Skip to content

Google Authenticator: A Deep Dive into Exported Data

Processing Data from a QR Code Exported by Google Authenticator.

Published: at 06:56 PM

省流: "The QR code contains data that has been serialized using Protocol Buffers and then encoded in Base64. By using the Proto definitions published in the otp_export repository, the data in the QR code can be deserialized."

As one of the oldest two-factor authentication (2FA) apps available, Google Authenticator has been around for over 10 years as of 2024. Over the years, Google has finally added the functionality to export and sync accounts with Google accounts to this app.

However, Google Authenticator’s export feature can only be used within the app itself. If, unfortunately, you want to transfer to a 2FA app that doesn’t support importing from Google Authenticator, the tedious process of logging into each account with 2FA enabled and re-adding the authenticator seems to be one of the two options. The other option is to switch to a new authenticator.

If you are developing a 2FA app that needs to be compatible with users coming from Google Authenticator, or you simply want to migrate to a new authenticator, extracting the data from the QR code exported by Google Authenticator is the core topic of this post.

QR Code Analysis

Following the steps below, we can obtain the migration QR code from Google Authenticator:

  • Top-left menu
  • Transfer accounts
  • Export accounts
  • Select the accounts you want to export and proceed

When you scan the QR code, you'll get a result similar to the one below:

otpauth-migration://offline?data=Ci8KCke7Wn1dzBf7B4QSG3RvdHBAYXV0aGVudGljYXRpb250ZXN0LmNvbSABKAEwAgoqChTjrWUfiCuBHIAj%2Br0YbS8oSrOLqBIMdGVzdC1hY2NvdW50IAEoATACEAEYASAAKNyAq4%2F4%2F%2F%2F%2F%2FwE%3D

This is a neatly structured URL scheme, and it's quick to spot the parameter called data. The string that follows is the data we need to process.

A Base64 Encoded String

Ci8KCke7Wn1dzBf7B4QSG3RvdHBAYXV0aGVudGljYXRpb250ZXN0LmNvbSABKAEwAgoqChTjrWUfiCuBHIAj%2Br0YbS8oSrOLqBIMdGVzdC1hY2NvdW50IAEoATACEAEYASAAKNyAq4%2F4%2F%2F%2F%2F%2FwE%3D

This is a Base64 encoded string, but before decoding it back into the original data, it needs to be decoded.

Open the Console in your browser and use the JavaScript function decodeURIComponent to get a new, decoded Base64 string.

Ci8KCke7Wn1dzBf7B4QSG3RvdHBAYXV0aGVudGljYXRpb250ZXN0LmNvbSABKAEwAgoqChTjrWUfiCuBHIAj+r0YbS8oSrOLqBIMdGVzdC1hY2NvdW50IAEoATACEAEYASAAKNyAq4/4/////wE=

Next, search Google using terms like "Base64 to bin" or "Base64 to file." The goal is to decode this Base64 string and save the result as a file. However, if the language or environment you’re using provides a convenient Base64 decoding function, you can skip this step.

I used Base64 Guru to decode the Base64 string directly and download it as a file.

In hexadecimal, the file should look like this:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  0A 2F 0A 0A 47 BB 5A 7D 5D CC 17 FB 07 84 12 1B  ./..G»Z}]Ì.û.„..
00000010  74 6F 74 70 40 61 75 74 68 65 6E 74 69 63 61 74  totp@authenticat
00000020  69 6F 6E 74 65 73 74 2E 63 6F 6D 20 01 28 01 30  iontest.com .(.0
00000030  02 0A 2A 0A 14 E3 AD 65 1F 88 2B 81 1C 80 23 FA  ..*..ã.e.ˆ+..€#ú
00000040  BD 18 6D 2F 28 4A B3 8B A8 12 0C 74 65 73 74 2D  ½.m/(J³‹¨..test-
00000050  61 63 63 6F 75 6E 74 20 01 28 01 30 02 10 01 18  account .(.0....
00000060  01 20 00 28 DC 80 AB 8F F8 FF FF FF FF 01        . .(Ü€«.øÿÿÿÿ.

This file is encoded using Google’s Protocol Buffers.

Deserializing Protocol Buffers

A user named Chris van Marle uploaded a data structure definition for Google Authenticator export data on GitHub called OtpMigration.proto. The Proto file below should be saved locally.

// Unofficial protobuf definition of Google Authenticator Migration exports
// Based on Google Authenticator 5.10
// Chris van Marle 04-06-2020

syntax = "proto2";

message MigrationPayload {
 repeated OtpParameters otp_parameters = 1;

 optional int32 version = 2;

 optional int32 batch_size = 3;

 optional int32 batch_index = 4;

 optional int32 batch_id = 5;
}

message OtpParameters {
 optional bytes secret = 1;

 optional string name = 2;

 optional string issuer = 3;

 optional Algorithm algorithm = 4;

 optional DigitCount digits = 5;

 optional OtpType type = 6;

 optional int64 counter = 7;
}

enum Algorithm {
 ALGORITHM_TYPE_UNSPECIFIED = 0;
 SHA1 = 1;
 SHA256 = 2;
 SHA512 = 3;
 MD5 = 4;
}

enum DigitCount {
 DIGIT_COUNT_UNSPECIFIED = 0;
 SIX = 1;
 EIGHT = 2;
}

enum OtpType {
 OTP_TYPE_UNSPECIFIED = 0;
 HOTP = 1;
 TOTP = 2;
}

If you're familiar with Protocol Buffers, you can skip the following content.

To use Protocol Buffers in a specific language, you need to install the protoc compiler to generate the serialization and deserialization code files for that language. On macOS, if you have Homebrew, you can install it via brew install protobuf. On Windows, you can download the binary files from Protocol Buffers’ GitHub Release and add them to your system environment variables. After installation, you should be able to see the following output when running the protoc command in the Terminal.

