Jean15paul writes,

I just read the article on using 2-step and I want to start using it, but I'm a ROM flasher.  How do I manage?  I think this could make a great article.

We think it could make a great article, too, Jean15paul. And it goes for users with more than one mobile device as well as flashers and ROM-a-holics. As safe as two-step authentication is, it was clearly designed for folks with one phone, and one computer, who don't like to erase and re-install either one. Unfortunately, this is a hard hurdle to cross.

The easy way, and the way I'm lucky enough to be able to do it, is with an old Android phone that's a dedicated authenticator. I reverted my Nexus One back to stock, and installed the authenticator app. I also use an authenticator for Blizzard games, so this worked well for me. I keep the phone charged, and any time I need a code I can start it up and get one -- until the power button goes out again, that is. This way I'm not ever locked out of my Google account, which can happen when flashing ROMS or jumping to a new phone.

Of course, that's not a good solution for most folks. If you have an old Android device laying around, I really recommend you try it (as well as printing out your 15 one-time use codes). If you don't have access to another Android phone, which is going to be most of us, things are a little bit rougher. The best solution I can find is to disable two-step authentication from the web (in your Google account settings) before you wipe and flash a new ROM. Once you're satisfied that it's worth keeping for a few days, re-enable it and go through the set-up with application specific passwords again. It's a lot of work, and adds a good bit of time to your set-up every time you flash a ROM. But it's also the best way to guarantee you're not locked out of your Google account.

Of course, since it's a pain in the you-know-what, most folks aren't going to do it. Never mind what you know, or what you've heard is best for your online safety, people always like to take the easy way out. With that in mind, I want to share a little nugget of wisdom passed on to me by a teacher about passwords. Long passwords with upper case and lower case letters are very difficult to crack. They are also difficult to remember. To make the remembering part easier, use the first line from a favorite song all in one word. For example, ItsAllRightIfYouLoveMeItsAllRightIfYouDont is a password that probably won't ever get cracked, but is easy for me to remember. It's just a pain to type out on an on-screen keyboard. But it's still better than being hacked.

Have a question you need answered? (Preferably about Android, but we're flexible.) Hit up our Contact Page to get in touch!


Reader comments

From the mail bag: Managing two-step authentication for the ROM addict


My nexus one is also an Authenticator. But be careful, clock drift when it has no sim card installed can make it so none of the codes work. Use the clock sync option built into authentication app to get around this.

But realistically, who has a smartphone that they want to root and rom, but no computer they can trust?

If you are a rom a week kind of guy you would better off NOT using Authenticator at all. Just get your codes via SMS. If your phone is so bricked you can't even get a sms, you can always log in with your computer.

Oh, and Jerry: Wake All app in the Play store gets around the dying Nexus One power button. Sadly, mine is dying too.

But doesn't android NOT use 2-step but uses the Application Code instead? Couldn't you revoke access or something similar and then redo it when you try to login to Gmail on your phone?

Yes android uses an Application specific password, 16 characters.

If you are romming a lot, write it down the first time, and use it after each rom install. I don't think you need a new code for each rom.

The only thing you need the Authenticator for is getting a 6 digit code for web apps, such as the browser. If you can log into the account on the Android browser you can do everything from there, including generating a new 16 char application specific password. You will need a 6 char code to log in via the browser, just to get a 16 char code to have android log in.

Just get them by sms would by my recommendation unless you have another android laying around.

So then it is not really a big deal. You can just login to Google 2-step on a PC when u flash and enter a new 16- character hash. Am I right?

all of subject I know but I have been searching for an answer. Google wallet keeps force closing when I try to add a card to it after flashing a new rom.does anyone know how to resolve this?

Since you've used Blizzards authenticator you already know thats how it should be done with google. With blizzards authenticator there is a recovery code that i keep safely locked away that i use every time i flash something new so that i dont have to constantly worry about removing it from my account before i flash again

Agreed. I would hope that Google is having a close look at the Authenticator app after this new influx of users. Maybe they can simplify the entire process.

If you're using a separate dedicated phone for authentication, don't you have to take that phone with you anywhere? How would I log into Google at work if my dedicated authenticator is at home?

