Migration guide

How to Migrate from Google Authenticator to Fob in 2026

Published April 23, 2026. Works whether or not you use Fob.

Google Authenticator has an export button. Most authenticator apps do not. The process is honestly simple: one menu, one QR code, done in about a minute. This guide walks through it, explains what the export actually contains, and lays out what Fob does differently once your accounts are moved over.

Who this is for: Google Authenticator users with more than a handful of accounts who want tags, a backup story that is not tied to a Google account, or both. If you have five accounts, no organization needs, and you are happy with how sync works, Google Authenticator is fine. The honest version of this page starts there.

Why move from Google Authenticator?

Google Authenticator works. For a long time it did one thing (store TOTP secrets on one device) and did it reliably. In 2023 Google added cloud sync, which fixed the biggest complaint the app had for a decade.

Three gaps remain, and they are why most people who end up here are looking to leave:

• No organization. You get a flat list. Search helps up to maybe 15 accounts. Past that, scrolling is the user experience. There are no tags, no folders, no grouping.
• Sync is tied to your Google account. If you want the sync feature, you sign in with Google. Your encrypted vault rides along with your Google identity. For users who are trying to step away from that identity, or who just do not want 2FA tied to one provider, that is a problem.
• Backup is not zero-knowledge. Google's own documentation is clear that the cloud backup is encrypted, but not end-to-end. Google holds a key. That is an acceptable tradeoff for many users and a dealbreaker for others. Name it and decide.

None of this makes Google Authenticator a bad app. It makes it the right app for a specific profile: low account count, no organization needs, comfortable with Google holding the keys. If that is not you, a move is worth 60 seconds of effort.

The export format

This part is worth a paragraph because most migration articles skip it.

Google Authenticator's "Transfer accounts" feature generates a QR code (or several) that encodes an otpauth-migration://offline?data=... URI. The data parameter is a base64url-encoded protobuf message (the MigrationPayload schema) that carries each account's secret, name, issuer, algorithm (SHA-1, SHA-256, or SHA-512), digit count (6 or 8), and OTP type (TOTP or HOTP). It also carries a batch_size, batch_index, and batch_id so multiple QR codes can be stitched together in any order.

The practical consequence: Google caps each QR at about 10 accounts. If you have 30 accounts, your export will be three QR codes. A destination app has to read them all and reassemble. Fob does this automatically, as do most other apps that support the format.

There is no file download, no JSON export, no CSV. The QR codes are the entire interface. Once you have scanned them into a new app, you can regenerate them at any time from Google Authenticator.

How to migrate in about 60 seconds

Two paths, same outcome. Pick the one that matches your setup.

Two phones: camera scan

Use this if you are upgrading to a new phone and still have the old one in hand.

1. On your old phone, open Google Authenticator.
2. Tap the menu (three dots or your profile photo, depending on version), then Transfer accounts > Export accounts. Verify your device lock.
3. Select the accounts to transfer. You can select all, or prune the ones you have stopped using.
4. Tap Next. Google Authenticator generates one QR code per batch of up to 10 accounts. If you see "1 of 3" at the top, there are two more to scan.
5. On your new phone, open Fob, tap Add account, and choose Import from Google Authenticator > Open camera. Point the camera at the first QR on the old phone.
6. If there is more than one QR, Fob will tell you it still needs batch 2 of 3, and so on. Swipe on the old phone to show the next code, and scan each one.
7. Review the list Fob extracted. Accounts arrive untagged; add tags now or later.

One phone: screenshot import

Use this if you only have one phone. A phone cannot scan its own screen with its own camera (the camera faces away from the display), so the move is: screenshot the export QR in Google Authenticator, then pick the screenshot from Fob.

