Duo Restore for Android

Duo Mobile's restore functionality lets you back up Duo-protected accounts and third-party OTP accounts (such as Google or Facebook) for recovery to the same device or to a new device.

Backup and restore of third-party accounts requires Duo Mobile version 3.28 or newer. Duo mobile versions 3.17 to 3.27 permit restore of Duo-protected accounts only.

If you are a Duo Mobile end-user (not an administrator) and are looking for help configuring Duo Restore beyond the instructions here, or if you are not sure if your organization permits use of Duo Restore, please contact your organization's IT help desk for assistance.

Enabling Duo Restore

 

Duo Mobile Recovery Setup

Duo Mobile Recovery Account Selection

Duo Mobile Recovery Account Selection

Duo Mobile Recovery Account Selection

  1. When you add your first-ever account in the Duo Mobile app, you will see a new notification prompt to enable Duo Restore on your device.
  2. Tap SET UP NOW and select the Google account to use for Duo Restore. Grant Duo Mobile permission to store the backup in your Google Drive.
  3. At this point, you can also choose to enable account recovery for your third-party accounts by tapping Automatically reconnect third-party accounts. If you don't enable this now, Duo Mobile will remind you later when you add your first third-party account.
  4. When prompted, enter and confirm a recovery password that has 10-128 characters. Do not lose this password! You'll need to provide it again to recover these accounts. Duo cannot recover this password for you. Be sure to store it securely. If you lose this password you'll need to manually reconnect your third-party accounts by visiting each of those services individually and following their 2FA setup process.

 

It is also possible to enable Duo Restore at any time by doing the following:

 

  1. Make sure you are running the latest version of the Duo Mobile App on your current Android device.
  2. Open the Duo Mobile App.
  3. Tap the overflow menu (three vertical dots) in the top right corner of the main accounts list.
  4. Tap Settings.
  5. Tap Duo Restore.
  6. Turn on Duo Restore by tapping Backup accounts with Google Drive.
  7. Select a Google account to store your backup.
  8. Optionally enable third-party account restore by tapping Automatically reconnect third-party accounts.
  9. Enter and confirm a recovery password that has 10-128 characters.

     

 

Recovering Third-Party Accounts

 

Duo Mobile Recovery Option

  1. Open the Duo Mobile app on your new or reset device.
  2. From your new Android device, download version 3.28 or newer of the Duo Mobile App from the Google Play Store.
  3. Open the Duo Mobile app on your new device.
  4. Tap Get My Account Back from the welcome screen.
  5. Select the Google account you used when initially setting up Duo Restore.
  6. If Duo Mobile finds a valid backup in your Google Drive, it restores your previoulsy backed-up accounts. If your backup included third-party accounts, enter your recovery password when prompted.

 

When you return to the accounts list after a successful third-party accounts restore, you'll be able to tap your third-party accounts to generate passcodes for logging into those services.

Note that this doesn't reconnect your Duo-protected accounts. You'll still need to perform the steps above before you can use those accounts to log in to Duo-protected services with Duo Push or Duo Mobile passcodes.

See third-party account recovery on Android in action.

Recovering Duo-Protected Accounts

Duo Mobile Recovery Option

  1. From your new Android device, download the latest Duo Mobile App from the Google Play Store.
  2. Open the Duo Mobile app on your new device.
  3. Tap Get My Account Back from the welcome screen.

    Duo Mobile Recovery Option

  4. Select the Google account you used when initially setting up Duo Restore.
  5. If account information is found, you will then see the accounts on the Duo Restore screen and in your main accounts list, but with a Reconnect button instead of the key button used to generate passcodes.
  6. Tap Reconnect next to your Duo account in the main accounts list.
  7. Log in to the Duo-protected application selected by your IT administrator.
  8. Authenticate using Duo via an method allowed for this application by your IT administrator. If SMS or hardware token passcode and phone calls are not allowed, you will either need to use a different Duo Push-capable 2FA device, use the Duo Self Service Portal, or contact your IT administrator to restore your account on your new device.
  9. After authenticating, your new Android device should be connected to the Duo service.

