Google Authenticator

I’ve been using Google Authenticator for years now, and it seems that Google just recently added support for exporting/syncing accounts. One feature that I and a few people have been missing is the ability to export the OTP/TOTP secret keys from each account.

Account Export

As stated above, the Google Authenticator App now has the ability to export accounts for use/migration on another device. The issue, however, is that the migration is one2one. Meaning, you can only move from one Google Authenticator app to another.

In this tutorial, I’ll demonstrate a procedure. A hack if you will. Using three tools:

• The Google Authenticator App itself
• ZBar bar code reader
• google-authenticator-exporter
• Podman or Docker
• Some method to screen capture the export QR-Codes and transfer them to you’r computer

Capturing the moment

To begin with, a “export” has to be started.

1. Tap the hamburger menu icon in the upper-left corner of the screen to open the side menu.
2. Select Transfer accounts from the options. You’re asked to export or import existing accounts.
3. Select Export accounts. You’re asked to verify the action with your fingerprint or lock screen password.
4. Enter your password or input your fingerprint. You’re asked to select the accounts to export. All the accounts are selected by default.
5. Tap Next. A barcode displays on your screen to be scanned by your new device.
6. Screen capture all of the presented QR-Codes and crop them if necessary.
7. Transfer the captured QR-Codes to a computer.

Machine Reading

The QR-Codes can now be read using software instead of Google Authenticator or any other app. I prefer to use an application known as zbarimg, from the zbar suite.

On macOS, it can be installed using Homebrew.

brew install zbar

Once installed, the zbarimg can be used to “scan” the images.

zbarimg IMAGE_FILE

If there are more than one images, or parts, these need to be scanned as well.

The output will look something like this:

QR-Code:otpauth-migration://offline?data={783-char-random-propriety-google-base64-urlencode-string}

Take note of the otp-migration:// URIs, without the prepended “QR-CODE” part.

Decode

I can honestly say that I gave it a go, but failed miserably in trying to decode the garbled urlencode-base64 mess that Google has (possibly) invented. Luckily krissrex/google-authenticator-exporter has done the hard work for us.

As per krissrex instructions, the recommended approach is to utilize Docker build (or Podman, even better).

Clone and build:

git clone https://github.com/krissrex/google-authenticator-exporter
cd google-authenticator-exporter
podman build . -t google-authenticator-exporter:0.0.1

Decode previously obtained URIs:

1. Run the container

podman run -it --rm google-authenticator-exporter:0.0.1

2. Enter the URI when prompted
3. Press enter until the secrets are printed in JSON

Store the secrets securely or enter the TOTP secrets in another OTP app.

Cleanup

Remember to delete the QR images and any other remnants of the procedure.