Migrating MFA configurations to a new (i)Phone

Migrating MFA configurations to a new (i)Phone can be tricky: this article shows how to migrate the tokens/accounts from the most common authenticator apps.

I recently got a new iPhone. All-in-all it was relatively simple to migrate my account credentials and tokens. However, it did take me a while to figure out how to provide additional verification for my Microsoft accounts at other organizations besides my work (using the Microsoft Authenticator). Also, I had to add my new phone to the native OTP of our Citrix ADC. This article describes my "MFA migration journey".

Google Authenticator app

Migrating the MFA tokens from the Google Authenticator app is actually really simple: you can export them to your new phone.

1 - Go to the official Google support article:

https://support.google.com/accounts/answer/1066447?co=GENIE.Platform%3DiOS&oco=0

2 - Select your phone (Android or iPhone/iPad).

Google Authenticator support article choose OS

3 - Scroll down, expand the section Transfer Authenticator codes to a new phone and follow the steps.

Google Authenticator transfer codes to new phone

Direct link for iPhone and iPad:

https://support.google.com/accounts/answer/1066447?co=GENIE.Platform%3DiOS&oco=0#zippy=%2Ctransfer-authenticator-codes-to-a-new-phone

Direct link for Android:

https://support.google.com/accounts/answer/1066447#zippy=%2Ctransfer-google-authenticator-codes-to-new-phone

You can choose to have the same codes on multiple devices if you so choose. If you are not planning to use your old phone then it is best to delete the codes from that device.

Microsoft Authenticator app

The account credentials in your Microsoft Authenticator app can also be exported and imported to your new device. This official Microsoft article actually explains the process quite well, both for iOS and Android devices: Back up and recover account credentials in the Authenticator app. Just follow the steps in the article.

You can choose to have verification codes for the same accounts on multiple devices, but the verification codes will be unique on each of these devices (all are valid). If you are not planning to use your old phone then it is best to delete the codes from that device.

What the article did not explain very well is how to provide additional verification for account credentials that are outside your organization. I am talking about the situation as shown in the following screenshots.

An account requires additional verification.

You have to (re)scan the QR code, but where?

Authenticator presents a one-time password as a verification code

The solution is as follows. Go to the following website:

https://account.activedirectory.windowsazure.com/r/#/profile

On the top right, click on the organization icon (if you do not see this icon, continue here):

Myapplications Microsoft organization icon

You now see the current organization you are signed in for as well as a list of other organizations that you are a member of.

Azure myaps current organization

Now you can select another organization for which you need to re-verify your account.

Myapplications Microsoft change organization

If you do not see the organization icon, you may experience the new MyApps website layout. In this case, you see the name of the organization you are currently signed in to directly under your name. When you click on the profile icon you can select another organization for which you need to re-verify your account.

Microsoft new apps experience

Note:
Remember, you are a member of one main organization (your work or school most likely) and you are using one e-mail address. But your work or school-related Microsoft Azure user account can be a member of multiple (external) organizations.

After changing the organization, click on your profile icon in the top right corner and click View Account.

Myapplications Microsoft view account

In the left menu pane, go to the section Security info. Here you can add a sign-in method. After adding your new phone you can also delete your old phone.

Myapplications Microsoft security info

You can also click on Update info to modify your security methods.

Myapplications Microsoft update security info

Citrix SSO app

Citrix also has its own TOTP authenticator app called Citrix SSO. I was using this application on my previous iPhone, but during the migration to my new iPhone, I realized that there was no way to export or migrate the tokens. I then decided to re-enroll all of my tokens to Google Authenticator and stop using the Citrix SSO app. Unfortunately, I did not find another way.

Citrix SSO app on the Apple Store: https://apps.apple.com/us/app/citrix-sso/id1333396910.

Citrix ADC native OTP: enroll your new phone

I had to add my new phone to our Citrix ADC native OTP. In most cases, the URL will be https://ADCgatewayurl/manageotp. The URL can be different. Check the exact URL with your organization.

On the OTP enrollment website, click the plus sign to add another device.

Citrix ADC or Storefront ManageOTP add new device

Enter a name for your new phone.

Citrix ADC or Storefront ManageOTP name new device

Click Go and scan the QR code with the authenticator app of your choice.

Citrix ADC or Storefront ManageOTP scan QR code

Click Done.

I hope the information in this article was of some help to you.

Dennis Span on EmailDennis Span on LinkedinDennis Span on Twitter
Dennis Span
Dennis Span
Dennis Span works as a Lead Sales Engineer at Citrix in Vienna, Austria. He holds multiple certifications such as CCE-V, CCIA and CCEA. In 2017, Dennis became a Citrix Technology Advocate (CTA). In 2019, he became a Citrix Technology Professional (CTP). Besides his interest in virtualization technologies and blogging, he loves spending time with his family as well as snowboarding, playing basketball and rowing. He is fluent in Dutch, English, German and Slovak and speaks some Spanish.

Leave a Reply

Your email address will not be published.

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.