Open in app

Sign in

Write

Sign in

TOTP Secret Extraction from QR codes

James Cavallo
6 min readOct 20, 2023

--

Do you have MFA enabled on any of your accounts? Well then chances are that you have been using TOTP (time based one time passcodes) unknowingly.

So what exactly is TOTP?

TOTP stands for “Time-Based One-Time Password.” It’s a security mechanism used to generate temporary authentication codes, often for two-factor authentication (2FA). TOTP codes are valid for a short period, typically 30 seconds, and are generated based on a shared secret key and the current time.

You are likely familiar with TOTP as an annoying second step to logging in. If you use an Authenticator app such as Duo, Google, or Microsoft Authenticator then you have probably been forced to enter a code after logging in with your regular account credentials. Does this look familiar:

I would guess that you’ve seen a similar screen before — trust me I know I have!

Why is TOTP important?

1. Enhanced Security: TOTP adds an extra layer of security to your online accounts. Even if someone manages to steal your password, they would still need the current TOTP code to gain access.

2. Protection Against Phishing: TOTP codes are time-based and generated using a shared secret key. This makes it more difficult for phishing attacks to succeed because attackers would also need access to your TOTP generator.

3. Mitigation of Credential Theft: In the event of a data breach where your password is exposed, TOTP can prevent unauthorized access to your account since the attacker would lack the time-sensitive TOTP code.

Really all of these ChatGPT generated bullets echo the same message: TOTP adds a second defense against password attacks.

TOTP Secret: a seed

I like to think of a TOTP secret key as a seed. Here is exactly how it works:

  1. Secret: A TOTP secret key is a randomly generated, shared secret between a user and a service (e.g., an online platform or website). This secret is typically provided to the user in the form of a QR code during the initial setup of two-factor authentication (2FA).
  2. Encoding: The secret key is usually encoded in Base32 or Base64 format for compatibility and security.
  3. Generation of OTP: remember that code that you get in your Authenticator app? This key is used to generate a one-time password (OTP), both the user and the service use this shared secret key and the current time as inputs into a cryptographic algorithm, typically HMAC-SHA1 or HMAC-SHA256. This produces a unique, time-based code.
  4. Short Validity: the OTP generated from the secret key is only valid for a short period, often 30 seconds. After that time window, a new OTP is generated.

TL;DR: TOTP secrets are used to generate the OTP codes that your Authenticator app provides. In other words they are like a master key that can generate unlimited mini keys.

Chances are that you have never actually seen a TOTP secret before — this is because your authenticator app stores this value. So given a QR code can we reverse engineer this TOTP secret value? Turns out the answer is resounding yes.

Extracting the secret step by step:

Step 1 (Finding a QR code):

Find yourself a QR code. This will need to be a QR code given to you on TOTP setup. This can of course be a setup code from any website. An example of what this may look like is the following:

Example of a TOTP setup page

Our goal here will be to extract the secret from the QR code image. Once we have this code we can generate as many OTP as we want (don’t worry if you are confused by this, I will explain later in the tutorial).

Step 2 (import this code into an authenticator app):

You can use Google Authenticator (iOS, Android) or any other MFA app for this step. For the purposes of this tutorial I will proceed with Google Authenticator, however, feel free to use whatever you are most familiar with!

A) First scan your chosen QR code using your Authenticator app. In Google Authenticator you can simply tap the plus button in the bottom right corner and then choose Scan a QR code.

Importing a new TOTP with Google Authenticate

B) This is where things get annoying. We next need to export this newly scanned TOTP using your authenticator’s export feature. The following screenshots show how to export your code. First tap the three dots in the top right hand corner of the Search for accounts bar. Next, tap Export accounts and you will be presented with a new QR code.

Exporting a TOTP source QR code with Google Authenticate

Step 3 (extract QR code data):

We almost have the secret, we just need to extract the link that is stored within the exported QR code above. To do this you can either scan this code with another device, or screenshot the code and then use an online reader to extract the link. I will use the latter option for this tutorial. To do this you can use this online QR code reader, or any other that you are familiar with! Simply upload the code from step 2 to get the Scanned Data that is contained in it.

Reading source QR code data

Step 4 (extract the TOTP secret from this data):

Have a look at our example scanned data, notice anything interesting?

otpauth-migration://offline?data=CkoKDZePmX7z8qHgFlH9yVc
SIlRoaXNfaXNfYW5fRXhhbXBsZTplbWFpbEBlbWFpbC5jb20aD0V4YW1
wbGVfV2Vic2l0ZSABKAEwAhABGAEgAA%3D%3D

The data component is encoded with Base64. In this payload is our TOTP secret! We are now just need to extract it, luckily for us, there is an open source Python library on Github for this. I will be doing this on Mac zsh shell, but you can do the same on Windows or Linux with slightly altered commands. First fire up Terminal and then follow the below steps:

A) Clone the extract_otp_secrets Python library locally (you will need booth Python and Git installed).

git clone https://github.com/scito/extract_otp_secrets

B) Next, switch into the newly cloned in directory and install the library with pip.

cd extract_otp_secrets
pip install -e .

C) Store the data from step 3 in a .txt file

cd src
sudo nano keys.txt

Paste in the data from step 3 and press control-o (^ + o) on your keyboard to save this new .txt file using nano. I just used nano text editor here because I am familiar with it. Really you just need to store your data from step 3 in a .txt file so that it is readable by the Python script. Feel free to do this any way that is easiest!

D) Run the program to extract the secret. Ensure that your text file contains the data from step 3. In the example below key.txt contains this data and is in the same directory ad my extract_otp_secrets.py script.

python3 extract_otp_secrets.py key.txt
Extracted TOTP secret data

If everything goes as planned you should get an output similar to above! You can see we now have the secret value and can use it for a variety of purposes.

Congrats! You now have a TOTP secret, go ahead and automate MFA logins or generate OTP codes on the fly. You can see full documentation for the extraction Python library here.

Totp
Cryptography
MFA
Authentication
Security

--

--

James Cavallo

Written by James Cavallo

19 Followers

I'm a Software Engineer at Audible and I talk about software development, hiking, and philosophy.

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams