MFA Lockout Risk: Google Authenticator Sync With Your Work Google Account


Audience: All employees using MFA for JumpCloud and federated work apps
Severity: High — can cause complete loss of MFA tokens and account lockout
Action required: Yes — see What you need to do below


TL;DR

If you signed into the Google Authenticator app with your work Google Workspace account (you'll see a small green cloud icon on top of the app), your MFA codes are syncing to that Google account. That sounds great — until something changes on the back end of your Google sign-in (for example, when we federate Google Workspace to JumpCloud). When that happens, the Authenticator app gets signed out of Google, all of your synced MFA tokens disappear from the app, and you can't log back into the very accounts that need those codes. Classic chicken-and-egg.

Do one of these, today:

  1. Best: Install JumpCloud Protect and use it as your MFA app for both push and TOTP codes.

  2. Acceptable: Keep using Google Authenticator, but disable sync so codes live only on your device.

If this already happened to you and your codes are gone, jump to I'm already locked out.


Why this happens

Google Authenticator was originally an offline-only app. A few years ago Google added a "cloud sync" feature: sign into the app with a Google account and your TOTP seeds back up to that account so you can move to a new phone without re-enrolling every site.

That feature was designed for consumer Google accounts, where the sign-in to Google is the same sign-in every day. It has quietly become a problem in work environments where:

  • Your Google Workspace login can be redirected to a third-party identity provider (in our case, JumpCloud).

  • When that federation is enabled or changed, or your Google session is invalidated, the Google Authenticator app loses its session.

  • A signed-out Google Authenticator app does not show synced tokens. They're not deleted from Google's servers, but the app can't display them until it can sign back into Google.

  • And to sign back into Google… you typically need an MFA code. From the very app that just lost them.

This is the chicken and egg. The fix is to make sure the Authenticator app never depends on being signed into the work Google account in the first place.

How to tell if you're affected

Open the Google Authenticator app on your phone. Look at the top of the screen:

  • Green cloud icon with your work email under your profile picture → You are affected. Sync is on for your work account.

  • No cloud, or a slashed-out cloud → You're fine. Codes are local only.


What you need to do

Option 1 (recommended): Switch to JumpCloud Protect

JumpCloud Protect is the official MFA app from our identity provider. It handles both push notifications ("tap Approve on your phone") and TOTP codes (the 6-digit rotating numbers), so it can replace Google Authenticator entirely for work-related MFA. It has no sync feature that can leave you stranded.

Step 1 — Install the app

  • iOS: App Store → search JumpCloud Protect

  • Android: Google Play → search JumpCloud Protect

Step 2 — Enroll your device for Push MFA

  1. On a computer, go to the JumpCloud User Portal: https://console.jumpcloud.com

  2. Sign in with your work credentials.

  3. Click the Security tab.

  4. Under JumpCloud Protect (Push), click Configure (or Reset if you've enrolled before).

  5. Open the JumpCloud Protect app on your phone, tap the + to add an account, and scan the QR code shown on your computer.

  6. Back in the User Portal, click I Have the App, then confirm. You'll see a green checkmark when the device is verified.

Step 3 — Enroll the same device for TOTP

Push and TOTP are enrolled separately, even within the same app. Don't skip this step — TOTP is what fills the role Google Authenticator was playing.

  1. Still in the JumpCloud User Portal → Security tab.

  2. Under Verification Code (TOTP), click Configure (or Reset TOTP if you previously used Google Authenticator for TOTP).

  3. If asked, enter a current code from your existing TOTP app to authorize the reset.

  4. Scan the new QR code with JumpCloud Protect.

  5. Enter the 6-digit code from JumpCloud Protect back into the portal to confirm.

Step 4 — Move other work TOTP codes off Google Authenticator

If you have TOTP set up for any other work apps (admin consoles, AWS root, vendor portals, GitHub, etc.) that currently live in Google Authenticator, re-enroll them in JumpCloud Protect:

  1. Log into the app/service.

  2. Go to the security/MFA settings and choose Reset or Reconfigure the authenticator.

  3. Scan the new QR code with JumpCloud Protect instead of Google Authenticator.

  4. Remove the old entry from Google Authenticator once you've confirmed the new one works.

Step 5 — Save your recovery info

When you set up each TOTP account, you're usually shown a recovery key, backup codes, or a string of characters. Save these in your password manager, not in a screenshot in your camera roll. This is your "break glass" if you lose your phone.


Option 2 (acceptable): Disable sync in Google Authenticator

If you want to keep using Google Authenticator, you need to make sure it isn't tied to your work Google account.

On iOS or Android:

  1. Open the Google Authenticator app.

  2. Tap your profile picture / avatar in the top-right corner.

  3. Tap Use Authenticator without an account.

  4. Tap Continue to confirm.

The green cloud icon will disappear. Your codes are now stored only on the device.

Important: Doing this does not delete your codes from the device. It just stops syncing them to your work Google account. However, if the device is ever lost, wiped, or replaced, those codes are gone unless you've previously transferred them to a new device. Save recovery keys to your password manager.

Note: If you have already lost your codes because Google signed you out, disabling sync now won't bring them back. See the next section.


I'm already locked out

If you opened Google Authenticator today and the work entries are gone (or the app is asking you to sign back into Google and Google requires the very code you just lost), here's the recovery path:

  1. Don't panic and don't reinstall the Google Authenticator app — that will not bring the codes back and may make things harder.

  2. Contact IT/Support and request a JumpCloud MFA reset. We'll verify your identity through an out-of-band channel (this is intentional and is the only safe way to do this).

  3. Once your JumpCloud MFA is reset, you'll be guided through enrollment again. Use JumpCloud Protect this time — see Option 1 above.

  4. For any other work apps whose TOTP was also lost, you'll need to contact the owner of that app (or its support) to have their MFA reset as well. Most SaaS vendors require account verification before they'll do this.


FAQ

Do I have to uninstall Google Authenticator? No. You can keep Google Authenticator installed for personal accounts. The recommendation is just that work MFA shouldn't live in an app that's signed into your work Google account.

Can I use both JumpCloud Protect and Google Authenticator? Yes. Many people keep JumpCloud Protect for work and Google Authenticator (without sync) for personal accounts. Just don't keep work TOTP seeds in both — pick one to be authoritative for each account.

Does this affect Authy, 1Password, or other authenticator apps? This specific failure mode is about Google Authenticator syncing to a Google account that gets re-federated. Other authenticator apps have their own backup mechanisms (Authy uses a phone number, 1Password uses your 1Password account) and don't have this specific chicken-and-egg with JumpCloud. They have other trade-offs we won't get into here. JumpCloud Protect is still the supported tool for work MFA.

What if I'm a hardware-key user (YubiKey, Titan, etc.)? You're not affected by this issue. Hardware keys don't depend on a sync service. Keep doing what you're doing — and make sure you have a backup key registered.

Will I get push notifications if I'm offline? Push won't work without internet, but the TOTP side of JumpCloud Protect works offline. That's why we have you enroll in both.
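To make concrete what a "TOTP seed" is (the thing Google Authenticator syncs, as described in Why this happens) and why the TOTP side of an authenticator keeps working with no network, here is an added example that is not part of this article and not code from JumpCloud or Google. It implements RFC 6238 TOTP in Python: a 6-digit code is just HMAC-SHA1 of the current 30-second counter under the seed, so a device holding a local copy of the seed can produce codes offline, and a server holding the same seed can verify them. The seed below is the RFC's published reference secret, constructed for the demo; the function names are our own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo seed: the RFC 6238 reference secret "12345678901234567890"
# encoded in base32, which is the format authenticator QR codes carry.
DEMO_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated."""
    # Tolerate unpadded base32 (authenticator apps usually strip the '=' padding).
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32, at_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock alone.

    Nothing here touches the network: only the seed and the device clock matter,
    which is why the TOTP side of an authenticator works offline.
    """
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time) // step, digits)


def verify_totp(secret_b32, code, at_time=None, step=30, digits=6, window=1):
    """Server-side check: accept the current step and +/- `window` steps of clock drift.

    Uses a constant-time comparison so a wrong guess leaks no timing information.
    """
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter + delta, digits), code):
            return True
    return False


if __name__ == "__main__":
    # Both sides hold the same seed; the "device" computes, the "server" verifies.
    now = time.time()
    device_code = totp(DEMO_SEED_B32, now)
    print("device shows:", device_code)
    print("server accepts:", verify_totp(DEMO_SEED_B32, device_code, now))
```

The same function run on the device and on the server with the same seed agrees on the code, and nothing else is needed. That is also the other side of the article's point: once the seed is gone from your phone, there is no way to recompute it from anything else you have, which is why the only way out is an MFA reset.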


Why we're making this change

This isn't a hypothetical. The pattern we keep seeing is: a user has Google Authenticator synced to their work Google account, an identity change happens (federation rollout, session invalidation, password reset on the Google side), the Authenticator app silently signs out, and the user discovers their MFA codes are missing right when they're trying to log in to fix something else. The recovery is always more painful than the prevention.

A 10-minute switch to JumpCloud Protect today saves a multi-hour lockout later.