1. In Google Authenticator, open the menu, then Transfer accounts > Export accounts. Verify your device lock.
2. Select the accounts to transfer and tap Next. Google Authenticator generates one QR code per batch of up to 10 accounts.
3. Screenshot the QR. If there are multiple batches ("1 of 3", "2 of 3", ...), screenshot each one separately. Swipe to the next batch in Google Authenticator and screenshot again.
4. Open Fob, tap Add account, and choose Import from Google Authenticator > From image.
5. Pick the first screenshot from your gallery. Fob reads the QR out of the image, no camera involved.
6. If there are more batches, repeat for each screenshot. Fob stitches them together.
7. Review the list Fob extracted. Accounts arrive untagged; add tags now or later.
8. Delete the screenshots when you are done. They contain your account secrets in plain QR form.

That is it. If all your accounts are TOTP (the overwhelming majority are), everything transfers. Accounts that use HOTP (a counter-based variant) are rare and will be flagged during review so you can re-enroll them manually.

What happens to your Google Authenticator data

Exporting does not delete anything. Your accounts stay in Google Authenticator on the old phone until you decide to remove them. The generated QR codes are stateless: they do not invalidate the source, they do not phone home, they just encode the secrets that already live on the device.

This is the right way to do it. Keep Google Authenticator installed and working for a few days after you migrate. Generate codes from Fob as your primary app; use Google Authenticator as a fallback. Once you have logged into every account at least once using Fob codes, you know the migration took. Then, and only then, uninstall Google Authenticator or tap Remove accounts inside it.

If you use Google Authenticator's cloud sync, signing out of your Google account in the app also removes the synced copy from Google's servers, with the usual 30-day soft-delete window.

After migration: what Fob does differently

The migration was the easy part. Here is what changes once you are in.

• Tags, not folders. A Coinbase account can be crypto, exchange, and high-value at the same time. Filter by any combination. No other authenticator has this.
• Zero-knowledge sync. Your vault is encrypted on-device with AES-256-GCM. The key is derived from your password with Argon2id and never leaves your devices. Fob's servers hold a blob they cannot read. The full architecture is at fob.codes/security.
• No Google account required. Sync is tied to your Fob account and your password. Nothing else.
• Export any time. If Fob ever stops being the right choice for you, your vault exports in an open format behind a reauth prompt. We cannot hold your codes hostage.

If you are also moving accounts off Authy, that process is harder because Authy does not expose an export. The step-by-step is at /import/authy.

Fob is Android-first. iOS follows. The waitlist is on the homepage.

FAQ

Can I transfer accounts between two active devices?

Yes. The export QR does not touch the source, so you can scan it into a second device, leave the original intact, and have both working at once. This is useful if you are setting up a secondary phone or want a live backup. Treat both devices as equally sensitive. Two copies of a secret is twice the attack surface.

What if the QR code will not scan?

A few things to try, in order. Clean the camera lens. Turn the old phone's brightness up to full. Move closer: these QR codes are information-dense and benefit from the camera being six to eight inches away, not across the room. If the camera still refuses, screenshot the QR on the source phone, send the screenshot to the target phone, and tap From image in Fob's importer instead of using the camera. Fob's image decoder reads the same QR with no camera involved.

Can I migrate using only one phone?

Yes. Use the From image path described above. Screenshot the export QR inside Google Authenticator, then pick the screenshot from Fob's importer. Fob never needs the camera for this. Delete the screenshots after the import lands so they do not sit in your gallery indefinitely.

Does Fob keep a copy of my Google Authenticator data?

No. The QR data is parsed in memory on your device. Fob extracts the account fields into its own vault format, then discards the migration payload. The original QR is never sent to a server, never written to a log, and never persisted anywhere. This is true for every import format Fob supports.

Is Google Authenticator going away?

No. There is no indication Google plans to sunset it. The app is widely used and actively maintained. This guide is not an emergency exit. It exists because enough users are outgrowing Google Authenticator's organization story or want sync that is not tied to a Google account.

What about Authy?

Authy is a harder migration because Authy never shipped an export. There is no QR code to scan. Every account has to be disabled at its source and re-enrolled in the new app by hand. The step-by-step is at /import/authy. Google Authenticator users have it easier than anyone.