by kentonv 1204 days ago
Google Authenticator does not back up TOTP state to Google. In fact, AFAIK, the app does not talk to the internet at all, much less is it associated with a Google account.

You can transfer your Google Authenticator state to another phone. This is accomplished through scanning QR codes -- no data is transferred over a network. This is a relatively new feature; for many years, Google Authenticator refused to provide any way to extract the authenticator state from the phone at all. You literally had to root your phone to get the state out.

It's designed this way because if your TOTP state were backed up to your Google account then it would no longer provide any additional security over Chrome's password manager, which is also backed up to Google. The two factors in "two factor" are supposed to be "something you know" (password) and "something you have" (phone, or security key). In order for the authenticator app to really be "something you have", it has to be hard to copy.

1 comments
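The point in the post above, that the authenticator's TOTP seed is the "something you have" and that the QR transfer copies it rather than moving it, as an added example (not code from the thread or from Google Authenticator): RFC 6238 TOTP in pure Python, with a parser for the otpauth URI an enrolment QR code carries and a server-side verifier. The enrolment URI is constructed; its seed is the RFC 6238 test key "12345678901234567890" in base32.

```python
# Added example (not from the HN thread): RFC 6238 TOTP, showing that whoever
# holds the base32 seed from an enrolment QR code holds the second factor.
import base64, hashlib, hmac, struct
from urllib.parse import parse_qs, unquote, urlparse

def totp(secret_b32: str, unix_time: int, digits: int = 6, period: int = 30) -> str:
    """TOTP code (HMAC-SHA1, RFC 6238) for a base32 seed at a given Unix time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // period)      # 30-second time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def parse_otpauth(uri: str) -> dict:
    """Pull label, issuer and seed out of an otpauth://totp/... URI, which is
    the text an authenticator enrolment QR code encodes."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    if "secret" not in q:
        raise ValueError("otpauth URI has no secret")
    return {"label": unquote(u.path.lstrip("/")),
            "issuer": q.get("issuer", [""])[0],
            "secret": q["secret"][0]}

def verify(secret_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` steps for clock skew."""
    return any(hmac.compare_digest(totp(secret_b32, unix_time + 30 * k), code)
               for k in range(-window, window + 1))

# Constructed enrolment URI (hypothetical issuer/account); the seed is the
# RFC 6238 test key "12345678901234567890", base32-encoded.
ENROL_URI = ("otpauth://totp/Example:alice%40example.com"
             "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

def backup_copy_still_logs_in(uri: str, unix_time: int) -> bool:
    """A second phone, a QR screenshot or a cloud backup holding the same seed
    produces codes the server accepts: copying the seed copies the factor."""
    server_seed = parse_otpauth(uri)["secret"]
    copied_seed = parse_otpauth(uri)["secret"]   # the 'backup' holds identical bytes
    return verify(server_seed, totp(copied_seed, unix_time), unix_time)

if __name__ == "__main__":
    print(totp("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", 59))       # 287082 (RFC 6238 vector)
    print(backup_copy_still_logs_in(ENROL_URI, 1111111109))  # True
```

The same `verify` function also makes the thread's other point concrete: the server never learns where the seed lives, so a seed restored from a cloud backup is indistinguishable from the original device.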

> It's designed this way

It's a bad design then :). I dropped gauthenticator years ago because of the ridiculously user-unfriendly inability to transfer/backup auth codes. What a braindead UX assumption. If you pursue security purity too far, people just won't use it.
You can transfer the state between phones now; they relented on that (a good thing, IMO).

Again, if you want auto backup to the cloud then you might as well just not use 2FA and rely on your password manager alone.

Personally I use hard keys wherever possible. Much better UX (and security) than any authenticator app. Just have to buy and register a few of them so you have backups if one breaks.