Parse PROTO_FILES and generate output based on the options given:
  -IPATH, --proto_path=PATH   Specify the directory in which to search for
                              imports.  May be specified multiple times;
                              directories will be searched in order.  If not
                              given, the current working directory is used.
                              If not found in any of the these directories,
                              the --descriptor_set_in descriptors will be
                              checked for required proto file.
  --version                   Show version info and exit.
  -h, --help                  Show this text and exit.
  --encode=MESSAGE_TYPE       Read a text-format message of the given type
                              from standard input and write it in binary
                              to standard output.  The message type must
                              be defined in PROTO_FILES or their imports.
  --deterministic_output      When using --encode, ensure map fields are
                              deterministically ordered. Note that this order
                              is not canonical, and changes across builds or
                              releases of protoc.
  --decode=MESSAGE_TYPE       Read a binary message of the given type from
                              standard input and write it in text format
                              to standard output.  The message type must
                              be defined in PROTO_FILES or their imports.
  --decode_raw                Read an arbitrary protocol message from
                              standard input and write the raw tag/value
                              pairs in text format to standard output.  No
                              PROTO_FILES should be given when using this
                              flag.
  --descriptor_set_in=FILES   Specifies a delimited list of FILES
                              each containing a FileDescriptorSet (a
                              protocol buffer defined in descriptor.proto).
                              The FileDescriptor for each of the PROTO_FILES
                              provided will be loaded from these
                              FileDescriptorSets. If a FileDescriptor
                              appears multiple times, the first occurrence
                              will be used.
  -oFILE,                     Writes a FileDescriptorSet (a protocol buffer,
    --descriptor_set_out=FILE defined in descriptor.proto) containing all of
                              the input files to FILE.
  --include_imports           When using --descriptor_set_out, also include
                              all dependencies of the input files in the
                              set, so that the set is self-contained.
  --include_source_info       When using --descriptor_set_out, do not strip
                              SourceCodeInfo from the FileDescriptorProto.
                              This results in vastly larger descriptors that
                              include information about the original
                              location of each decl in the source file as
                              well as surrounding comments.
  --retain_options            When using --descriptor_set_out, do not strip
                              any options from the FileDescriptorProto.
                              This results in potentially larger descriptors
                              that include information about options that were
                              only meant to be useful during compilation.
  --dependency_out=FILE       Write a dependency output file in the format
                              expected by make. This writes the transitive
                              set of input file paths to FILE
  --error_format=FORMAT       Set the format in which to print errors.
                              FORMAT may be 'gcc' (the default) or 'msvs'
                              (Microsoft Visual Studio format).
  --fatal_warnings            Make warnings be fatal (similar to -Werr in
                              gcc). This flag will make protoc return
                              with a non-zero exit code if any warnings
                              are generated.
  --print_free_field_numbers  Print the free field numbers of the messages
                              defined in the given proto files. Extension ranges
                              are counted as occupied fields numbers.
  --enable_codegen_trace      Enables tracing which parts of protoc are
                              responsible for what codegen output. Not supported
                              by all backends or on all platforms.
  --plugin=EXECUTABLE         Specifies a plugin executable to use.
                              Normally, protoc searches the PATH for
                              plugins, but you may specify additional
                              executables not in the path using this flag.
                              Additionally, EXECUTABLE may be of the form
                              NAME=PATH, in which case the given plugin name
                              is mapped to the given executable even if
                              the executable's own name differs.
  --cpp_out=OUT_DIR           Generate C++ header and source.
  --csharp_out=OUT_DIR        Generate C# source file.
  --java_out=OUT_DIR          Generate Java source file.
  --kotlin_out=OUT_DIR        Generate Kotlin file.
  --objc_out=OUT_DIR          Generate Objective-C header and source.
  --php_out=OUT_DIR           Generate PHP source file.
  --pyi_out=OUT_DIR           Generate python pyi stub.
  --python_out=OUT_DIR        Generate Python source file.
  --ruby_out=OUT_DIR          Generate Ruby source file.
  --rust_out=OUT_DIR          Generate Rust sources.
  @<filename>                 Read options and filenames from file. If a
                              relative file path is specified, the file
                              will be searched in the working directory.
                              The --proto_path option will not affect how
                              this argument file is searched. Content of
                              the file will be expanded in the position of
                              @<filename> as in the argument list. Note
                              that shell expansion is not applied to the
                              content of the file (i.e., you cannot use
                              quotes, wildcards, escapes, commands, etc.).
                              Each line corresponds to a single argument,
                              even if it contains spaces.

Finally, you can access the Proto file through a specific language.

A Simple Example

Using C# as an example, copy the above Proto file into your current project and use protoc to compile it into the corresponding language’s code file.

protoc --csharp_out=. .\OtpMigration.proto

Once the command is executed, a C# file OtpMigration.cs will be generated in your project, allowing you to deserialize the data using the members of the MigrationPayload class.

using var input = File.OpenRead("C:\\Users\\xyfbs\\source\\repos\\GMigration\\payload.bin");
var payload = MigrationPayload.Parser.ParseFrom(input);

foreach (var item in payload.OtpParameters)
    Console.WriteLine($"Type: {item.Type}, Algo: {item.Algorithm}, Secret: {item.Secret.ToStringUtf8()}");

However, before using the Secret data (e.g., converting it into a QR code), you need to Base32 encode the data first.

作者:
Jimmy
关键词:
Tech, Google Authenticator QR Code, Protocol Buffers, C#

其他语言

  • 浅谈 Google Authenticator 的数据导出 QR Code

    Published: at 10:38 PM

    Google Authenticator 导出 QR Code 后的处理