I must admit, I'm guilty of ROM flashing while driving :(
In my defense, the phone was on a windshield mount and I typed in the username and password while stopped on a red light.

I have authenticator running on two devices. My daily driver, and my Nexus One which lives on my desk at home. See the how-to..

But the chances of me needing a code when I don't have cell service is slim to none, and I'm thinking of just dropping it all together in favor of SMS.

This is unnecessarily complicated. I set up the Google Authenticator on my phone, then backed it up using Titanium Backup. After I flash a new ROM, I restore the Google Authenticator app plus data, and it immediately begins giving me codes again with no new log-in, etc. Try it out! It's a lot more convenient than keeping a separate device on me at all times.

Logged in to say the same thing and found that it has already been said.

Titanium backup of Google Authenticator data can be restored and it will work as expected. I use my galaxy nexus as an authenticator and when I got my Nexus 7, rather than de-activate and re-activate 2 factor authentication, I just sent my titanium backup of it over to my N7 and now both can be authenticating devices.

I'm assuming you have the titanium backup apk then, as well as a rom with a file manager integrated? Or perhaps you don't do full wipes between flashes? As I'm sure you know, doing a full wipe will log you out of all of your google services, in this case most importantly the market. Thus, obviously, re-downloading apps would be impossible without re-authenticating.

I use a different method involving some google voice trickery to allow me to gain access when I'm away from my computer, but I am curious if you have found a different way that is also mobile. Crack flashers cannot be hindered by location lol.

Of course, ignore all of this if you're using adb.

You need to use a "Application-specific password" to log to your Google Account from your phone anyway. You do not need your authenticator in that case to access the Play Store.

Login using a "Application-specific password" generated specifically for your phone, install Titanium from the Store, restore your Authenticator and you are golden.

Actually, a friend and I were comparing notes. He does exactly as you with an application-specific password. However, I use my real password in the browser sign-in and then it asks for a verification code.

For my older OGD, I use an application specific password.

Eh, I wouldn't say "need." It is possible using your account password. That being said, do you know of a way to generate an application specific password when mobile? I have not found a way, nor do I want to carry around one written down in my wallet.

Never liked the idea of writing down passwords lol, especially when it is possible when out and about without writing one down.

Sure. Open your browser on the mobile, and go to

You can do it from that page on mobile just as well as on the desktop.
Problem is, on a freshly installed phone/rom, you will need a 6 digit code just to access that page.

Get that by SMS or the Authenticator.

Yeah, I guess I left out a few steps. Here's what I do:
1) Back up my apps+data (including GAuth) using TB
2) Copy the TitaniumBackup folder from Android to my PC
3) install the ROM (this includes wiping data)
4) Place the TitaniumBackup folder back on Android, if it was wiped
5) Set up wifi on the new ROM
6) Generate a new device-specific code in my Google Account in a web browser, and use that to sync my Google Account with the new ROM
7) log into Google Play Store and install Titanium Backup and Pro
8) Restore all apps+data in TB. GAuth should continue to work as before.

Sometimes, when I go to perform step 6, Google will ask me for one of my codes. SInce GAuth hasn't been set up yet, I just click "Don't have your phone?" Then it calls my Google Voice number which forwards to my cell, and I use the code there to access the Device code page in Google Account settings.

May seem complicated, but all of these steps are the normal fair when installing a ROM anyways, and they bring all of my apps back. Hope this helps!

You can use the tibu app to 'create',and make sure you save it as a system app, you will see the option. When you flash your roms that is always there on your sdcard waiting to be activated... Check it...

Are you referring to wiping sd card too? When I flash a rom, I wipe cache, dalvik, factory reset. Then I just download Titanium Backup from the market and restore the backup. The backups are on the SD so they are safe unless you wipe the SD card, and I never do.

I usually have TiBu and OI file manager apks on the sdcard.
The easiest way of installing is by copying them to /data/app
in recovery via TWRP's file manager, aroma file manager or adb.

If they're on the sdcard and I forget to copy in recover, I
enable unsecure app installation and point the stock browser
at whichever apk like so: file:////sdcard/apks/Titanium_Backup_latest.apk

The last method is to just download either apk from their web pages
and install directly from the download.

