
Google's 2-factor auth comes with a list of one-time disposable keys one can use when they don't have their smartphone. I've had to use one specifically because I flashed a new ROM onto the Android device I was using before I thought about how I would set up the new ROM as a new device, which required me to log into my Google account. Almost the same idea as having the device get remote wiped unexpectedly. I keep a printed list of these keys in my fire safe at home with other important documents, like my birth certificate and passport.



Google will also call your home phone number and audibly speak a code to you if desired.

(Incidentally, you can back up and restore /data/data/com.google.android.apps.authenticator2/databases/databases via adb pull/adb push and you don't have to do the "painful" restore. It's slightly less secure, but I keep a copy on my SD card.)


Giant-flashing-neon-warning: if your phone's rooted (needs to be to pull /data), an attacker can pull it too. Use a passcode and enable full-device encryption (passcodes don't block recovery) to defend against this. If you're making full-image backups, wherever they're stored (on-device or elsewhere) needs to be secure too.

PS: even if you aren't rooted, if your device can be rooted without a wipe, you should consider yourself just as vulnerable and enable FDE as well.


Yup, absolutely. I run FDE mostly just out of a personal policy that anything that someone can pick up and walk off with is encrypted, but this is a very good point.

The DB is a SQLite3 database containing plaintext tokens and the account names they are used with, so while the attacker would still need your password, they can generate new tokens with that data.

Good policy upon losing any device that contains 2FA information is to use one of your backup codes to log into your account, remove the 2FA, and re-add it, thereby invalidating the old token secret. Thus, even if someone has your unprotected DB, they can't generate tokens for your account.
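To make the point in the two comments above concrete (the pulled `databases` file is plain SQLite, and anyone holding it can mint valid codes), here is an added Python example. It is not code from this thread or from Google Authenticator. The `accounts` table columns and the encoding of the `type` column (0 = TOTP, 1 = HOTP) are assumptions about the app's schema, so check `.schema accounts` on a real pulled copy before relying on them; the rows are constructed, and the secret is the RFC 4226/6238 test key so the generated codes can be checked against the published test vectors. Pointing `sqlite3.connect` at a file pulled with `adb pull` instead of calling `build_sample_db` runs the same logic against a real database.

```python
import base64
import hashlib
import hmac
import sqlite3
import struct

# Approximation of the Google Authenticator "accounts" table. The column set
# is an assumption for this example; verify it with `.schema accounts` on a
# copy pulled from
# /data/data/com.google.android.apps.authenticator2/databases/databases.
SCHEMA = """
CREATE TABLE accounts (
    _id     INTEGER PRIMARY KEY,
    email   TEXT NOT NULL,
    secret  TEXT NOT NULL,
    counter INTEGER DEFAULT 0,
    type    INTEGER
)
"""

TOTP, HOTP = 0, 1  # assumed encoding of the `type` column

# Constructed sample rows. The secret is the RFC 4226/6238 test key
# "12345678901234567890" in base32, so codes are checkable against the RFCs.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_ROWS = [
    (1, "alice@example.com", RFC_SECRET_B32, 0, TOTP),
    (2, "bob@example.com", RFC_SECRET_B32, 5, HOTP),
]


def build_sample_db(path=":memory:"):
    """Create a throwaway database shaped like the pulled file."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    # Secrets are stored as unpadded base32; restore padding, tolerate case/spaces.
    cleaned = secret_b32.strip().replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret_b32, unix_time // step, digits)


def codes_from_db(conn, unix_time):
    """What a holder of the plaintext DB can do: mint one valid code per account."""
    out = {}
    for _id, email, secret, counter, otp_type in conn.execute(
        "SELECT _id, email, secret, counter, type FROM accounts"
    ):
        if otp_type == HOTP:
            out[email] = hotp(secret, counter)
        else:
            out[email] = totp(secret, unix_time)
    return out


if __name__ == "__main__":
    import time

    db = build_sample_db()
    for email, code in codes_from_db(db, int(time.time())).items():
        print(f"{email}: {code}")
```

Since the secret is all that is needed, the remediation in the comment above (log in with a backup code, remove the 2FA, re-add it) works by replacing that secret, which is why restoring the old database after that step would silently leave you with codes the server no longer accepts.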



