Extract tokens from Microsoft Authenticator
Microsoft Authenticator is a password manager from Microsoft; in particular, it supports multi-factor authentication.
It is used or recommended by various companies that run Windows and Office, so that employees can manage access to their accounts.
Compared to other similar programs, it has one particular limitation that I’ve stumbled upon.
While this surely prevents a possible attacker from stealing the stored token, it also prevents the end user (me) from accessing it.
For example, when I change my phone or reset it. Or what if an update breaks the program and I want to reinstall an older version?
The first two use cases are covered by the "cloud backup option", but I am not using it for several reasons.
The main one is that the number of apps with internet access should be kept to a minimum, and a password manager holds too much sensitive information, so I configured the firewall on my device to deny Microsoft Authenticator network access.
Also, an online backup requires handling an online account, with all associated drawbacks.
As the application does not need to connect to the internet, possible security vulnerabilities are harder to exploit, especially since I only use the program to display the TOTP and type it manually on my PC.
I am much more worried that a newer version might break something, and as there is no way to restore the previous functionality, I did not want to take any risk; thus Microsoft Authenticator is one of those applications that I am not updating.
The easiest solution is to use another password manager.
But in my case, it was already too late.
By the time I informed myself about what Microsoft Authenticator actually does, I had already configured it. Apparently, there is no simple (or official) way out.
Fortunately, I installed Microsoft Authenticator on an Android device where I have administrative privileges, so I can theoretically access anything.
After some thinking, I decided to open the created backup and look around. As the backup worked, the token had to be in there somewhere.
Hopefully in plain text or another readable format, and not obfuscated.
Luckily for me, extracting it is easy (at least up to version 6.2208.5677):
sqlite3 com.azure.authenticator/databases/PhoneFactor 'select username, oath_secret_key from accounts;'
The output will look something like
Now copy the secret token and add it to your preferred password manager that supports TOTP.
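Before removing anything from the old device, it is worth checking that the extracted secret really produces the same code the app shows. The following is an added example, not part of the original post; it assumes that oath_secret_key holds the base32-encoded secret in the form used by otpauth:// URIs, which the post does not confirm, so compare the result against the app before relying on it.

```python
"""Sanity-check an exported TOTP secret by computing its current code (RFC 6238).

Added example, not from the original post. Assumption: `oath_secret_key` holds the
base32 secret as used in otpauth:// URIs (default SHA-1, 6 digits, 30 s step).
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def normalize_base32(secret: str) -> bytes:
    """Accept lowercase, spaces and missing '=' padding, as exported secrets often appear."""
    cleaned = secret.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore base32 padding
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: str, for_time: Optional[int] = None, step: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    now = int(time.time()) if for_time is None else for_time
    return hotp(normalize_base32(secret), now // step, digits, algorithm)


def seconds_remaining(for_time: Optional[int] = None, step: int = 30) -> int:
    """How long the current code stays valid; handy when comparing against the app by eye."""
    now = int(time.time()) if for_time is None else for_time
    return step - (now % step)


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 reference key ("12345678901234567890"), base32-encoded.
    # Replace it with the value from the oath_secret_key column of your own row.
    sample_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(f"{totp(sample_secret)} (valid for {seconds_remaining()} s)")
```

If the printed code matches what Microsoft Authenticator displays for the same account at the same moment, the secret was exported intact and can be imported elsewhere.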
I’ve used DB Browser for SQLite (sqlitebrowser) for exploring the databases interactively.
Do you want to share your opinion? Or is there an error, some parts that are not clear enough?
You can contact me anytime.