You can just get a new code online from security setting under your account. I do it all the time and flash many ROMs. It's not that much of a hassle at all. You can also use it to remove authentications for older devices or ROMs not in use anymore.

I've been using Google Authenticator pretty much ever since it became publicly available. Since I switch ROMs often and use multiple Android devices, I use Titanium Backup to synchronise the apps everywhere with the same token data. The basic idea is to backup GAuth in app+data mode. You can than use TItanium to restore it to whichever device you need to use it on.

This method worked very well for me. I have never had the need to disable/re-enable 2-step authentication, both on Google or on a bunch of other services that use GAuth (LastPass is one).

One thing you might consider doing (if you are paranoid) is avoid saving the Titanium Backup of GAuth on the cloud (e.g., Dropbox or Box).

It's even easier than that to replace your authenticator device, assuming you have both the new and old device in front of you before you start. Just go to your Google accounts page, then go to the Security section (quick link: ). Click "Edit" next to 2-step verification. Then look for the "Remove/Replace" link, next to the Mobile Application label. Clicking that disables multifactor temporarily, but you can then re-enable with the same seed on a different device, which keeps your one-time-use "scratch codes" (recovery codes) intact, as well as any site-specific passwords that you may have set.

This has never worked for me. I've tried multiple times, and each time it killed all of my application specific passwords at the same time. And that's a huge problem for me, because as well as a few Android devices I have a Windows Phone I use, and each Google application on there (Reader, Voice, Talk, Gmail, Music...) has its own application specific password. It's a huge hassle to have to fix all of that.

I just turn off 2-step before flashing a new ROM and then reactivate it afterwards. That is the quickest method for me. I also have the printable backup codes saved as a text file in Google Drive and bring them up on my Chromebook when needed.

The quickest method for you is to write down that 16 digit app specific code or put it on your chromebook.
Having to turn things off and on again is silly.

Keeping the google auth files backed up is a good idea but if they are on a SD card that means an enterprising hacker could easily use them against you (the SD card is less protected than the internal storage where the gauth data is normally kept). Still better than just a password, but not totally secure.

What I usually do is make sure my google account is "fresh" on the PC i need it on (as in the code was already entered) and then flash the new rom. Only if I decide to keep the rom for a while do i bother setting up authenticator on it. I go in through my PC and generate a new 1 time password, then follow the "Activate authenticator" process as well to set that up. You briefly have to turn 2-factor off and then on but it is not really a hassle.

And yes, print out your codes and keep them with you (or in a safe, close location). I have been "stumped" 4 times now (locked out with no working gauth) so it has come in handy.

I've been using 2-step for awhile and I'm a crack flasher always wiping my phone and trying new roms. There's no need to disable 2-step when you flash a new rom or even to go online to get a code. I have also never had to use the Google Authenticator app. I have my phone number tied to my account so it will text me a new code. All i have to do is copy and paste.

After you wipe and flash a new rom, on the initial set up it asks if you have an existing Google account, say NO. Then on the next screen it asks if you want to create an account, say Not Now, then just finish the setup. Now you'll be at your home screen so go to Settings > Accounts and add a Google account. Log in with your normal password, it will tell you that it cannot log in and take you to a webpage to log in. This is when you will be texted an authentication code. Put that into the webpage and you are all logged in.

The key is not trying to log into your account on the welcome setup because it will still take you to the webpage logon page but you cannot back out to view the text message it sends you.

Nice, thanks for this. I won't be so scared to use it now. I'm constantly flashing....out of boredom mostly.

Tip: skip entering your info on that login screen and head to straight browser login via the overflow menu button (three dots) on the action bar (or wherever your menu is).

Good tip. Never thought of doing it that way.

All I usually do is make sure I'm signed in on a computer before I flash a new ROM so I can get an application specific password after the new ROM is flashed and use that in the initial setup to login to my google account.

Then I install the google authenticator either through Ti or from the market (I sync data on my google account so the settings usually just come right back.) But I keep my printed emergency codes handy in case I need them.

Other than having to get a new application specific password it's not big hassle to deal with at all.

There are two ways authenticate the phone with 2-step. One is with an application-specific password. The other is with your real password and a verification code (from the authenticator or elsewhere).

This is very similar to my method, works well and although it is slightly time consuming it is most certainly worth it. Cool to see someone came up with something similar :).

