When you set any protection in WinAuth such as using a password, locking to the current user, or using a YubiKey, then your authenticator information is encrypted using the keys generated from those sources.
For this reason there is no password recovery, or any way to recover your information if your keys are lost.
This can happen if:
- you forget or lose your password
- you re-install Windows without removing the protection
- you lose or your YubiKey becomes faulty
MAKE BACKUPS OF ALL YOUR AUTHENTICATORS
You can do this in several ways:
- Use the Export option in WinAuth. This creates a password protected zipped file that can be opened in any text editor to view your secret keys.
- Right-click each authenticator and choose “Show Secret Key…” then write down the key and keep it somewhere safe.
- Take a copy of the configuration file “\Users\
\AppData\Roaming\WinAuth\winauth.xml”. Note: you must TURN OFF the “Encrypt to only be useable on this computer” setting before you make your copy.
As a precaution, WinAuth also makes an automatic encrypted backup of each newly created authenticator into your registry, or .xml file if running in portable mode. You can provide your PGP key for the backup by adding a
<pgpkey> tag into your winauth.xml file, otherwise the default WinAuth PGP key is used.
Recovering an Authenticator
From an exported WinAuth file
From a new or existing version WinAuth, click the “Add” button, choose “Import…” and select your backup file.
From a saved copy of your secret key
Click “Add” and choose the appropriate authenticator type and enter the Secret key (or Recovery code) into the opened window.
If you’ve been asked to provide your registry backup
- Run regedit.exe (click Start then “Run…” and enter “regedit”. If you do not have the “Run..” option visible, use the search field and find “regedit”).
- Click the small arrow to the left of HKEY_CURRENT_USER so it expands
- Do the same for: Software and WinAuth3
- Click on Backup under WinAuth3.
- On the right should be list of items. Double-click each one and copy the value of the ‘Value data’ field. It starts with “—–BEGIN PGP MESSAGE—–” and ends with “—–END PGP MESSAGE—–”.
- Put each entry in an email (or attached as a text file) and send it to firstname.lastname@example.org