Well, the scenario we are wanting to defend against is an attacker that can remotely (or even locally) exploit/root the phone (see the long list of vulns for iOS and Android that have allowed exactly this). How many of these still exist, not yet patched?
Depending on who you work for, someone might just burn a 0-day on you. It all depends on your threat profile.
Putting the secret in a hardware token gives you easy-to-reason-about assurances that a mobile phone OS vendor can't ever offer.
Also, this means when you get a new phone, you just install the app and tap the key. No setup required.
No, that's a scenario you want to defend against, and I'll remind you again that if you're dealing with attackers that can exploit your computing devices directly, the tokens are pretty much cosmetic. If you have an insecure phone and you actually use it like a smartphone, you're boned no matter how many security tokens you've got attached to your key ring.
When we work with lawyers, reporters, and NGOs, what we find are people with much more urgent security problems. They're one carefully worded email away from giving their entire email account away to a 25 year old in Estonia. They aren't worried that their phone is about to get owned up --- mostly because that isn't going to happen, but for other reasons too.
Real targets are going to be compromised for 3 reasons:
1. They're going to be phished out of losing their credentials.
2. They're going to share credentials between sites and lose them in a breach of one of those sites.
3. They're going to click on an attachment and lose their whole computer to an attacker.
The U2F/TOTP stack this post recommends nicely addresses (1) and (2), and nothing anyone on this thread is talking about addresses (3). I'm not sure why we're spending so much time considering (13).
I think the other part of this is that for these people (and probably most people) losing access to your gmail account is a catastrophic event.
That access can be lost because of an attack or by losing the keys. The former is actually much less likely than the latter, so mitigating in favor of it instead doesn't make sense in this threat model.
Even without root. Just run a backup and extract it from that. You can do it with just adb or Helium.
--
I can't quickly find any examples online that don't specifically mention requiring rooting the phone. Just this anecdote: https://community.spiceworks.com/topic/465582-google-authent...
If you do a backup (even if not rooted you can use ADB to backup your apps and data,) then you can simply restore the app and data to your new phone and the codes for the device come with it.
This article appears to contain the most detailed instructions, stating that both Titanium Backup and manual extraction require root: https://www.howtogeek.com/130755/how-to-move-your-google-aut...
If your Android is rooted, you can use Titanium Backup, which we’ve written about before, to take a backup of your Google Authenticator app data. [...] If you have root access to your device, you can actually extract the credentials manually
It was at one point possible to extract from iPhone backups: https://dpron.com/recovering-google-authenticator-keys-from-...