I agree with the TiBu folks above. I have no problems with Google Authenticator being backed up each time before I flash a new ROM, and restoring it afterwards (using app+data). If you use the 2-step authentication, you'll need to use the "sixteen-letter random password" Google gives you when initially setting up your Google account on your Android phone. (I've had to enter that 16-character password so many times, I now have it memorized. Which is a sad usage of my limited memory.)

True, if somebody can get at your TiBu backups they might be able to access your GAuth code, but then they hopefully don't have your "main" Google password. I'm willing to take that risk.

Also note that "dirty flashing" a ROM seems to have no impact on Google Authenticator -- it goes right on working.

Google's 2-step authentication is pretty awesome...everybody should be doing it!

There's also another way to get back your authenticator without using Titanium Backup. When you're first setting up 2-step auth, instead of scanning the barcode, select doing it manually, and save the key that you're asked to enter on the app. When you flash the rom etc you can manually add the account back by entering that same key again, so as long as you save that key somewhere safe, you can re-add your account without having to turn off 2-step authentication.

I think my workaround is the easiest one.

To log in to your Google account you always need to enter a 6 digit verification code after the password. Before you erase your settings from the ROM (ex. factory reset) log in to the Google account settings and add your phone number so that the website can send you the code by SMS text message instead.

Once you flash your new ROM, log in to your account, request the code to be sent by SMS, go to settings, 2 step verification, remove the android app, then click again to add android app. It will prompt you to scan the bar code from the Authenticator app or give you a code so you can manually add the account.

IMPORTANT! You cannot setup the app in the new ROM until the app is installed (obviously). You either need to have the .apk saved on your sd card or setup a dummy/random Google account so that you can download apps from Google Play/Market.

This is what I do. I actually have a dummy Google account that's only used for a Google Voice number. The Google Voice is the one I have setup to receive the codes via SMS.

Hope this helps.

Before flashing a ROM sign-in and disable 2-Step Verify and make sure you have your print out of codes. I usually keep a PDF file of them on my phone. Setup ROM re-install Authenticator and set it back up and go on with your life. >>"CAKE"<<

The way I see it, it's a lot easier to save the key used to setup the Authenticator app, that way you never have to turn off 2-step authentication again. You just reinstall Authenticator, add your account & key and you're set.

Yeah, this works pretty well, and is what I used to do, but for some reason my titanium backup failed once the other day, not sure why, possibly because I switched from an ICS to a JB rom on my gnex. But when I tried restoring with data it didn't have my accounts, and I tried with 2 different backups.

Also, you should consider saving the one time password for your account, it comes in pretty handy when you're constantly flashing, that way you don't have to skip activation.

I think it should also be noted that the one-time use codes that Jerry mentions in the article actually number more than 15. They're generated in batches of 10 at a time and as many more can be generated as necessary. I wrote a set down in my wallet on a random piece of paper, no labels or anything. Should be pretty secure there, I hope.

I use LastPass for most things online. My Google account has a completely different password then the rest of the sites I use, but I do not use 2-step. On Android, I use App Lock on some "sensitive" apps: Gmail, G+, Yahoo mail, Chrome, Dropbox, Drive, Amazon appstore, Messaging, ROM manager, G-Talk, G-Voice, YouTube, Settings, Solid Explorer, Wallet. I also do not store any really important data in the cloud. Mostly it's just trivial stuff which can easily be replaced.

Thoughts on my approach, anyone?

LastPass rocks. See my comment at the end. Everyone should use LastPass Premium. (Though I think you could use the free browser/pc version for this issue.)

As most people are indicating, Jerry, you're trying way too hard and doing it the wrong way. I've been using Google Authenticator since before it came out (not supposed to tell you why) and flashing ROMs monthly since the early days of the N1 and never had to disable 2-step authentication once or use a device specifically for Google Authenticator. That's just silly. When you're ready to flash a ROM, simply open a browser on a device that's not your phone, access the list of application-specific configurations. Wipe and flash the ROM, delete the current application-specific credential for your device, generate a new one and use it to log into the device, restore from Titanium Backup. Done. If you happen to have forgotten to access the 2-step auth section, but have signed into Google on that computer using the secondary token in the last 30 days, you should only be asked for your regular Google password. If not, you can still have the 2-step auth system send you a text. I don't recall if your have to be signed in on a phone to receive texts though. Anyway, it's really easy. Do it.

