Duo Restore

Duo Mobile version 4 was released on October 11, 2021.

Duo Mobile version 3 information remains available for users on older iOS versions who can't upgrade to the latest Duo Mobile release.

Duo Restore v3 Guide
Duo Mobile v3 Push Prompt

Duo Mobile's restore functionality lets you back up Duo-protected accounts and third-party OTP accounts (such as Google or Facebook) for recovery to the same device or to a new device.

When you use the below methods to restore Duo accounts on a new or replacement device, be aware that:

  • Restoring or reactivating any "Duo-Protected" and "Duo Admin" accounts on the new device deactivates those accounts on the old device.
  • Restoring any third-party accounts on the new device does not deactivate those accounts on the old device. Be sure to delete those accounts from Duo Mobile on the old device or delete Duo Mobile entirely from the old device once you verify the passcodes generated by the restored accounts work for logging in to those services.
  • Duo for Windows offline access does not reactivate offline access accounts restored to your phone. Reactivation of Windows offline access creates a second offline access account. Delete the restored Windows offline access account from Duo Mobile before reactivating Windows offline access.

If you are a Duo Mobile end-user (not an administrator) and are looking for help configuring Duo Restore beyond the instructions here, or if you are not sure if your organization permits use of Duo Restore, please contact your organization's IT help desk for assistance.

Duo Restore for iOS

Enabling Duo Restore

  1. Make sure you are running the latest version of the Duo Mobile App on your current iOS device.
  2. Back up your device to iCloud, with iCloud Keychain enabled to use Instant Restore. Nightly iCloud backups will include Duo Restore information. Encrypted iTunes or Finder backups will also work.

Due to how apps are automatically backed up in iOS, the backup functionality of Duo Restore is always on for iOS users who have iCloud enabled and they will not see a notification indicating their information is being backed up. However, whether an account can be restored depends upon Duo Restore being enabled by the administrator in the Duo Admin Panel or whether you've set a recovery password for reconnecting third-party accounts.

Enable Duo Restore for Third-Party Accounts

Be sure to enable third-party account backup and restore if you use Duo Mobile to generate passcodes for logging into applications like Instagram, Facebook, Snapchat, or other web services. Duo Mobile cannot recover access to those accounts without a backup. If you become locked out of those services and don't have a backup of your accounts in Duo Mobile, you'll need to contact the support team for that application (or perform the account recovery process for each of those third-party applications.

When Duo Mobile detects you have a third-party account, you'll be prompted to create a recovery password. Tap Enable Now to set one.

Enter a recovery password that has 10-128 characters. Do not lose this password! You'll need to provide it again to recover these accounts. Duo cannot recover this password for you. Be sure to store it securely. If you lose this password you'll need to manually reconnect your third-party accounts by visiting each of those services individually and following their 2FA setup process.

If you didn't enable backups for your third-party accounts when you added the first one, you can do it at any time.

  1. Open Duo Mobile and tap the menu icon to access Settings.
  2. Tap the Backup third-party accounts option to enable.
  3. Enter and confirm a 10-128 character recovery password.

Remember, Duo Support can't recover your third-party accounts for you or reset your third-party recovery password.

Restoring Duo Mobile Accounts

Recovering Duo-Protected Accounts with Instant Restore

To use Instant Restore you must have previously backed up your device with iCloud (with iCloud Keychain on) or an encrypted iTunes or Finder backup. Additionally, your organization's Duo administrator must have enabled the Instant Restore feature.

  1. Sign in to iCloud on your iOS device and restore from an iCloud, iTunes, or Finder backup.
  2. If using iCloud, enable iCloud Keychain. This could be the same device as before, or a brand-new one.
  3. Download the Duo Mobile app on your new device.
  4. Open Duo Mobile and tap Continue on the welcome screen.
  5. Duo Mobile locates your backed-up Duo-protected accounts in your restored backup and restores them to the app on your device. When complete, you're taken to the accounts list in the app.
  6. Duo also sends a push notification stating that accounts were activated on a new device to your old one. If you receive the new phone activation notification and you didn't just perform a restore, tap No. This deactivates your Duo accounts on both the original and replacement devices and alerts your organization's Duo administrators about the fraudulent reactivation.
    If you did initiate the restore to a replacement device, tap Yes to dismiss this notification and deactivate the accounts on your original device.

The Duo Mobile accounts list shows your restored Duo accounts, and you may use them to log into Duo-protected services with Duo Push or a generated passcode.

This process doesn't reconnect any third-party accounts. You'll still need to provide your third-party account recovery password before you can use those accounts to generate passcodes.

Recovering Duo-Protected Accounts from a Protected Application

Follow this process if your Duo administrator did not enable Instant Restore, if your restored iCloud backups did not include Keychain information or your iTunes or Finder local backups weren't encrypted, or the Instant Restore process failed.

