It intentionally cannot be redisplayed; the reason is that doing so could mean someone else has the same key and ability to generate the same codes as your device, without your knowledge, so it is only visible during enrollment. What you can do is change two factor method, or turn it off, which will cause you to be forced to immediately re-enroll if it's an admin account, and you'll then see the new QR code for the new key.

I was thinking about replacing my smartphone. I hadn't had the question until now. The Google Auth app tie the 2FA to the hardware it's on? Makes sense that it would. That means data and app transfer from the old phone to the new phone is meaningless regarding the 2FA?

A quick solution could also be, use a backup token to log into Admin and then reset your 2FA on your new device?

Scott

That will come down to the app you choose to use for TOTP code generation and how secure you want to be. Google Authenticator, for example, can't extract the codes back out, and may not even survive a backup/restore (intentionally) so someone with temporary access to your phone, or with access to your backups, can't restore your key data onto a new device. There are other options like Authy which is cloud-based and lets you replicate your TOTP codes across devices, albeit with lower security.

The preferable 2fa option is Webauthn/U2F with hardware token (not YubiOTP which is different and can use the same hardware token). The Webauthn option supports a variety of hardware options and is not dependent on a cloud service. There are even tokens that do Webauthn via NFC so you can authenticate on a mobile device using your hardware token.

You are correct that you could also use a backup token to get in after moving devices and then reset your second factor.

Interesting news. I think it's new as I haven't seen the option before now. The Google Authenticator app updated on my iOS device. There is an "Export Accounts." I think it's new. It implies you can export your accounts to a different device. That appears it will save many hassles when changing/upgrading a smartphone.

PS: I'm still looking for a way to be able to authenticate (2FA) with either-or. If for some reason I don't have my Yubikey and no access to the backup tokens, I could still login with Google Auth -- without having a second/alternate user in the Miva Admin. I know a few stores that would have pages of users if they had multiple users.

Scott

There is no “or” scenario, it’ll always be the chosen method or backup code.

I've previously made the feature request in the proper forum, where, the user would be able to set up a second 2FA device for their account. I've heard or seen no feedback on the dream feature idea. There may be more Pros than I've implied, but I don't' know what the cons are if any.

Scott

The feature request does exist internally; I've logged the same one as well. The downside, if any of the methods are not hardware-based, is that someone could potentially posses your second factor without your knowledge; e.g. they got the TOTP key out of your device, Authy, etc. and are generating codes that are valid without you knowing it.