A low-tech way to see the TOTP secret exported from Google Authenticator

Google Authenticator’s Export functionality produces a QR code. You can scan the QR code with another copy of Google Authenticator, to transfer the Time-based One-Time Password (TOTP) secret to a new phone for example. But if you want to use the secret in another context, it’s annoying and tricky. For example, if you need to authenticate in order to run automated tests, you can’t be getting your phone out each time your CI job runs.

These instructions are for a Debian-based Linux machine.

  1. sudo apt-get install zbar-tools oathtool protobuf-compiler (zbar-tools is the package that ships zbarcam-gtk on Debian 11 and later; older releases only have the plain zbarcam, which prints the decoded text to the terminal instead of a window)
  2. Click the three dots menu in Authenticator, choose Export, and select the accounts you want to export
  3. Run zbarcam-gtk and point your computer’s camera at the QR code displayed on your phone
  4. Copy the URL at the bottom of the window
  5. Paste it somewhere and delete the prefix, QR-Code:otpauth-migration://offline?data= – what remains is URL-encoded base64 of a protobuf message
  6. Open Python3 and run (the file must be opened for writing in binary mode, and the URL-encoded base64 has to be decoded to the raw protobuf bytes that protoc expects):
    from urllib.parse import unquote
    import base64
    with open("secret.proto", "wb") as out:
      out.write(base64.b64decode(unquote("the rest of the decoded QR")))
    
  7. Back in the terminal, run protoc --decode_raw < secret.proto. Each exported account is printed as a 1 { ... } block; the secret is the quoted string tagged 1: inside that block, and the account name and issuer follow it.
  8. rm secret.proto (rm only unlinks the file; use shred -u secret.proto if the disk isn’t encrypted and you care about the bytes lingering)
  9. Copy the thing that looks like \123WE\012 etc – the raw bytes of the TOTP secret, with non-printable bytes shown as octal escapes – not including its quotation marks.
  10. Back in Python, type (a bytes literal understands the same \ooo octal escapes protoc prints, so pasting the string between b" and " gives back the original bytes)
    base64.b32encode(b"PASTE HERE")
    

    You should get back a bytes object that’s all letters and numbers. That’s the TOTP secret, encoded in base32; call .decode() on it if you want it as a plain string.

  11. Now, any time you need a one-time password, you can run (add -d 8 if the account uses eight-digit codes; the default is six)
    oathtool -b --totp the_base32_secret
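
If you would rather not copy escaped strings around by hand, steps 5 to 10 can be done in one script. The following is an added example, not code from the original post: it strips the zbarcam and otpauth-migration prefixes, URL- and base64-decodes the payload, walks the protobuf wire format directly (so protoc is not needed), base32-encodes each secret for oathtool -b, and computes a TOTP code itself so you can check it against what oathtool prints. The protobuf field numbers are the community’s reverse-engineered layout of Authenticator’s MigrationPayload and are an assumption; build_migration_url() and the account it is fed are constructed test data so the script runs without a phone.

```python
"""Decode Google Authenticator's otpauth-migration:// export URL without protoc.
Added example, not the post's code.  The MigrationPayload field numbers below are
the community's reverse-engineered layout (an assumption); accounts fed through
build_migration_url() are constructed test data."""
import base64
import hmac
import struct
from urllib.parse import quote, unquote

MIGRATION_PREFIX = "otpauth-migration://offline?data="
ZBAR_PREFIX = "QR-Code:"  # zbarcam prefixes the payload with the symbology name

# Minimal protobuf wire format: only varints (type 0) and length-delimited (type 2).
def _varint(n):
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def _read_varint(buf, pos):
    result, shift = 0, 0
    while True:
        byte, pos = buf[pos], pos + 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7

def _field(number, value):
    """Encode one field: str/bytes -> length-delimited, int -> varint."""
    if isinstance(value, str):
        value = value.encode()
    if isinstance(value, bytes):
        return _varint(number << 3 | 2) + _varint(len(value)) + value
    return _varint(number << 3) + _varint(value)

def _fields(buf):
    """Yield (field_number, value); value is bytes for type 2, int for type 0."""
    pos = 0
    while pos < len(buf):
        key, pos = _read_varint(buf, pos)
        number, wire_type = key >> 3, key & 7
        if wire_type == 0:
            value, pos = _read_varint(buf, pos)
        elif wire_type == 2:
            length, pos = _read_varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
        else:
            raise ValueError(f"unexpected wire type {wire_type} in field {number}")
        yield number, value

def build_migration_url(accounts):
    """Constructed fixture shaped like the export QR.  Assumed layout: payload field 1 =
    repeated OtpParameters{1 secret, 2 name, 3 issuer, 4 algorithm (1=SHA1), 5 digits
    (1=six), 6 type (2=TOTP)}; payload fields 2-4 = version, batch_size, batch_index."""
    payload = b"".join(
        _field(1, _field(1, a["secret"]) + _field(2, a["name"]) + _field(3, a["issuer"])
               + _field(4, 1) + _field(5, 1) + _field(6, 2))
        for a in accounts)
    payload += _field(2, 1) + _field(3, 1) + _field(4, 0)
    return MIGRATION_PREFIX + quote(base64.b64encode(payload).decode(), safe="")

def parse_migration_url(url):
    """Steps 5-10 of the post: strip prefixes, URL-decode, base64-decode, walk the
    protobuf, and base32-encode each secret for oathtool -b."""
    if url.startswith(ZBAR_PREFIX):
        url = url[len(ZBAR_PREFIX):]
    if not url.startswith(MIGRATION_PREFIX):
        raise ValueError("not an otpauth-migration URL")
    b64 = unquote(url[len(MIGRATION_PREFIX):])
    b64 += "=" * (-len(b64) % 4)  # tolerate stripped base64 padding
    names = {1: "secret", 2: "name", 3: "issuer", 4: "algorithm", 5: "digits", 6: "type"}
    accounts = []
    for number, value in _fields(base64.b64decode(b64)):
        if number != 1:
            continue  # batch metadata, not needed to recover secrets
        acct = {"secret": b"", "name": "", "issuer": "", "algorithm": 1, "digits": 1, "type": 2}
        for f, v in _fields(value):
            if f in names:
                acct[names[f]] = v.decode() if f in (2, 3) else v
        acct["secret_b32"] = base64.b32encode(acct["secret"]).decode()
        accounts.append(acct)
    return accounts

def decode_protoc_string(text):
    """Turn protoc --decode_raw's escaped string (e.g. \\123WE\\012) back into raw bytes,
    which is what the post does by pasting it into a b"..." literal."""
    return text.encode("latin-1").decode("unicode_escape").encode("latin-1")

def totp(secret, for_time, digits=6, period=30, algorithm="sha1"):
    """RFC 6238 TOTP from the raw secret bytes, equivalent to oathtool --totp."""
    counter = struct.pack(">Q", int(for_time) // period)
    mac = hmac.new(secret, counter, algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

if __name__ == "__main__":
    import time
    url = build_migration_url([{"secret": b"12345678901234567890",
                                "name": "ci@example.com", "issuer": "Example"}])
    for acct in parse_migration_url(url):
        print(acct["issuer"], acct["name"], acct["secret_b32"], totp(acct["secret"], time.time()))
```

To use it on a real export, pass the line zbarcam printed to parse_migration_url() and compare totp(acct["secret"], time.time()) with what oathtool -b --totp prints for acct["secret_b32"]; the sample secret is the RFC 6238 test key, whose base32 form is GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ and whose six-digit code at Unix time 59 is 287082.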
    

This is less secure than your phone: the secret sits in plaintext on disk (in secret.proto until you delete it, and in your shell history file once you have run step 11), and anyone who obtains it can generate valid codes for as long as the account keeps that secret. If it is going into CI, keep the base32 secret in the CI system’s secret store rather than in a script, and in bash set HISTCONTROL=ignorespace and start the oathtool command with a space so it stays out of .bash_history. But it can be worthwhile in certain cases.

I did it this way because I didn’t know what TOTP desktop apps were trustworthy or would send your passwords to Nocturnal Aviation Associates. I figured these tools were low-level enough that they wouldn’t be scams?

Categories:

work