  1. Restore your new or reset iOS device from your iCloud, iTunes, or Finder backup.
  2. Open the Duo Mobile app on your new device and view the accounts list.
  3. Tap Reconnect next to your Duo account in the accounts list.
  4. Log in to the Duo-protected application selected by your IT administrator.
  5. Authenticate using Duo via a method allowed for this application by your IT administrator. If SMS or hardware token passcode and phone calls are not allowed, you will either need to use a different Duo Push-capable 2FA device, use the Duo Self Service Portal (if available), or contact your IT administrator to restore your account on your new device.
  6. After authenticating, your new iOS device should be connected to the Duo service.

Recovering Third-Party Accounts

  1. Restore your new or reset iOS device from your iCloud, iTunes, or Finder backup.
  2. Open the Duo Mobile app on your new device and tap Continue on the welcome screen.
  3. Duo Mobile prompts for the recovery password you created when you enabled and then tap Reconnect. Duo Mobile restores your third-party accounts.

When you return to the accounts list after a successful third-party accounts restore, you'll be able to tap your third-party accounts to generate passcodes for logging into those services.

Note that this doesn't reconnect your Duo-protected accounts. You'll still need to perform the Duo-protected account recovery steps before you can use those accounts to log in to Duo-protected services with Duo Push or Duo Mobile passcodes.


Duo Restore for Android

Enabling Duo Restore

  1. Open Duo Mobile and tap the menu icon in the top right to open Settings.
  2. Tap Duo Restore in the "General" settings.
  3. On the "Duo Restore Settings" screen, tap to enable the Backup accounts with Google Drive.
  4. Select the Google account to use for Duo Restore and grant Duo Mobile permission to store the backup in your Google Drive.
  5. At this point, you can also choose to enable account recovery for your third-party accounts by tapping Automatically reconnect third-party accounts. If you don't enable this now, Duo Mobile will remind you later when you add your first third-party account.
  6. When prompted, enter and confirm a recovery password that has 10-128 characters. Do not lose this password! You'll need to provide it again to recover these accounts. Duo cannot recover this password for you. Be sure to store it securely. If you lose this password you'll need to manually reconnect your third-party accounts after restoring Duo Mobile on a new phone by visiting each of those services individually and following their 2FA setup process.

Restoring Duo Mobile Accounts

Recovering Duo-Protected Accounts with Instant Restore

To use Instant Restore you must have previously backed up your Duo Mobile accounts to Google Drive. Additionally, your organization's Duo administrator must have enabled the Instant Restore feature.

You must have access to Duo Mobile on your old Android device in order to use Instant Restore to restore your Duo-protected account backup to your new device. If you can't open Duo Mobile on your old device, for example, if your phone was lost or damaged, contact your Duo administrator to discuss your account recovery options.

  1. From your new Android device, download the latest Duo Mobile App from the Google Play Store.
  2. Open the Duo Mobile app on your new device.
  3. Tap I have existing accounts from the welcome screen.
  4. Duo Mobile will check for a previous backup in Google Drive. Select the Google account you used when initially setting up Duo Restore.
  5. You'll be asked if you have your old phone. Tap Yes, continue setup to continue.
  6. Open Duo Mobile on your old phone, and tap the menu icon in the top right to open Settings.
  7. Locate the "Connect a new phone" settings item, and tap View QR code to display a QR barcode on the screen.
  8. Return to your new phone, and tap Scan QR code in step 3, then scan the QR code shown on your old phone to complete account restoration.
  9. Duo Mobile locates your backed-up Duo-protected accounts and restores them to your device, showing a success message when complete.

The Duo Mobile accounts list shows your restored Duo accounts, and you may use them to log into Duo-protected services with Duo Push or a generated passcode.

This process doesn't reconnect any third-party accounts. You'll still need to provide your third-party account recovery password before you can use those accounts to generate passcodes.

Recovering Duo-Protected Accounts from a Protected Application

  1. From your new Android device, download the latest Duo Mobile App from the Google Play Store.
  2. Open the Duo Mobile app on your new device.
  3. Tap I have existing accounts from the welcome screen.
  4. Duo Mobile will check for a previous backup in Google Drive. Select the Google account you used when initially setting up Duo Restore.
  5. If account information is found, you will then see the accounts on the Duo Restore screen and shown as disabled in your main accounts list, with a Reconnect action.
  6. Tap Reconnect below a Duo account in the main accounts list.
  7. Log in to the Duo-protected application selected by your IT administrator.
  8. Authenticate using Duo via a method allowed for this application by your IT administrator. If SMS or hardware token passcode and phone calls are not allowed, you will either need to use a different Duo Push-capable 2FA device, use the Duo Self Service Portal, or contact your IT administrator to restore your account on your new device.
  9. After authenticating, your new Android device should be connected to the Duo service.