Recovering Accounts Manually

If the Duo Restore feature is not enabled by your Duo administrator, or your backup includes third-party accounts but you did not set a recovery password for those accounts, you will see a screen like this upon attempting account recovery (tapping Reconnect) within Duo Mobile:

 

Duo Mobile Reconnect

Scan the barcode from your third-party account 2FA setup screen, or, to recover a Duo-protected account, access the My Settings and Devices page from the Duo prompt to reactivate the account. If your organization hasn't enabled self-service device management, contact your IT Help Desk or Duo service administrator for assistance reactivating the account.

Frequently Asked Questions

How does the Duo Mobile restore process affect third-party accounts in my Duo Mobile app?

You'll need to visit each third-party site and follow their specific instructions for reactivating 2FA. This usually involves scanning a QA code after using an alternative recovery method like phone call or SMS. Third-party accounts include accounts that were added to Duo Mobile but not directly linked to the Duo service, such as Google Accounts, Amazon, Facebook, Snapchat, Dropbox, etc.

Will Duo Mobile accounts be saved on my device if I delete the app?

It depends on the device's operating system.

  • On iOS, all accounts are retained in the device's secure keychain when you delete the app. This means both Duo-protected and third-party accounts will be available if you reinstall Duo Mobile on the same device. Accounts are only deleted when done so explicitly in the app.
  • On Android, deleting the Duo Mobile app will delete all accounts from your device. Deleting the Duo Mobile app essentially wipes the potential for unassisted account recovery, as any Duo Restore data backed up to Google Drive, if enabled, will be removed as well.

 

Is it possible to restore an account once I've deleted it in Duo Mobile?

No. If you manually delete accounts within the app then they are gone and there is no process for restoration.

How large are Duo Mobile backups?

The size of Duo Mobile backup files can vary depending on how many accounts are associated with a device, but generally they are not larger than 500 KB.

 

Does Duo backup the private key pairs used in any of the accounts in my Duo Mobile App?

If you haven't enabled third-party account restore in Duo Mobile then app backups to Google Drive (Android) or iCloud (iOS) accounts DO NOT contain any private key or other sensitive data. Do note that some third-party accounts use an email address as the primary identifier, and thus will be included in the backup (Amazon, Gmail, and others).

Full device encrypted backups to iTunes will back up both the account listings and private key pairs, but can only be restored on the SAME phone that created the backup.

If you opt-in to third-party account backup and restore, and have set an account recovery password, then the app backups to Google Drive (Android) or iCloud (iOS) do include the private key information for your third-party accounts. The backups are encrypted by the recovery password, which is only known to you and cannot be recovered by Duo. When you restore a backup that contains third-party account information you must enter the recovery password to decrypt the backup.

Users cannot inspect or open backup files. iCloud does not provide a way for users to view the backup file. Google Drive users can view that Duo Mobile is using their Drive to store data and the size of that backup but cannot interact with that file. Duo Mobile only has access to the application-specific folder in Google Drive.

If the private keys are not backed up, how does this work?

Once you restore your account list you'll see a “Reconnect” link next to each account. Reconnecting the account directs you through a reactivation process where the you need to authenticate to a Duo protected application (configured by the Duo account admin) to verify your identity. Once the your identity has been verified, Duo Mobile reactivates account.

 

Can I restore a backup to a different mobile platform (Android → iOS or iOS → Android)?

No, backups can not be restored across platforms. Duo Mobile can be activated on a new device that uses the same phone number as an old device on a different platform via the self-service device management options in the Duo prompt (if enabled by your Duo admin), or you can contact your IT help desk or Duo admin to request assistance reactivating the accounts on the new device.

Why am I getting an error saying "We couldn't find any accounts backed up on this Google account. Try selecting another Google account or contact your help desk." when attempting Duo Restore?

There are several reasons this could happen:

  • The wrong Google account was chosen when attempting Duo Restore.
  • If you very recently toggled on Duo Restore on your new phone, it may not be in sync with the backup on your old phone yet.
  • The Duo Mobile app was deleted from the old phone, which would have also deleted the Google Drive backup.
  • Duo Restore was actually never activated on the old (original) device so no backup is available.
Print Article

Details

Article ID: 78846
Created
Wed 5/22/19 10:04 AM
Modified
Thu 5/23/19 9:29 AM

Related Articles (6)

Overview of Duo enrollment
Overview of Duo Restore
Troubleshooting article for Duo Push notifications on Android devices.
Introduction to two-factor authentication and Duo
Duo-protected versus third-party applications. What's the difference?