How does it work?
The TOTP (Time-based One-Time Password) is an OTP generated from a shared key and the current time. When you scan the QR code to set up MFA in the authenticator app (on any service), you are reading the shared key from the QR code. In order to generate the OTP, the app needs the shared key. Because of that, the key has to be stored somewhere on the device itself so that the app can use it. The authenticator apps (Google and LastPass) store this key in an SQLite3 database.
The idea is to extract the key and generate the QR code again so that you can scan it in a new app without having to remove and re-add 2FA on your online account (whichever it may be).
Works for me (TM)
This was tested with:
- Google Authenticator v2.49 on Android 4.2.1 (rooted)
- LastPass Authenticator v1.2 on Android 7.1 (rooted)
Scripts in this repository depend heavily on the SQLite database schema of the authenticator app. So if the schema changes in a new version, this method could break until I update the repository.
If it breaks for you, please open an issue with the following information:
- Exact Google Authenticator version (you can check it in Settings > About)
- Exact Android version
- Any other information about the error
It doesn't work
Sure it does!
The only thing that can fail here is time synchronisation between your different devices and different authenticator app vendors.
- Please check that both the old and new devices have the same timezone and time.
- Try the "offset compensation" feature in the authenticator settings if the codes don't match.
- Keep in mind that you won't get a perfect match between two different devices. You may experience a 10-second offset between two devices.
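The following is an added example, not code from this repository: it derives the code from the shared key and the clock as described under "How does it work?", and counts how long two devices with a clock offset show different codes. It assumes the RFC 6238 defaults (HMAC-SHA1, 30-second window, 6 digits); the key is the public RFC 6238 test key and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code window (assumed: RFC 6238 default)
DIGITS = 6   # code length (assumed: authenticator default)

# Public RFC 6238 test key ("12345678901234567890" in base32), not a real account key.
SAMPLE_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time):
    """Return the TOTP (HMAC-SHA1) code for a base32 shared key at unix_time."""
    # Keys are often displayed lower-case, in groups, and without '=' padding.
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    key = base64.b32decode(cleaned)
    # The moving factor is the number of whole STEP-second windows since the epoch.
    counter = struct.pack(">Q", int(unix_time) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): low nibble of the last byte picks 4 bytes.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def codes_match(secret_b32, clock_a, clock_b):
    """True if two devices whose clocks read clock_a and clock_b show the same code."""
    return totp(secret_b32, clock_a) == totp(secret_b32, clock_b)


def mismatch_seconds(secret_b32, start, drift, span=STEP):
    """Count the seconds in [start, start + span) where a device running
    `drift` seconds ahead shows a different code from the reference device."""
    return sum(
        not codes_match(secret_b32, t, t + drift)
        for t in range(start, start + span)
    )


if __name__ == "__main__":
    window_start = 1111111080  # constructed: a Unix time that begins a 30 s window
    print("reference code:", totp(SAMPLE_KEY, window_start))
    print("same window, 10 s apart:", codes_match(SAMPLE_KEY, window_start, window_start + 10))
    print("seconds of mismatch with 10 s drift:", mismatch_seconds(SAMPLE_KEY, window_start, 10))
```

With a 10-second offset the two devices disagree only while one of them has already rolled over to the next window, so compare codes a few times rather than once.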
Does it work on Linux/OS X/Windows?
It should work everywhere as long as you have all dependencies installed (see below):
- Any Linux distro (tested on Ubuntu 14.04)
- MacOS
- Windows via Cygwin
Step 1
To access the SQLite database, we need root permission. So, root your phone that has the authenticator app installed.
Step 2
We will be using ADB (Android Debug Bridge) to pull the database from the phone to your computer. Install adb on your PC/Mac. A simple Google search with your operating system name should be more than enough to get you started.
Step 3
Make sure you have sqlite3, netcat (nc), adb and bash installed on your machine. If you are on a Mac/Linux machine, you're probably good to go.
Step 4
Enable Developer options on your old phone and enable USB debugging. Connect your phone to the computer using a USB cable.
Note: Make sure that you enable root for adb.
Step 5
Make sure that you have the adb connection working. adb devices should show your device.
- Run adb shell. This puts you in your phone's shell.
- Run su. When you press enter, check your phone and grant root permission to ADB.
For Google Authenticator
Run the following command in the shell:
cp /data/data/com.google.android.apps.authenticator2/databases/databases /sdcard/
For LastPass Authenticator
cp /data/data/com.lastpass.authenticator/databases/databases /sdcard/
Step 6
The above step copies the database to your sdcard. Now we need to copy it to your computer. Open a new terminal, cd to where you cloned this repository, and run
./extract.sh
Step 7
If that worked without showing any errors, the SQLite database should be at data/databases.
Run ./doit.sh and follow the instructions on screen.
Step 8
That's it. This is the same QR code as the one you scanned the very first time with your old phone. Hover your mouse over one of the blue squares and its QR code is displayed. Open the authenticator on the new device and scan each code.
Note: You can use any authenticator app to scan the code and it should work.
Step 9
Congratulations if you made it this far. Your Authenticator codes are now transferred to your new device.
WARNING!!!! WARNING!!! WARNING!!!
Before you remove your codes from the old device, make sure that the one-time passwords generated by the Authenticator apps are EXACTLY the same on both devices. Note that both devices should have the correct date and time set. If the codes are different and the time is the same, the schema of the SQLite db has probably changed. Open an issue and I shall take a look.
Thank you for using this guide :)
Awesome links:
- Google auth URL format: https://code.google.com/p/google-authenticator/wiki/KeyUriFormat
- QR code JS library: http://davidshimjs.github.io/qrcodejs/
- QR code command-line library: https://github.com/gtanner/qrcode-terminal