Using several phones with authenticator apps for 2FA

[MarkoRamius]

Select Topic Area

Question

Body

Maybe I'm just stupid, and it's a total non-issue.
However, I have two phones. One company-provided for work, and a personal one.

When I enable 2FA for my GitHub account using an authenticator app for using time-based one-time password (TOTP) as the second factor, only the app that was registered last seems to work.

Can one use multiple TOTP apps on multiple phones (meaning several phones, but each phone only has one TOTP app installed)?
It doesn't seem to work for me.

[MarkoRamius]

So, maybe it's me that's stupid; or maybe the whole 2FA registering thing isn't as intuitive as lay-people might come to expect.

---

In a discussion on Microsoft's Authenticator app, a possible solution is discussed: doing the registration concurrently with both phones, i.e., scan the QR code with both phones at the same time.

This is discussed here, although one has to read the whole thread to the end. It's only six replies.

---

While this might be the end of the discussion, as there exists a solution. One can't help as to get some "this is mythical lore" fantasy-vibes from this whole affair.

Please, for the love of the lay-people, please state the obvious (I guess that it is obvious for the people who deal with IT-security-things all the time) in your 2FA settings.

If a later Authenticator registration wipes out an earlier one, say so.
If using multiple phones for 2FA is possible, please say so.
If this can't or shouldn't be done, please explain why.

[dfsp-spirit]

Thanks so much, I am an IT professional (who never cared much for the details of 2FA, I have to admit) but it was not at all obvious to me whether this would work or whether it would be a good idea. I can confirm it works. Now I can try to tear apart and repair my cell phone, while having my family tablet as a backup for authentication in case the phone does not survive that surgery. Thanks again!

By the way, there are other websites (like my server hoster's site) that allow you to connect more than 1 authenticator app. I found that a lot less confusing then this solution.

[DNin01]

I believe if you scan the QR code on both phones during the same setup session, you should be able to register both of them simultaneously. Reconfiguring the TOTP factor will generate a new TOTP seed (and QR code) and discard the old one after you have set it up, causing any authenticator apps that you had set up in the past to not work anymore, until you register them again.

So, follow these steps:

1. Navigate to the Password and authentication settings
2. Click "Edit" next to Authenticator app.
3. Scan the QR code on all of the devices you want to use for authentication.
4. After you have finished scanning with all of your devices, enter the six-digit code (it should be the same across all of your devices) to complete the setup process.

[pkgadd]

With 2FA becoming mandatory, there really needs to be a solution to this. A possibility to handle multiple TOTP authenticators (and to invalidate/ replace them independently). I don't want to rely on a single device (even with the recovery codes) to authenticate my account, there needs to be a backup.

[Abdurajjak]

Select Topic Area

Question

Body

Maybe I'm just stupid, and it's a total non-issue. However, I have two phones. One company-provided for work, and a personal one.

When I enable 2FA for my GitHub account using an authenticator app for using time-based one-time password (TOTP) as the second factor, only the app that was registered last seems to work.

Can one use multiple TOTP apps on multiple phones (meaning several phones, but each phone only has one TOTP app installed)? It doesn't seem to work for me.

+8801602040923

[Ebola-Chan-bot]

So far, all you can do is configure the Authenticator app on one device, save the QR code image, and then configure all your other devices with that QR code. Note: Never Edit Authenticator app on GitHub again. Literally: Don't click the "Edit" button. The moment you click that button, a new QR code will override the old one, and all of your configured Authenticators will be invalidated. You can only save this new QR code image again and reconfigure all your other devices.
Always save the QR code image and do not use the setup key. Not all Authenticator apps support setup key, i.e., Microsoft Authenticator on Android.

[Abdurajjak]

![IMG_20240609_000434](https://github.com/community/community/assets/142670822/5dc3e32f-bfd0-46ee-a6be-6395d open

[AntonioGHub]

Great suggestion by @Ebola-Chan-bot previously

My understanding is that when you EDIT, you are issueing a new setupkey (or equivalently the QR code), which will overwrite the previous one. And with it, it will invalidate all single or multiple MFA devices which were using that setup key.

So the trick is:

1. create a setupkey or EDIT an existing one (knowing that you are invalidating all previous devices)
2. copy the setupkey or QR code, save it (also for later) paste it into your first device, and confirm the TOPT code generated from that device into the github page. And hit SAVE on github. At this point you have legitimated your first device.
3. then, open the other device, and setup the MFA by simply pasting the same setupkey. No further confirmation of the TOPT code generated by this second device is needed at this point
4. rinse and repeat with any additional devices

Essentially, after you associated your first device and confirmed its TOPT at github, all other devices configured with the same setupkey will generate the same exact TOPT code at the unison.
Beautiful to see all devices open at the same time, telling the same TOPT at once...

[MarkoRamius]

" ... when you EDIT, you are issueing a new setupkey ...", so maybe "edit" is a poor choice of words?

In general parlance, edit does not imply invalidating the pre-existing state, unless I actively change something.
Expected behaviour with an edit operation is, if I enter into the edit-mode, change nothing and save all changes; that the pre-existing state remains.

The way AntonioGHub describes the operation is fine, although it does not scream "edit".
So maybe, wrong expectations of the behaviour of "edit" is the root cause of my problem.

User error? I don't know. Somewhat yes, the expected behaviour of the user does not align with the behavior of the system. However, ... who else would expect "edit" to actually perform an "invalidate & create new"?