We've all been there. 'Please enable Two-Factor Authentication (2FA) to secure your account.' So you do, and probably think nothing more of it. Your account is secure, as only you have access to the 2FA codes.
Fast forward to when you get a new device, and you panic. So before we get there, let's rewind slightly and I'll give you my cautionary tale, and hopefully we can all learn a little along the way.
One of the big authentication apps out there for your smartphone is Google Authenticator (Android ~ iOS). It's a free app from Google where you can scan a QR code or manually set up each site. There are others out there, and I used both Google's and a different app: Authy (Android ~ iOS). Though I only used Authy for two different sites, I seemed to use Google's app more (I still to this day do not know why).
Early 2018, and Apple released their battery upgrade program. 'Great, I can get a cheap battery replacement for my iPhone 6S Plus,' I thought. I notice this runs for the whole year, so decide to hold out as long as possible. September rolls around and I'm seeing the keynote for the new iPhones and decide I'm going to upgrade anyway, but someone I know will probably want my old iPhone so I decide to get the battery done regardless.
On my journey to the Apple Store, I set up my new iPhone from a backup of my 6S Plus I made earlier that day. Everything goes smoothly, and I'm ready ahead of time.
I arrive at the Store, and make a Genius Bar appointment. It's around an hour wait, so I stay in store and check out the cool new stuff the new phone can do compared to the three year old handset. My appointment comes around and I'm speaking to a Genius. Diagnostics are run, the battery doesn't need replacing but I go ahead anyway for the £25 fee.
I'm told to come back in around an hour when the work will be done. So I go away, get some food and come back. I check in with someone, and I'm told my handset will be out shortly.
Sure enough, it is.
But the store employee is holding two handsets. They couldn't get the battery out so are replacing the device. For the small fee of £25. Sweet!
I am asked to wipe the phone, which I do. Pay the lady and off I go.
As I start to log in to new accounts on my new device, I'm starting to wonder about my 2FA accounts. I can think of a few sites and services that I have active with it. So I load up the Google Authenticator app and the horror sinks in. There is nothing there.
The whole concept behind 2FA is to keep anyone and everyone out who doesn't have the time-sensitive code. The codes are generated from a secret that lives only in the authenticator app on the handset; the backup didn't carry it over, and the handset that held it has just been wiped and handed back. So even though I am the owner of the accounts, without that extra layer I cannot gain access. Now I'm pretty screwed.
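To make concrete what was actually lost, here is an added example (my own illustration, not code from the original post or from Google Authenticator or Authy) of what an authenticator app stores when it scans a QR code and how it turns that into the six-digit code. The QR code is just an otpauth:// URI; the `secret` parameter in it is the whole secret, and the code is an HMAC of the current 30-second time step under that secret (RFC 4226 HOTP / RFC 6238 TOTP). Lose the secret and no amount of knowing the password gets you a valid code; back the secret (or the URI) up somewhere safe and you can regenerate codes on any device. The sample URI below is constructed for this example using the RFC 6238 test key, so it matches the published test vectors and belongs to no real account.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample QR-code payload. The seed is the RFC 6238 SHA-1 test key
# ("12345678901234567890" in ASCII) base32-encoded; there is no real account behind it.
SAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def parse_otpauth(uri):
    """Extract the fields an authenticator app keeps after scanning a QR code.

    Everything needed to mint codes is in here, so this is what a backup must
    preserve (and what must never leak).
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer", ""),
        "secret": params["secret"],
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # restore base32 padding
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, unix_time, digits=6, period=30):
    """RFC 6238: HOTP with the counter taken from the current time step."""
    return hotp(secret_b32, int(unix_time) // period, digits)


def verify(secret_b32, submitted, unix_time, digits=6, period=30, window=1):
    """What the site does with the code you type: accept the current step and
    +/- `window` neighbouring steps to allow for clock skew, compared in constant time."""
    step = int(unix_time) // period
    return any(
        hmac.compare_digest(hotp(secret_b32, step + delta, digits), submitted)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    account = parse_otpauth(SAMPLE_URI)
    # At unix time 59 the RFC 6238 vector is 94287082, i.e. 287082 at six digits.
    print(account["label"], totp(account["secret"], 59, account["digits"], account["period"]))
```

The server side holds the same secret, which is why the site can check your code without ever having seen your phone; and it is why re-enrolling (turning 2FA off and on again, as I ended up doing with Gmail) works: it simply issues a fresh secret to both sides.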
I need to access my email. So I head to the Gmail site and of course that's linked to Google Authenticator and I cannot get in. Balls. Now what?
I get home, get on my laptop and thankfully I can get into my Gmail account, as it is a trusted device that doesn't ask for 2FA every time I log in; it's remembered. Phew. But what if it wasn't?! I don't even want to think about that!
I turn off 2FA for my account, and add it again on my new device. That's my email back under my control. I reached out to Google on Twitter, and I'm yet to receive a reply about this.
Authy is very different. Authy lets you remove your account from all your devices and then add it to your new one. The process takes a bit of time (around 24 hours, I'm told), but at least all your accounts will still be there. I'm still yet to get back in on Authy, but I have no doubt that my accounts will be there.
My Google account will be secured with Authy once I get back in, that's for sure. And anything else I need to add will be added to Authy.
Update - October 2nd, 2018
I have since learnt that you can use 1Password to store passwords and also use it for 2FA, so you get everything in one place. May be something to think about also.