Migrating MFA configurations to a new (i)Phone can be tricky: this article shows how to migrate the tokens/accounts from the most common authenticator apps.
I recently got a new iPhone. All-in-all it was relatively simple to migrate my account credentials and tokens. However, it did take me a while to figure out how to provide additional verification for my Microsoft accounts at other organizations besides my work (using the Microsoft Authenticator). Also, I had to add my new phone to the native OTP of our Citrix ADC. This article describes my "MFA migration journey".
- Google Authenticator app
- Microsoft Authenticator app
- Citrix SSO app
- Citrix ADC native OTP: enroll your new phone
Migrating the MFA tokens from the Google Authenticator app is actually really simple: you can export them to your new phone.
1 - Go to the official Google support article:
2 - Select your phone (Android or iPhone/iPad).
3 - Scroll down, expand the section Transfer Authenticator codes to a new phone and follow the steps.
Direct link for iPhone and iPad:
Direct link for Android:
You can keep the same codes on multiple devices if you want to. If you are not planning to use your old phone, it is best to delete the codes from that device.
The account credentials in your Microsoft Authenticator app can also be exported and imported to your new device. This official Microsoft article actually explains the process quite well, both for iOS and Android devices: Back up and recover account credentials in the Authenticator app. Just follow the steps in the article.
You can have verification codes for the same accounts on multiple devices, but the verification codes will be different on each of these devices (all of them are valid). If you are not planning to use your old phone, it is best to delete the accounts from that device.
What the article did not explain very well is how to provide additional verification for account credentials that are outside your organization. I am talking about the situation as shown in the following screenshots.
An account requires additional verification.
You have to (re)scan the QR code, but where?
The solution is as follows. Go to the following website:
On the top right, click on the organization icon (if you do not see this icon, see the paragraph on the new MyApps layout below):
You now see the current organization you are signed in for as well as a list of other organizations that you are a member of.
Now you can select another organization for which you need to re-verify your account.
If you do not see the organization icon, you are probably looking at the new MyApps website layout. In this case, the name of the organization you are currently signed in to is shown directly under your name. When you click on the profile icon you can select another organization for which you need to re-verify your account.
Remember, you are a member of one main organization (your work or school most likely) and you are using one e-mail address. But your work or school-related Microsoft Azure user account can be a member of multiple (external) organizations.
After changing the organization, click on your profile icon in the top right corner and click View Account.
In the left menu pane, go to the section Security info. Here you can add a sign-in method. After adding your new phone you can also delete your old phone.
You can also click on Update info to modify your security methods.
Citrix also has its own TOTP authenticator app called Citrix SSO. I was using this application on my previous iPhone, but during the migration to my new iPhone, I realized that there was no way to export or migrate the tokens. I then decided to re-enroll all of my tokens to Google Authenticator and stop using the Citrix SSO app. Unfortunately, I did not find another way.
Citrix SSO app on the Apple App Store: https://apps.apple.com/us/app/citrix-sso/id1333396910.
I had to add my new phone to our Citrix ADC native OTP. In most cases the URL will be https://ADCgatewayurl/manageotp, but it can differ from one deployment to the next, so check the exact URL with your organization.
On the OTP enrollment website, click the plus sign to add another device.
Enter a name for your new phone.
Click Go and scan the QR code with the authenticator app of your choice.
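Both the Google Authenticator export above and the Citrix ADC enrollment QR code hand the phone an otpauth:// URI that carries the shared TOTP secret, and any device holding that secret produces the same six-digit codes for the same 30-second step, which is why an exported token keeps working on the new phone and why the old phone's copy should be deleted. The following Python script is an added example (not code from the article, Google, Microsoft or Citrix): it parses such a URI, computes RFC 4226 HOTP / RFC 6238 TOTP codes with the standard library, and shows a server-side check that tolerates one step of clock drift. The URI, label and issuer are constructed for illustration, and the secret is the public RFC 4226/6238 test-vector key, not a real token.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlparse, parse_qs, unquote

# Constructed example URI in the shape an authenticator app reads from an enrollment QR code.
# The secret is the public RFC 4226/6238 test-vector key ("12345678901234567890" in Base32).
EXAMPLE_URI = (
    "otpauth://totp/Example%20Gateway:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Gateway&digits=6&period=30"
)


def parse_otpauth(uri):
    """Split an otpauth://totp/ URI into label, secret, issuer, digits, period and algorithm."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI carries no secret")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"],
        "issuer": params.get("issuer"),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def hotp(secret_b32, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, then modulo 10^digits."""
    # Base32 secrets in otpauth URIs are usually unpadded; restore padding before decoding.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}[algorithm]
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_b32, unix_time=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238: HOTP with the counter set to the current time step."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret_b32, int(unix_time) // period, digits, algorithm)


def codes_match_on_two_devices(uri, unix_time):
    """Two phones holding the same secret compute the same code for the same time step."""
    entry = parse_otpauth(uri)
    args = (entry["secret"], unix_time, entry["period"], entry["digits"], entry["algorithm"])
    old_phone = totp(*args)
    new_phone = totp(*args)  # the exported copy, identical secret and parameters
    return old_phone == new_phone, old_phone


def verify_code(secret_b32, candidate, unix_time, period=30, digits=6, window=1):
    """Server-side check: accept the current step or up to `window` steps either side (clock drift)."""
    step = int(unix_time) // period
    return any(
        hmac.compare_digest(hotp(secret_b32, step + delta, digits), candidate)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    entry = parse_otpauth(EXAMPLE_URI)
    print("enrolled:", entry["issuer"], "/", entry["label"])
    same, code = codes_match_on_two_devices(EXAMPLE_URI, int(time.time()))
    print("old and new phone agree:", same, "current code:", code)
```

The RFC test vectors let you confirm the implementation before trusting it: counter 0 gives 755224 and unix time 59 gives 287082. Because the secret is the whole credential, anything that can read the otpauth URI (a screenshot of the QR code, a backup of the old phone) can generate valid codes, which is the practical reason for removing the token from the old device once the new one is enrolled.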
I hope the information in this article was of some help to you.