Always save the keys (or the scanner code) whenever you add them to Authenticator. Then, when you get a new phone (or whatever) you can just re-import the keys.
It's pretty stupid that Google doesn't allow for any way of getting the keys out of its 2FA app. Your only transition path is backup/restoring an entire device to a newer one of the same OS.
There's no direct path to migrate from say an iPhone to an Android based phone without manually adding each 2FA entry to the new device.
> Your only transition path is backup/restoring an entire device to a newer one of the same OS.
This isn't an option on iOS! When I bought an iPhone a year and a half ago, the 2FA keys were not included in my iTunes device backup, even though backup encryption was turned on. I had to manually create new keys for all seven sites I use Google Authenticator with.
They're definitely included as I've done it a number of times. I'm going to wager you don't have your iTunes set up to back up apps from your phone. I think there's a separate check box you have to click once to enable it.
The secrets are in the keychain, which is backed up.
Google Authenticator used to store its secrets in the device's keychain as available "while unlocked". This allows them to be stored in the backup in a way that can be transferred to a new device - if you use an encrypted backup. It also makes it possible to extract the keys if you know the backup password. (I have code that does this, inspired by the old "iphone-dataprotection" codebase on google code.)
Google Authenticator now (last I checked) marks its keychain entries as "This device only" - this still allows backup/restore, but only to the same device. They are wrapped by a key only available on that specific device (the 0x835 key - you used to be able to extract it on a jailbroken device, but I'm not sure that's possible anymore).
It's possible you have grandfathered entries or even an old version of Authenticator. But I no longer see entries for "CLNPY5GLN9.com.google.Authenticator" in my decrypted keychain, so it must have migrated my old entries. Before my phone dies, I need to go through all of mine and make sure I've got a backup or regenerate the ones I'm missing. (I have old snapshots of decrypted keychains.)
If you have a rooted phone, there is another option: copying off the sqlite database. At that point you can generate QR codes with a tool like WinAuth. Bit of a pain, but very doable (if you rooted your phone.)
Bypassing this with Authy is generally a better idea.
I think they do this to make it harder for an exploit to just run the command to get the keys. I'm torn whether I think this is really an issue or not though. From a security standpoint it is one less attack vector to get my 2nd factor keys. From a usability standpoint it is annoying when I switch devices. I personally solved this problem by storing my two factor auths on my yubikey neo which is a bit more portable. I don't think there is a way to get the keys off of there either but at least the key itself is portable and works with Android and all my desktops/laptops. I am not sure if they ever figured out iPhones though.
As an additional note: I strongly recommend storing these keys securely offline. With these keys someone can replicate your 2FA generator, so you really want it not hackable.
Paper in a fireproof safe is excellent for these sorts of things, or a safety deposit box.
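The advice at the top of the thread (save the secret or the QR payload when you enrol) and the warning just above (whoever holds the secret can regenerate your codes) both rest on the same fact: a TOTP code is just HMAC over the shared secret and the current 30-second window (RFC 4226 / RFC 6238). The following is an added example, not code from any commenter: it parses the otpauth://totp/ URI that an enrolment QR code encodes, regenerates codes from the base32 secret, and lets you confirm that a paper backup actually matches what the app displays before you rely on it. The URI and the 20-byte seed "12345678901234567890" are constructed/standard test values, not real credentials.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Split an otpauth://totp/<label>?secret=...&... URI into its parameters.

    Missing optional parameters fall back to the defaults most apps assume
    (6 digits, 30-second period, HMAC-SHA1).
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are supported here")
    params = parse_qs(parsed.query)
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret parameter")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"][0],
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
    }


def decode_base32_secret(secret):
    """Decode the secret as apps print it: base32, any case, spaces, no padding."""
    cleaned = secret.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the padding base64.b32decode expects
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC(key, counter) -> dynamic truncation -> decimal code."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(key, at_time=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238: HOTP with the counter set to the current time window."""
    if at_time is None:
        at_time = time.time()
    return hotp(key, int(at_time) // period, digits, algorithm)


def code_from_uri(uri, at_time=None):
    """Regenerate the code an authenticator would show for this enrolment URI."""
    p = parse_otpauth(uri)
    key = decode_base32_secret(p["secret"])
    return totp(key, at_time, p["period"], p["digits"], p["algorithm"])


def backup_matches(uri, code_shown_by_app, at_time=None, window=1):
    """True if the saved URI reproduces the app's code in the current window
    or an adjacent one (tolerates slight clock skew between phone and PC)."""
    p = parse_otpauth(uri)
    key = decode_base32_secret(p["secret"])
    now = int(time.time() if at_time is None else at_time)
    for step in range(-window, window + 1):
        candidate = totp(key, now + step * p["period"], p["period"], p["digits"], p["algorithm"])
        if hmac.compare_digest(candidate, code_shown_by_app):
            return True
    return False


# Constructed enrolment URI using the RFC 4226 test seed (not a real account).
EXAMPLE_URI = (
    "otpauth://totp/Example:alice@example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
)

if __name__ == "__main__":
    print("label:", parse_otpauth(EXAMPLE_URI)["label"])
    print("code now:", code_from_uri(EXAMPLE_URI))
```

To check a paper backup, type the saved otpauth URI (or just the secret) into this script while the app is open and compare `code_from_uri` with what the app shows; `backup_matches` does that comparison with one window of tolerance. Keep the script and the saved secret offline for the same reason the comment above gives: anyone who can read the secret can run this and get your second factor.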