Does Google's 2-factor authentication only care about the mobile phone number?
July 21, 2012 6:25 PM

I have a question about Google's 2-factor authentication and upgrading to a new device. Can you help?

I have Google 2-factor authentication enabled for my primary Gmail account.

I qualify for a new smartphone upgrade. Can I upgrade to a new handheld device without worrying about getting locked out of my Google account? Does Google's 2-factor authentication only care about the mobile phone number, or does it also care about trusting the mobile device?


Once a month (or sometimes more), Google asks me to enter a code sent to my smartphone (I don't do texting, so Google actually phones me up) in order to authenticate my account.

If I do not have my phone, I'm pretty screwed.

So, I have a smartphone, a primary computer, and two other laptops associated with my Gmail account for 2-factor authentication.

The smartphone (with its phone number) and computer are trusted devices.

Does Google's 2-factor authentication only care about the mobile phone number, or does it also care about trusting the mobile device?
posted by KokuRyu to Computers & Internet (16 answers total)

I'm confused about the question. Is it whether they will give you the codes at all after you get a new phone? Google will send the code to the phone number you specified, it doesn't know what's on the other end of that.

If you have a smartphone you can get the smartphone app (that's the android version, since you didn't say what type of phone you have, I know there's an iPhone version, don't know about other mobile OSes but I assume they exist too) that will generate the codes instead of texting or calling you. You can also print out backup codes that you keep in your wallet or whatever in case you don't have access to your phone when you need to sign in somewhere.
posted by brainmouse at 6:40 PM on July 21, 2012

In case you're asking the other question that your phrasing can mean -- it doesn't associate authentication with a phone number, only with a device. Actually, even less than that -- if you are authenticated via Chrome on your computer, you are not also authenticated via Firefox, etc (and clearing cookies will clear your authentication). And different google apps sometimes need to be authenticated separately. So you will have to re-authenticate yourself on your new phone when you get a new phone even if you keep the phone number.
posted by brainmouse at 6:43 PM on July 21, 2012

If you're asking about google calling your phone, you're fine - that part of authentication will still work. It's connected to the number, not the device, so as long as you can answer whatever phone is attached to the number, you're set.

If you're asking about using your phone with your google account (gmail, google play, etc.), assuming that you're talking about an android phone, you will need to authenticate that device (I assume you use device-specific passwords, if you don't, consider it!) separately. You will be able to do that just as easily as the first time you signed into your device, from your computer or whatever.
posted by R a c h e l at 7:15 PM on July 21, 2012

Response by poster: Oh, sorry for the confusion...

I have 2-factor enabled. The code is sent to a phone number. I want to change the handset associated with that number (including SIM card).

Will getting a new mobile device cause problems?

The mobile telephone number associated with the account is a key part of 2-factor authentication.
posted by KokuRyu at 7:16 PM on July 21, 2012

OK, then no, you're fine. I just got a new phone, swapped the SIM card, it started sending the messages to the new phone, no problem. It cares about the phone number, not the device. If you're at all nervous though, printing out a set of backup codes before you do anything will give you some peace of mind, and setting up the app on your new phone instead of having them call you will just be easier moving forward.
posted by brainmouse at 7:22 PM on July 21, 2012

Response by poster: If I upgrade to a new device, do I need to retain the same SIM card?

I wasn't aware of an app, either.
posted by KokuRyu at 7:34 PM on July 21, 2012

Nope, it only knows the phone number. That's the only information that it has. Just your phone number. Any facts about what's on the other end of that phone number are irrelevant, as far as Google is concerned. See my first answer for a link to the app on Android, though this link explains how to set it up on Android, iPhone, and Blackberry.
posted by brainmouse at 7:37 PM on July 21, 2012 [1 favorite]

I've dealt with this many times. This is the cleanest way I've been able to do this, after flashing many custom ROMs and futzing with my phone. If anyone knows of a simpler way of doing this, I'm all ears.

If you've got an Android device, this is how I'd do it when switching devices (again, this assumes you're using an Android device, using the Google Authenticator app, and a QR code scanner such as the free Barcode Scanner v4.2 by ZXing):
- go to Google's 2-step verification page
- enter your password, then turn off 2-step verification (top link)
- verify 2-step auth has been turned off (you'll get an immediate e-mail confirming this)
- under "How to receive codes"/"Mobile application," select Remove/Replace
- on your new phone, go through the entire setup for Android-- you don't have to use Authenticator anymore as it's turned off
- go back to the 2-step verification page at the above link
- turn 2-step verification back on
- add mobile application, verify phone number is correct (should be the same, as you're just replacing the phone)
- a code will be sent via SMS, enter code to confirm
- add mobile application for Android, which will present you with a QR code
- go into Google Authenticator's menu, select "Add account," and "Scan barcode"
- scan QR code, enter confirmation code on computer, and you're set.

This doesn't take as long as it seems. I've done this numerous times. PM me if you need help with anything.

Last note: having printable backup codes is a lifesaver. Use it! Keep them safe, but accessible!
posted by herrdoktor at 7:44 PM on July 21, 2012 [1 favorite]

(And the reason I turn off 2-step is because when setting up a new phone or starting from a newly flashed ROM, you avoid the mess of entering a backup code or using your old phone's Authenticator in setting up the new phone. It's a terrific pain in the ass. Better to just set up the new phone and add 2-step after it's all set up.)
posted by herrdoktor at 7:48 PM on July 21, 2012 [1 favorite]

herrdoktor's advice is good if you already were authenticating via an app instead of via a phone number -- and turning off Authenticator is another good idea if you're nervous, but since you're currently authenticating via a phone number, it will continue to work with a new phone without you doing anything.
posted by brainmouse at 7:52 PM on July 21, 2012 [1 favorite]

You could conceivably need a new SIM, by the way, but they will take your SIM and clone your personal information to it; additionally, a SIM can contain a small number of contacts and such -- that will get carried along in the cloning process.

Google again will not know the difference-- it sends you an SMS, which does not offer any info about the sending device, nor return any info about the receiver.
posted by Sunburnt at 12:46 AM on July 22, 2012

Response by poster: In my case I have disabled SMS (I'm trying to save money, and Canadian mobile contracts are expensive) so Google phones me instead.
posted by KokuRyu at 7:06 AM on July 22, 2012

You could just turn it off.
posted by flabdablet at 10:27 AM on July 22, 2012

Just as a follow-up, is it an Android phone you're using? And do you use the Google Authenticator app?

I believe that getting 2-step turned on gives you the option of receiving a phone call instead of an SMS for activation. Once that's done, and the Authenticator app is activated, you don't need anything else: no data/syncing is required. eg: I could have my phone in "airplane" mode and have all data/phone services off, and the Authenticator app on the phone will still provide me with a working key; it's not dependent upon anything but the initial sync and time and some sort of magic.
posted by herrdoktor at 2:30 PM on July 22, 2012

Response by poster: Just as a follow-up, is it an Android phone you're using? And do you use the Google Authenticator app?

The phone in question was an HTC Hero - an Android phone. I had never heard of the authenticator app, and, generally speaking, one of the reasons why I wanted to upgrade to a new phone was that the Hero really could not handle most contemporary apps.

I also have texts disabled (I need to save money any way I can), so Google would phone me up with a code.

I did have a list of backup codes printed out.

Anyway, I simply disabled Google 2FA on my account, and went out and got a new phone - a HTC One X. I'm very happy with it! I have not yet had a chance to turn 2FA back on, but I will check out the authenticator app.

Thanks for the advice.

This is a useful thread, as I will be out of the country for about 3 months starting in September, and was wondering how I would handle 2FA.

Since the codes seem to work regardless of telephone (I won't be able to receive calls) this is a lifesaver thread!
posted by KokuRyu at 11:37 AM on July 23, 2012

You're set, then. I went out of country with an Android phone, had 2-step auth on, and set my phone to airplane mode so no data/calls/etc. would go through. I could still activate WiFi, though, but never used it.

Went into various internet cafes, loaded up Gmail, and opened the Authenticator app for the code. Entered it, was sure to uncheck "Remember this computer for 30 days," and everything worked without any data being sent to/from the phone.

Still traveled with the backup codes written on the back of a card in my wallet, but never had to use it.

One thing to remember is that if you ever deactivate 2-step, or get a new phone, or go crazy and start installing custom ROMs, you're going to have to go through and repeat the process of "Add Account" and scan the QR code from the 2-step setup page as detailed above.

Oh, and one last thing: when you turn on 2-step, your phone, which is synced to Google, will balk and say you've got to re-enter your username/password. Then it's going to take you to a web page where you have to enter your Authenticator code. With the One X and any Android phone running Ice Cream Sandwich or Jelly Bean (the latest versions of Android OS), you can do the following when prompted to enter the Authenticator code:
- hit the home button to take you to main launcher screen
- open Authenticator, wait for the timer to cycle and generate a new code (remember the code!)
- hit the appswitch button and go back to the page where you enter the code
- quickly enter the code, click "Remember for 30 days" and you're done.

Sorry for going on and on about this, but I've done this many times. Sometimes, in the time it takes to enter the Authenticator code, enough time passes such that the code is no longer valid.

Try it all out, and if you've any questions, MeMail me. And have fun on your travels!
posted by herrdoktor at 7:39 PM on July 23, 2012 [1 favorite]
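
Two points from herrdoktor's answers, that the Authenticator app keeps producing valid codes in airplane mode and that a code can expire while you are typing it, both follow from how time-based one-time passwords (TOTP, RFC 6238, the scheme Google Authenticator implements) are computed. The Python sketch below is an added example, not part of the thread and not Google's code; the secret is the public RFC 6238 test key, and `verify` with its `drift_steps` parameter is a hypothetical server-side check.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for
DIGITS = 6   # code length shown by the app

def totp(secret_b32: str, unix_time: float) -> str:
    """Code for the 30-second step containing unix_time (HMAC-SHA1)."""
    key = base64.b32decode(secret_b32.upper())
    counter = int(unix_time) // STEP              # the only time-dependent input
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32: str, submitted: str, server_time: float,
           drift_steps: int = 1) -> bool:
    """Hypothetical server check: accept codes from neighbouring steps only."""
    for d in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, server_time + d * STEP)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return True
    return False

# Constructed sample: the RFC 6238 test key, base32-encoded the way the
# setup QR code carries the shared secret. Never reuse it for a real account.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    # "Phone" side: needs only the stored secret and its own clock, no network.
    phone_clock = 1111111109
    code = totp(SECRET, phone_clock)
    print("code on phone:", code)

    # "Server" side two seconds later: the clock has crossed a step boundary.
    server_clock = 1111111111
    print("strict check:", verify(SECRET, code, server_clock, drift_steps=0))
    print("with +/-1 step tolerance:", verify(SECRET, code, server_clock))
```

The secret is exchanged once, when the QR code is scanned; after that both sides compute codes independently, which is why replacing the phone means scanning a new QR code rather than moving a SIM.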
