As one of the oldest two-factor authentication (2FA) apps available, Google Authenticator has been around for over 10 years as of 2024. Over the years, Google has finally added the functionality to export and sync accounts with Google accounts to this app.
However, Google Authenticator’s export feature can only be used within the app itself. If, unfortunately, you want to transfer to a 2FA app that doesn’t support importing from Google Authenticator, the tedious process of logging into each account with 2FA enabled and re-adding the authenticator seems to be one of the two options. The other option is to switch to a new authenticator.
If you are developing a 2FA app that needs to be compatible with users coming from Google Authenticator, or you simply want to migrate to a new authenticator, extracting the data from the QR code exported by Google Authenticator is the core topic of this post.
QR Code Analysis
Following the steps below, we can obtain the migration QR code from Google Authenticator:
- Top-left menu
- Transfer accounts
- Export accounts
- Select the accounts you want to export and proceed
When you scan the QR code, you'll get a result similar to the one below:
otpauth-migration://offline?data=Ci8KCke7Wn1dzBf7B4QSG3RvdHBAYXV0aGVudGljYXRpb250ZXN0LmNvbSABKAEwAgoqChTjrWUfiCuBHIAj%2Br0YbS8oSrOLqBIMdGVzdC1hY2NvdW50IAEoATACEAEYASAAKNyAq4%2F4%2F%2F%2F%2F%2FwE%3D
This is a neatly structured URL scheme, and it's quick to spot the parameter called data. The string that follows is the data we need to process.
A Base64 Encoded String
Ci8KCke7Wn1dzBf7B4QSG3RvdHBAYXV0aGVudGljYXRpb250ZXN0LmNvbSABKAEwAgoqChTjrWUfiCuBHIAj%2Br0YbS8oSrOLqBIMdGVzdC1hY2NvdW50IAEoATACEAEYASAAKNyAq4%2F4%2F%2F%2F%2F%2FwE%3D
This is a Base64 encoded string, but before decoding it back into the original data, it needs to be decoded.
Open the Console in your browser and use the JavaScript function decodeURIComponent to get a new, decoded Base64 string.
Ci8KCke7Wn1dzBf7B4QSG3RvdHBAYXV0aGVudGljYXRpb250ZXN0LmNvbSABKAEwAgoqChTjrWUfiCuBHIAj+r0YbS8oSrOLqBIMdGVzdC1hY2NvdW50IAEoATACEAEYASAAKNyAq4/4/////wE=
Next, search Google using terms like "Base64 to bin" or "Base64 to file." The goal is to decode this Base64 string and save the result as a file. However, if the language or environment you’re using provides a convenient Base64 decoding function, you can skip this step.
I used Base64 Guru to decode the Base64 string directly and download it as a file.
In hexadecimal, the file should look like this:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 0A 2F 0A 0A 47 BB 5A 7D 5D CC 17 FB 07 84 12 1B ./..G»Z}]Ì.û.„..
00000010 74 6F 74 70 40 61 75 74 68 65 6E 74 69 63 61 74 totp@authenticat
00000020 69 6F 6E 74 65 73 74 2E 63 6F 6D 20 01 28 01 30 iontest.com .(.0
00000030 02 0A 2A 0A 14 E3 AD 65 1F 88 2B 81 1C 80 23 FA ..*..ã.e.ˆ+..€#ú
00000040 BD 18 6D 2F 28 4A B3 8B A8 12 0C 74 65 73 74 2D ½.m/(J³‹¨..test-
00000050 61 63 63 6F 75 6E 74 20 01 28 01 30 02 10 01 18 account .(.0....
00000060 01 20 00 28 DC 80 AB 8F F8 FF FF FF FF 01 . .(Ü€«.øÿÿÿÿ.
This file is encoded using Google’s Protocol Buffers.
Deserializing Protocol Buffers
A user named Chris van Marle uploaded a data structure definition for Google Authenticator export data on GitHub called OtpMigration.proto. The Proto file below should be saved locally.
// Unofficial protobuf definition of Google Authenticator Migration exports
// Based on Google Authenticator 5.10
// Chris van Marle 04-06-2020
syntax = "proto2";
message MigrationPayload {
repeated OtpParameters otp_parameters = 1;
optional int32 version = 2;
optional int32 batch_size = 3;
optional int32 batch_index = 4;
optional int32 batch_id = 5;
}
message OtpParameters {
optional bytes secret = 1;
optional string name = 2;
optional string issuer = 3;
optional Algorithm algorithm = 4;
optional DigitCount digits = 5;
optional OtpType type = 6;
optional int64 counter = 7;
}
enum Algorithm {
ALGORITHM_TYPE_UNSPECIFIED = 0;
SHA1 = 1;
SHA256 = 2;
SHA512 = 3;
MD5 = 4;
}
enum DigitCount {
DIGIT_COUNT_UNSPECIFIED = 0;
SIX = 1;
EIGHT = 2;
}
enum OtpType {
OTP_TYPE_UNSPECIFIED = 0;
HOTP = 1;
TOTP = 2;
}
If you're familiar with Protocol Buffers, you can skip the following content.
