path … (time to snag a backup of those QR codes if you don’t already have one!)
This is just my list of MFA apps. If you’ve got one that I’ve missed, by all means use our comment form to add to this list!
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.