How to migrate devices when Google Drive is not enabled by admin

hi! my alma mater moved to Duo for authentication.

I just got a new Pixel 6a & I can’t use Duo Restore because my alma mater has chosen not to enable Google Drive.

I get this error message on my Pixel 3a:

can I back up to a different Google Drive?

how do I change the Google Drive my app is pointing to?

is there an easier way to move my Duo account to my new phone?

If you mean that the school disabled Google Drive for their Google user accounts, then if you have a personal Google account you should be able to add that account to your phone and use it to create the backup. If you have multiple Google accounts present on your Android phone then Duo Mobile will prompt you to choose one to create the backup.

this is correct!

when I was given the option to choose a Google account, there was no dialog box telling me what I was supposed to choose & now cannot change the association.

I had to factory reset my old device and return it so now I want to know how to add my profile to my new Pixel.

I have an active account on my iPadPro.

If you don’t have your old device and didn’t create a backup of Duo Mobile before returning your old device then you don’t have anything to restore to your new device.

There isn’t a way to migrate Duo Mobile accounts between iOS/iPadOS and Android devices.

If you were using Duo Mobile to generate passcodes for third-party accounts like Instagram or Twitter then you’ll need to log into those services with the passcodes from your iPad (if you have the accounts set up there too), or using the recovery codes provided by those services when you originally set up 2FA, and perform 2FA setup again with your new phone.

For Duo-protected services where you were receiving a Duo Push login request you will need to contact the organization that owns those services (your school?) for help activating your new phone.

You can change the account used by Duo Mobile to back up accounts if you go into the Duo Restore settings and tap edit. You need to have already added your non-school account from Android’s Settings > Accounts to be offered a choice between accounts for Duo Restore setup.

There’s a lot more information and frequently asked questions + answers about Duo Mobile Restore in this Duo knowledge base article.

1 Like

thank you for all your help. I contacted my alumni admin and they quickly resolved the issue and I have access on my mobile device now.

I know in the future when I upgrade devices to use the restore function and that I have the option to store the backup on a Google account that is not the one associated with my Duo emal

Is the backup file itself secure being stored in a different Google account?

1 Like

When you enable Duo Restore in the app, Duo Mobile creates an app-specific folder where it will backup your Duo Mobile account(s). The Google Drive API does not allow Duo Mobile to access your other Google Drive files, it can only access the Duo Mobile folder.

Google describes app folders thusly:

The App Folder is a special folder that is only accessible by your application. Its content is hidden from the user and from other apps. Despite being hidden from the user, the App Folder is stored on the user’s Drive and therefore uses the user’s Drive storage quota.

The App Folder can be used to store configuration files, temporary files, or any other types of files that belong to the user but should not be tampered with.

More details are in the Google Developer reference.

Follow security best-practices for your Google account information, like using a strong password and enabling two-step verification (if not OTP with Duo Mobile then at least Google’s own push prompts, SMS, or security key).

ok so what I’m getting is my Duo backup is only as secure as the Google Account it is stored in.

if my alum Google Workspace admin chooses to enable Google Drive, then my backup is protected by Duo 2FA.

if I choose to store my backup in a different Google Account, the backup will not be secured by Duo 2FA and thus is vulnerable to being restored by a malicious party.

Is this correct?

if my alum Google Workspace admin chooses to enable Google Drive, then my backup is protected by Duo 2FA.

Do you use Duo 2FA (with Duo Push) to log into the alumni Google account? This usually isn’t the case, because in an SSO scenario where Google is both the identity store and the application being protected it creates a login loop.

You can totally use Duo Mobile as an OTP generating app to provide two-step verification for your personal Google account. If you do, be certain to have one or more backup two-step methods configured in Google, or make sure that you save the recovery codes in an accessible yet secure location, because if you need to restore Duo Mobile using that Google account you might not also be able to use Duo Mobile to log in to that Google account (chicken <-> egg loop).

the short answer to the question is yes - when I log into our alum Google Workplace, I get a push notification from Duo which I accept & I am logged in.

I’m not clear where the login loop is because this has been working for over a year.

my circumstance revolves around my request to store my Duo backup in my alum Google Account and not store it anywhere else I can forget.

correction: I see what happens now:

  1. I go to gmail.com
  2. I enter my alumni email address
  3. it jumps to our university login portal
  4. i enter credentials
  5. it pushes a request to Duo
  6. I authenticate on my device
  7. it logs into Google Workspace

so to be clear, there isn’t a log in loop because my alum is using our university portal authenticated by Duo to log into our Google Workspace.

I now want to securely store my Duo backup in our Google Workspace instance.

This requires our Google Workplace admin to enable Google Drive for our alumni accounts and I am waiting for a response [from our admin]

OK, I do want to point out that if you have to use Duo to access your university’s Google account and Workspace and you decide to store your Duo Mobile backup there then if you are ever in need of recovering your Duo Mobile accounts you will have to be able to access the backup stored in your university’s Google Workspace. So, make sure you have a 2FA backup method available to you to log in there that isn’t Duo Mobile (like a phone call or SMS passcode).

Your university can advise you what backup Duo authentication methods they make available for logins to their Google Workspace.

1 Like