Recovering Accounts Manually

If the Duo Restore feature is not enabled by your Duo administrator, or your backup includes third-party accounts but you did not set a recovery password for those accounts, after tapping Reconnect within Duo Mobile you'll see the options to Scan a QR code or Enter activation code.

Tap Scan QR code and scan the barcode from your third-party account 2FA setup screen, or, to recover a Duo-protected account, access the My Settings and Devices page from the Duo prompt to reactivate the account. If your organization hasn't enabled self-service device management, contact your IT Help Desk or Duo service administrator for assistance reactivating the account.

Recovering Third-Party Accounts

  1. From your new Android device, download the latest Duo Mobile App from the Google Play Store.
  2. Open the Duo Mobile app on your new device.
  3. Tap I have existing accounts from the welcome screen.
  4. Duo Mobile will check for a previous backup in Google Drive. Select the Google account you used when initially setting up Duo Restore.
  5. If Duo Mobile finds a valid backup in your Google Drive, it restores your previously backed-up accounts. If your backup includes third-party accounts, enter your recovery password when prompted.

When you return to the accounts list after a successful third-party accounts restore, you'll be able to tap your third-party accounts to generate passcodes for logging into those services.

Note that this doesn't reconnect your Duo-protected accounts. You'll still need to perform the Duo-protected account recovery steps before you can use those accounts to log in to Duo-protected services with Duo Push or Duo Mobile passcodes.


Frequently Asked Questions

How does the Duo Mobile restore process affect third-party accounts in my Duo Mobile app?

You'll need to visit each third-party site and follow their specific instructions for reactivating 2FA. This usually involves scanning a QR code after using an alternative recovery method like phone call or SMS. Third-party accounts include accounts that were added to Duo Mobile but not directly linked to the Duo service, such as Google Accounts, Amazon, Facebook, Snapchat, Dropbox, etc.

Will Duo Mobile accounts be saved on my device if I delete the app?

It depends on the device's operating system.

  • On iOS, all accounts are retained in the device's secure keychain when you delete the app. This means both Duo-protected and third-party accounts will be available if you reinstall Duo Mobile on the same device. Accounts are only deleted when done so explicitly in the app.
  • On Android, deleting the Duo Mobile app will delete all accounts from your device. Deleting the Duo Mobile app essentially wipes the potential for unassisted account recovery.

Is it possible to restore an account once I've deleted it in Duo Mobile?

No. If you manually delete accounts within the app then they are gone and there is no process for restoration.

How large are Duo Mobile backups?

The size of Duo Mobile backup files can vary depending on how many accounts are associated with a device, but generally they are not larger than 500 KB.

Does Duo backup the private key pairs used in any of the accounts in my Duo Mobile App?

If you haven't enabled third-party account restore in Duo Mobile then app backups to Google Drive (Android) or iCloud (iOS) accounts DO NOT contain any private key or other sensitive data. Do note that some third-party accounts use an email address as the primary identifier, and thus will be included in the backup (Amazon, Gmail, and others).

Full device encrypted backups to iTunes will back up both the account listings and private key pairs, but can only be restored on the SAME phone that created the backup.

If you opt-in to third-party account backup and restore, and have set an account recovery password, then the app backups to Google Drive (Android) or iCloud (iOS) do include the private key information for your third-party accounts. The backups are encrypted by the recovery password, which is only known to you and cannot be recovered by Duo. When you restore a backup that contains third-party account information you must enter the recovery password to decrypt the backup.

Users cannot inspect or open backup files. iCloud does not provide a way for users to view the backup file. Google Drive users can view that Duo Mobile is using their Drive to store data and the size of that backup but cannot interact with that file. Duo Mobile only has access to the application-specific folder in Google Drive.

If the private keys are not backed up, how does this work?

Once you restore your account list you'll see a “Reconnect” link next to each account. Reconnecting the account directs you through a reactivation process where you need to authenticate to a Duo protected application (configured by the Duo account admin) to verify your identity. Once your identity has been verified, Duo Mobile reactivates the account.

Can I restore a backup to a different mobile platform (Android → iOS or iOS → Android)?

No, backups can not be restored across platforms. Duo Mobile can be activated on a new device that uses the same phone number as an old device on a different platform via the self-service device management options in the Duo prompt (if enabled by your Duo admin), or you can contact your IT help desk or Duo admin to request assistance reactivating the accounts on the new device.

Why am I getting an error saying "We couldn't find any accounts backed up on this Google account. Try selecting another Google account or contact your help desk." when attempting Duo Restore?

There are several reasons this could happen:

  • The wrong Google account was chosen when attempting Duo Restore.
  • If you very recently toggled on Duo Restore on your new phone, it may not be in sync with the backup on your old phone yet.
  • Duo Restore was actually never activated on the old (original) device so no backup is available.
  • Duo Restore was turned off on the old device.