To use Protocol Buffers in a specific language, you need to install the protoc compiler to generate the serialization and deserialization code files for that language. On macOS, if you have Homebrew, you can install it via brew install protobuf. On Windows, you can download the binary files from Protocol Buffers’ GitHub Release and add them to your system environment variables. After installation, you should be able to see the following output when running the protoc command in the Terminal.
Parse PROTO_FILES and generate output based on the options given:
-IPATH, --proto_path=PATH Specify the directory in which to search for
imports. May be specified multiple times;
directories will be searched in order. If not
given, the current working directory is used.
If not found in any of the these directories,
the --descriptor_set_in descriptors will be
checked for required proto file.
--version Show version info and exit.
-h, --help Show this text and exit.
--encode=MESSAGE_TYPE Read a text-format message of the given type
from standard input and write it in binary
to standard output. The message type must
be defined in PROTO_FILES or their imports.
--deterministic_output When using --encode, ensure map fields are
deterministically ordered. Note that this order
is not canonical, and changes across builds or
releases of protoc.
--decode=MESSAGE_TYPE Read a binary message of the given type from
standard input and write it in text format
to standard output. The message type must
be defined in PROTO_FILES or their imports.
--decode_raw Read an arbitrary protocol message from
standard input and write the raw tag/value
pairs in text format to standard output. No
PROTO_FILES should be given when using this
flag.
--descriptor_set_in=FILES Specifies a delimited list of FILES
each containing a FileDescriptorSet (a
protocol buffer defined in descriptor.proto).
The FileDescriptor for each of the PROTO_FILES
provided will be loaded from these
FileDescriptorSets. If a FileDescriptor
appears multiple times, the first occurrence
will be used.
-oFILE, Writes a FileDescriptorSet (a protocol buffer,
--descriptor_set_out=FILE defined in descriptor.proto) containing all of
the input files to FILE.
--include_imports When using --descriptor_set_out, also include
all dependencies of the input files in the
set, so that the set is self-contained.
--include_source_info When using --descriptor_set_out, do not strip
SourceCodeInfo from the FileDescriptorProto.
This results in vastly larger descriptors that
include information about the original
location of each decl in the source file as
well as surrounding comments.
--retain_options When using --descriptor_set_out, do not strip
any options from the FileDescriptorProto.
This results in potentially larger descriptors
that include information about options that were
only meant to be useful during compilation.
--dependency_out=FILE Write a dependency output file in the format
expected by make. This writes the transitive
set of input file paths to FILE
--error_format=FORMAT Set the format in which to print errors.
FORMAT may be 'gcc' (the default) or 'msvs'
(Microsoft Visual Studio format).
--fatal_warnings Make warnings be fatal (similar to -Werr in
gcc). This flag will make protoc return
with a non-zero exit code if any warnings
are generated.
--print_free_field_numbers Print the free field numbers of the messages
defined in the given proto files. Extension ranges
are counted as occupied fields numbers.
--enable_codegen_trace Enables tracing which parts of protoc are
responsible for what codegen output. Not supported
by all backends or on all platforms.
--plugin=EXECUTABLE Specifies a plugin executable to use.
Normally, protoc searches the PATH for
plugins, but you may specify additional
executables not in the path using this flag.
Additionally, EXECUTABLE may be of the form
NAME=PATH, in which case the given plugin name
is mapped to the given executable even if
the executable's own name differs.
--cpp_out=OUT_DIR Generate C++ header and source.
--csharp_out=OUT_DIR Generate C# source file.
--java_out=OUT_DIR Generate Java source file.
--kotlin_out=OUT_DIR Generate Kotlin file.
--objc_out=OUT_DIR Generate Objective-C header and source.
--php_out=OUT_DIR Generate PHP source file.
--pyi_out=OUT_DIR Generate python pyi stub.
--python_out=OUT_DIR Generate Python source file.
--ruby_out=OUT_DIR Generate Ruby source file.
--rust_out=OUT_DIR Generate Rust sources.
@<filename> Read options and filenames from file. If a
relative file path is specified, the file
will be searched in the working directory.
The --proto_path option will not affect how
this argument file is searched. Content of
the file will be expanded in the position of
@<filename> as in the argument list. Note
that shell expansion is not applied to the
content of the file (i.e., you cannot use
quotes, wildcards, escapes, commands, etc.).
Each line corresponds to a single argument,
even if it contains spaces.
Finally, you can access the Proto file through a specific language.
A Simple Example
Using C# as an example, copy the above Proto file into your current project and use protoc to compile it into the corresponding language’s code file.
protoc --csharp_out=. .\OtpMigration.proto
Once the command is executed, a C# file OtpMigration.cs will be generated in your project, allowing you to deserialize the data using the members of the MigrationPayload class.
using var input = File.OpenRead("C:\\Users\\xyfbs\\source\\repos\\GMigration\\payload.bin");
var payload = MigrationPayload.Parser.ParseFrom(input);
foreach (var item in payload.OtpParameters)
Console.WriteLine($"Type: {item.Type}, Algo: {item.Algorithm}, Secret: {item.Secret.ToStringUtf8()}");
However, before using the Secret data (e.g., converting it into a QR code), you need to Base32 encode the data first.