I've started using the Google Authenticator app for two-factor authentication (2FA, TFA). I've forgotten to note the secret keys in my password file to be able to recover 2FA after a phone loss. I wanted to extract the secret keys from Google Authenticator. The app allows you to transfer accounts from one phone to another by QR codes.
How to extract two-factor authentication (2FA, TFA) secret keys from export QR codes of "Google Authenticator" app?
I've written a Python script which extracts the secret keys from the QR code data.
Usage
- Export the QR codes from the "Google Authenticator" app
- Read the QR codes with a QR code reader (probably on a second device)
- Save the captured QR codes in a text file, one QR code per line. The captured QR codes look like otpauth-migration://offline?data=...
- Call this script with the file as input:
python extract_otp_secret_keys.py -p example_export.txt
Source code: github.com/scito/extract_otp_secret_keys
Example of extracted key with QR code
Requirement
Google's protobuf package for proto3 is required to run this script.
pip install protobuf
Optional
For printing QR codes, the qrcode module is required. protobuf >= 3.14 is recommended.
pip install qrcode[pil]
Known to work with
- Python 3.6.12 and protobuf 3.14.0
- Python 3.8.5 and protobuf 3.14.0
Technical background
The export QR code of "Google Authenticator" contains the URL otpauth-migration://offline?data=...
The data parameter is a base64 encoded proto3 message (Google Protocol Buffers).
Command to regenerate the Python code from the proto3 message definition file (only necessary if the proto3 message definition changes):
protoc --python_out=generated_python google_auth.proto
References
- Proto3 documentation: https://developers.google.com/protocol-buffers/docs/pythontutorial
- Template code: https://github.com/beemdevelopment/Aegis/pull/406