I'm very skeptical of the theory that the "use the first line from a favorite song all in one word. For example, ItsAllRightIfYouLoveMeItsAllRightIfYouDont" method of password generation is all that secure. In fact, it seems very vulnerable to a potential dictionary attack:

The bad guys know the common folk are using this method - it's a well publicized scheme; Leo LaPorte blabs it out on his Tech Guy radio program pretty routinely - so they look for a way to exploit it.

Write a script that scrapes some lyrics site for the lyrics to all the songs on it. Write another script that parses out the various permutations of the lyrics scheme from the songs and dump it into a dictionary file along with all the other dictionary file common stuff. Brute force your way in.

I'm no cryptologist, and certainly not the sharpest tool in the shed, but seems like risky business to me. I'd love to be proven wrong on this? Are the permutations just too many?

Either way, I think it's extremely unsafe to not include at least a few special characters or numbers in the mix.

I really think some here are making this way to complicated. All you have to do is have a second device handy when you flash a ROM. A PC, tablet, ipod touch or any old phone on wifi will do just fine. On the secondary device, delete the old application specific password and generate another. Use that to log into your google account on your newly flashed rom and you are up and running. Super easy!

The really addicted crack flashers are flashing while driving, while on the golf course, etc. A second device isn't available to them. Personally, I wouldn't risk flashing on the only device I have with me while out and about, but some like to live life on the edge. ;)

So I kind of lucked out.

When I set up 2-step verification, I used my cell # as a backup method for getting authentication codes. I later ported my cell # to Google Voice. So now, my backup authentication codes are sent to my Google Voice inbox.

As long as I'm at home, I can just use my desktop (always signed into my Google account) as my authenticator device! Failing that, if I'm out and about I can just force Google to call my GV (inevitably reaching my phone) and get a code that way.

Another thing you could do is just generate a device-specific code for your Android phone, write that down and keep it safe, and use that as your password for setting up your device.

I just have a copy of the barcodes used to setup my Google 2-Step and LastPass in my email.. I login to my email on another device before flashing, flash, upload the APK for authenticator, scan the barcodes and its all sorted.

And yeah for the actual application password.. I just fire up a browser, delete and recreate everytime.. takes 30 seconds.

"I just have a copy of the barcodes used to setup my Google 2-Step and LastPass in my email...." **FACEPALM**

[N.B. My experience is relevant for those doing factory resets regularly, but not rooting or reflashing a phone.]

Yes, you need an application specific password for the Android device. You generate it from the "Authorized access to your Google account" page. To my knowledge you can't retrieve a previously used app-specific password; you can only revoke a previously set one and create a new one. Takes a few seconds.

I believe the arises if you flash your phone which holds Authenticator, then remember you have to generate a new app-specific password for the phone. OOPS. Google prompts you for an Authenticator one-time code to get in to the Account Security page. The solution is a very non-tech-savvy step. Log in to Google FIRST, and if you're prompted for the one-time code, put it in. Then revoke the device password. THEN do your reflashing, factory reset, etc.

Re-syncing Authenticator is a bit clunkier. You can delete the sync from the phone, but I can't find a page to "re-provision" the mobile app. There might be a simpler way, but I have done it by disabling two-step auth from my account. Then re-enable it. Otherwise, it shows the Authenticator is already enabled, no options. (Am I missing something?) BUT when I've re-enabled two-step auth, my previously created application specific passwords are still there. Kind of a security lapse, but very handy so I haven't had to set up each device and application again (and yes, I have a bunch: Outlook, 2-3 browsers on 3-4 computers). Just make sure you are fully logged in through the entire process.

And don't do it over public (open) WiFi hotspots. Do it at home over Ethernet. ;)

(BTW, the one-time passwords Google tells you to print out ... saving as a secure note in LastPass Premium works better for me. Since the data is encrypted, and stored in the cloud (encrypted), it is accessible once I reinstall Lastpass and log in as well as on my PCs. I also use Authenticator and two-step auth with LastPass. Very easy to reprovision Authenticator for LastPass.)