Migrating MFA configurations to a new (i)Phone can be tricky: this article shows how to migrate the tokens/accounts from the most common authenticator apps.
I recently got a new iPhone. All in all it was relatively simple to migrate my account credentials and tokens. However, it did take me a while to figure out how to provide additional verification for my Microsoft accounts at other organizations besides my work (using the Microsoft Authenticator app). Also, I had to add my new phone to the native OTP of our Citrix ADC. This article describes my “MFA migration journey”.
- Google Authenticator app
- Microsoft Authenticator app
- Citrix SSO app
- Citrix ADC native OTP: enroll your new phone
Google Authenticator app
Migrating the MFA tokens from the Google Authenticator app is quite simple: you can export them to your new phone.
1 – Go to the official Google support article:
https://support.google.com/accounts/answer/1066447?co=GENIE.Platform%3DiOS&oco=0
2 – Select your phone (Android or iPhone/iPad).
3 – Scroll down, expand the section Transfer Authenticator codes to a new phone, and follow the steps.
Direct link for iPhone and iPad:
Direct link for Android:
You can keep the same codes on multiple devices if you want to. If you are not planning to use your old phone, it is best to delete the codes from that device.
Microsoft Authenticator app
The account credentials in your Microsoft Authenticator app can also be exported and imported to your new device. This official Microsoft article explains the process quite well, both for iOS and Android devices: Back up and recover account credentials in the Authenticator app. Just follow the steps in the article.
You can choose to have verification codes for the same accounts on multiple devices, but the verification codes will be unique on each of these devices (all are valid). If you are not planning to use your old phone then it is best to delete the codes from that device.
What the article did not explain very well is how to provide additional verification for account credentials that are outside your organization. I am talking about the situation as shown in the following screenshots.
An account requires additional verification.
You have to (re)scan the QR code, but where?
The solution is as follows. Go to the following website:
https://account.activedirectory.windowsazure.com/r/#/profile
On the top right, click on the organization icon (if you do not see this icon, continue here):
You now see the current organization you are signed in for as well as a list of other organizations that you are a member of.
Now you can select another organization for which you need to re-verify your account.
If you do not see the organization icon, you may experience the new MyApps website layout. In this case, you see the name of the organization you are currently signed in to directly under your name. When you click on the profile icon you can select another organization for which you need to re-verify your account.
Note: Remember, you are a member of one main organization (your work or school most likely) and you are using one e-mail address. But your work or school-related Microsoft Azure user account can be a member of multiple (external) organizations.
After changing the organization, click on your profile icon in the top right corner and click View Account.
In the left menu pane, go to the section Security info. Here you can add a sign-in method. After adding your new phone you can also delete your old phone.
You can also click on Update info to modify your security methods.
Citrix SSO app
Citrix also has its own TOTP authenticator app called Citrix SSO. I was using this application on my previous iPhone, but during the migration to my new iPhone, I realized that there was no way to export or migrate the tokens. I then decided to re-enroll all of my tokens in Google Authenticator and stop using the Citrix SSO app. Unfortunately, I did not find another way.
Citrix SSO app on the App Store: https://apps.apple.com/us/app/citrix-secure-access-client/id1333396910.
Citrix ADC native OTP: enroll your new phone
I had to add my new phone to our Citrix ADC native OTP. In most cases the URL will be https://ADCgatewayurl/manageotp, but it can differ, so check the exact URL with your organization.
On the OTP enrollment website, click the plus sign to add another device.
Enter the name of your new phone.
Click Go and scan the QR code with the authenticator app of your choice.
Click Done.
I hope the information in this article was of some help to you.
Dennis Span works as a Lead Account Technology Strategist at Cloud Software Group in Vienna, Austria. He holds multiple Citrix certifications (CCE-V). Dennis has been a Citrix Technology Advocate (CTA) since 2017 (+ one year as Citrix Technology Professional, CTP). Besides his interest in virtualization technologies and blogging, he loves spending time with his family as well as snowboarding, playing basketball and rowing. He is fluent in Dutch, English, German and Slovak and speaks some Spanish.
Good Doc Dennis.
Thanks a lot Ray!
Thanks a lot, impressive. MS advised to contact the Azure Admin in order to get the QR code; having access to 40 organizations, it is impossible.