Recovery · 12 min · Published 2026-03-17 · Reviewed 2026-04-08

How to Find or Recover a Google Authenticator Secret Key

A practical guide for locating a TOTP secret, extracting it from a QR code, or deciding when to rotate it instead.

Google Authenticator secret key · recover TOTP secret · secret key from QR code

Quick Summary

  • The secret key is the shared seed used to generate TOTP codes.
  • Recovery usually depends on the original QR code, backup data, or the service that issued the secret.
  • If the old device may be compromised, rotating the secret is safer than reusing it.

Key Takeaways

  • Start with the original setup source, not the app UI.
  • Local QR decoding is safer than uploading sensitive setup images elsewhere.
  • Recovered secrets should be stored like high-value credentials.

What the secret key really is

The secret key is the shared seed behind every TOTP code. When a service enrolls you in authenticator-based 2FA, it creates that seed and gives it to your app through a QR code or a Base32 string.

Anyone with the same seed can generate the same valid codes, so the secret should be treated like a sensitive credential.

Where recovery usually works

The easiest places to recover a secret are the original QR code, a password-manager note, an authenticator export, or the provider dashboard if it lets you reset or regenerate 2FA.

Recovery is much harder when the only copy lived inside one phone and the app never exposed export or backup options.

  • Original QR image or screenshot
  • Password manager secure note
  • Authenticator export or migration file
  • Provider security settings that allow re-enrollment

How to extract a secret from a QR code safely

A TOTP QR code usually contains an otpauth:// URL. If you decode that image locally, you can inspect the secret, issuer, and timing settings without sending the QR elsewhere.

That local-first workflow matters because the QR code itself contains the exact information needed to recreate the account.
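
Added example, not part of the original guide: a local parser for an already-decoded otpauth:// URL that pulls out the secret, issuer, and timing settings. It goes one step beyond the text and computes the RFC 6238 code, so a recovered secret can be compared against a known-good authenticator. The function names are this example's own, and the sample URL is constructed from the RFC 6238 test key, not a real account.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs, unquote

def parse_otpauth(uri):
    """Parse an otpauth://totp/ URL into its enrollment parameters."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc.lower() != "totp":
        raise ValueError("not an otpauth://totp URL")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("missing secret parameter")
    # The label is "Issuer:account" or just "account".
    label_issuer, _, account = unquote(u.path.lstrip("/")).rpartition(":")
    secret = q["secret"].replace(" ", "").upper()
    # Validate Base32 now so a truncated or mistyped secret fails early.
    base64.b32decode(secret + "=" * (-len(secret) % 8))
    # Defaults used when the URL omits them: SHA1, 6 digits, 30-second period.
    return {
        "issuer": q.get("issuer") or label_issuer or None,
        "account": account.strip(),
        "secret": secret,
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }

def totp(p, at=None):
    """RFC 6238 code for the parsed parameters at Unix time `at` (default: now)."""
    key = base64.b32decode(p["secret"] + "=" * (-len(p["secret"]) % 8))
    counter = int(time.time() if at is None else at) // p["period"]
    digest = getattr(hashlib, p["algorithm"].lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    off = mac[-1] & 0x0F  # dynamic truncation offset (RFC 4226)
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** p["digits"]).zfill(p["digits"])

# Constructed sample: the RFC 6238 test key ("12345678901234567890"), not a real account.
SAMPLE = ("otpauth://totp/Example%20Corp:alice@example.com"
          "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Corp&digits=8")

if __name__ == "__main__":
    params = parse_otpauth(SAMPLE)
    shown = dict(params, secret=params["secret"][:4] + "...")  # do not echo the full seed
    print(shown, totp(params, at=59))
```

If the code printed for the current time matches the one on a device that still works, the recovered secret and settings are correct.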

When to recover and when to rotate

Recover when the problem is availability, such as a broken or replaced phone. Rotate when the problem is trust, such as theft or suspected exposure.

That distinction keeps users from reusing a secret that may already be compromised simply because it is convenient.

A practical test is to ask whether you still trust every place the secret may have been stored or displayed. If the answer is unclear, a clean reset is usually the safer long-term move.

This is also why a good recovery guide should tell users what not to reuse. High-utility content reduces risk by helping people choose between speed and trust with clear criteria.

Even a short checklist here can prevent a bad decision: list every place the secret lived, decide whether each copy is still trusted, and reset 2FA if that review leaves any doubt.

Comparison Table

Recovery source quality and the trust level each option usually deserves.

| Source | Best use | Main caution | Recommendation |
|---|---|---|---|
| Original QR code | Rebuild access on a trusted device | Treat as highly sensitive | Use carefully and store securely |
| Password manager note | Long-term backup | Must be encrypted and access-controlled | Good option for careful users |
| Old phone only | Last-resort extraction | Device may be broken or compromised | Use only if the device is trusted |
| Provider reset | Start fresh | May require manual verification | Best option when trust is unclear |

FAQ

Can Google Authenticator show me the secret after setup?

Usually no. Recovery normally depends on the original QR code, export data, or the service that issued the secret.

Is it safe to keep a copy of my secret key?

Yes, if it is stored securely. Anyone with the secret can generate your codes, so protect it carefully.

Can I use the same secret on more than one device?

Yes. If multiple devices import the same secret and settings, they will generate the same TOTP codes.
