If you are reading this article, I’m sure you are aware that the QR codes generated by the Google Authenticator app when transferring accounts are unreadable by other applications capable of generating TOTP codes. For example, applications like Authy, Microsoft Authenticator, LastPass, or 1Password, to name a few, will return an error message when attempting to scan the QR code.
The whole idea of extracting Secret Keys from Google Authenticator came about when I wanted to export my Google Authenticator accounts to 1Password. To my surprise, 1Password could not read the QR codes generated by the Google Authenticator app, and I did not have the Secret Keys.
I had two choices: visit each account secured with Two-Factor Authentication and rescan the QR codes with 1Password, or try to extract the Secret Keys from the Google Authenticator QR codes. I immediately discarded the first option due to the many accounts I have in the Google Authenticator app and the hours it would take to visit all the sites.
Having only one option left, I started my research. I quickly found a simple solution in the form of a decoding software that is easy to use and does the job of extracting Secret Keys from Google Authenticator QR codes very well.
Exporting Google Authenticator accounts.
To export Google Authenticator accounts, select the Transfer Accounts option from the Google Authenticator menu, followed by the Export Accounts option.
You can either generate a QR code for each account in Google Authenticator or select them all as a batch, which will produce one or more QR codes depending on the number of accounts you have chosen. The method of extracting the Secret Keys from the QR code presented in this article works either way, but exporting all accounts at once will save you a lot of time.
Extracting the data from the QR Code.
By the way, did you know that the 1Password has an Authenticator application built into it that will automatically populate the 2FA codes for you on the login page both on your computer and the mobile browser? I have been using 1Password for over three years now, and I cannot overstate how much I like this Password Manager. You can try 1Password for free for 14 days or visit the 1Password website for more information.
The first thing I needed to do was extract the data embedded within the QR code using a mobile phone camera.
Most modern mobile phone cameras can read QR codes, but if yours doesn’t work for some reason, then download the most popular QR Code Scanner app from the app store and use this instead.
We can do this in several ways, but my favorite was to take a picture of the Google Authenticator QR code using my spare phone. I then pointed my primary phone camera at the QR image I had just taken until the link appeared at the bottom of the screen. The QR scanner my camera uses reads the data encoded within the QR code and returns it as a hyperlink. Clicking that link will open the browser where we can copy the data from the address bar.
Get your spare phone and take a picture of each QR code generated by the Google Authenticator app. Remember that the screenshot option is disabled when using the Google Authenticator app; you will need a spare phone, digital camera, a webcam, or a third-party screenshot app to take the picture.
As long as the device you used to take the pictures of the QR codes has a screen, you are good to go. Otherwise, send the images to your computer or another device where you can display them on the screen.
You can see the example of me pointing the camera at the QR code image captured using my spare phone below. Notice the red arrow pointing at the data extracted from the QR code.
Click the link to open the browser and copy the data from the address bar into Notepad or Notepad++.
The data copied from the browser address bar should look similar to the example on the image below.
The data embedded within the Google Authenticator QR code is a Google Protocol Buffers (proto3) message encoded as Base64. Now that we have that data, we will pass it through the decoding software, which will extract the Secret Keys and produce new QR codes.
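The decoding step described above, shown as an added example (it is not the downloaded tool's code and not from the original article). It assumes the scanned link has the form `otpauth-migration://offline?data=...` and the community-documented field numbering (field 1 = one account entry, containing 1 = secret bytes, 2 = name, 3 = issuer); the sample URL is constructed, not a real account.

```python
import base64
from urllib.parse import urlparse, parse_qs, quote

def read_varint(buf, pos):
    """Decode one protobuf base-128 varint; return (value, next_pos)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        value |= (byte & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
        if not byte & 0x80:
            return value, pos

def parse_fields(buf):
    """Yield (field_number, value) for varint and length-delimited fields."""
    pos = 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        if key & 7 not in (0, 2):
            raise ValueError(f"unexpected wire type {key & 7}")
        value, pos = read_varint(buf, pos)    # the varint itself, or a length prefix
        if key & 7 == 2:                      # length-delimited: bytes, string, message
            if pos + value > len(buf):
                raise ValueError("truncated field")
            value, pos = buf[pos:pos + value], pos + value
        yield key >> 3, value

def extract_accounts(export_url):
    """Return name, issuer and Base32 secret for each account in one export URL."""
    data = parse_qs(urlparse(export_url).query)["data"][0]
    payload = base64.b64decode(data.replace(" ", "+"))  # unescaped '+' parses as space
    accounts = []
    for number, value in parse_fields(payload):
        if number == 1:                       # assumed schema: field 1 = one account
            entry = dict(parse_fields(value))
            accounts.append({"name": entry.get(2, b"").decode(),
                             "issuer": entry.get(3, b"").decode(),
                             "secret": base64.b32encode(entry[1]).decode().rstrip("=")})
    return accounts

def _field(number, data):                     # sample builder: short bytes field
    return bytes([number << 3 | 2, len(data)]) + data

# Constructed sample, not a real account: secret, name, issuer, type=2, version=1.
_entry = (_field(1, b"Hello!\xde\xad\xbe\xef") + _field(2, b"alice@example.com")
          + _field(3, b"Example") + bytes([6 << 3, 2]))
SAMPLE_URL = "otpauth-migration://offline?data=" + quote(
    base64.b64encode(_field(1, _entry) + bytes([2 << 3, 1])).decode(), safe="")
```

The Base32 strings returned here are the live TOTP seeds, so the export text file, the photos of the QR codes and the browser history entry holding the link need the same handling as a password list.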
Download the Secret Key extraction software.
Note: Although I have used the software below successfully, I am not the owner of this software, nor do I have any affiliation with the author. You are using the software at your own risk.
Follow the link below and download the ZIP file to your computer.
Once downloaded, unzip the archive on your desktop and open the directory.
Install Python on your computer.
Make sure to check the Readme file, which will list the requirements for the software. For example, when I was writing this article, Python 3.8 was the version I had to install.
Open the Microsoft Store, type Python in the search box, and press enter.
Click the version of Python listed in the Readme file and install it.
Close the Microsoft Store window once the installation has finished and open the directory with the software.
Preparing the data for Secret Keys extraction.
Get back to the directory with the software and open the example_export.txt file in Notepad or Notepad++. Select everything and delete the sample data. Then, copy the data we extracted earlier from the Google Authenticator QR code, paste it into the text file, save it, and close it.
Note: If you have more than one set of data extracted from multiple QR codes, make sure each set is on a separate line.
The software we will use to extract the Secret Keys from the Google Authenticator QR code is a console tool. Type cmd in the folder address bar and press Enter to open the command line window.
If you’ve done everything correctly, you should see the command line window like the one below.
Now that we have our data ready, we must install the dependencies to allow the software to decode the provided data and extract the Secret Keys.
Get back to the command line window, and type the following commands one after another, remembering to press Enter after each command.
- pip install protobuf
- Press Enter.
- pip install qrcode[pil]
- Press Enter.
The first command installs the Google Protocol Buffers (proto3) package required for the software to decode the data. The second command is optional and allows the software to generate a QR code for each account it decodes. You will end up with your Secret Keys and new QR codes that any 2FA software can read, unlike the QR codes generated by the Google Authenticator app.
Extracting Secret Keys from the encoded data.
Finally, we are ready to run the software and extract the Secret Keys. Get back to the command line, type or paste in the following command, and press Enter.
- python extract_otp_secret_keys.py -p example_export.txt
If all went fine, you should see the results in the command line window. The software extracted the Secret Keys and generated a new QR code for each account.
Can you screenshot Google Authenticator QR codes?
You will not be able to take a screenshot of the Google Authenticator app when using your phone’s built-in screenshot option. However, downloading a third-party application from the app store will allow you to circumvent this security feature. The other option, which I used in the example above, is to use a spare phone to take pictures of the Google Authenticator QR codes.