cd /news/cybersecurity/exporting-microsoft-authenticator-to… · home topics cybersecurity article
[ARTICLE · art-10594] src=gist.github.com ↗ pub= topic=cybersecurity verified=true sentiment=· neutral

Exporting Microsoft Authenticator TOTP secrets

The article explains that Microsoft Authenticator uses a proprietary scheme called phonefactor for Office 365 TOTP 2FA, preventing the use of standard TOTP apps. However, after registration, the app generates codes using regular otpauth, and the secrets can be extracted from a rooted Android device's SQLite database at `/data/data/com.azure.authenticator/databases/PhoneFactor`. The extracted 32-character `oath_secret_key` can then be imported into any standard TOTP application.

read1 min views20 publishedFeb 21, 2023

Workplaces may enforce TOTP 2FA to be enabled Office 365 accounts, which require the Microsoft Authenticator app to be installed.

Regular TOTP applications (such as Aegis, Authy, or LastPass) cannot be used as Microsoft uses a proprietary scheme called phonefactor. Furthermore, the application requires Google Services Framework (GSF) to be installed (likely to provide device notifications), and will refuse to work when it is not present on the device.

Forunately, after the registration is complete, the underlying mechanism the app uses to generate TOTP codes is regular otpauth, and its secrets can be exported with a little bit of effort.

  1. To extract the keys, a complete registration must first be done with a rooted Android device. I used a virtual Android device created with Android Studio's Device Manager.

  2. Once complete, an SQLite database storing the keys can be found on the device at:

    /data/data/com.azure.authenticator/databases/PhoneFactor

    (accessing the /data partition is what requires root)

  3. ADB can then be used to connect to the device/emulator, using its bundled sqlite3 tool to view the database:

    $ adb root  # Ensure we run as the root user 
    $ adb shell  # Launch a shell as the root user 
    emu64xa:/ # whoami
    root 
    emu64xa:/ # sqlite3 /data/data/com.azure.authenticator/databases/PhoneFactor  # Connect to the database file
    sqlite> SELECT name, username, oath_secret_key from accounts;
    GitHub|Chowder@github.com|w0swofa8wl02vqml0pkbzphvp54zyx5x
    

    The 32-length string in the oath_secret_key column can then be imported into any TOTP application.

── more in #cybersecurity 4 stories · sorted by recency
── more on @microsoft authenticator 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/exporting-microsoft-…] indexed:0 read:1min 2023-02-21 ·