The Android logo, released under public domain

Extract tokens from Microsoft Authenticator

Notes published the
2 minutes to read, 492 words
Categories: android backup
Keywords: administrator android backup data recovery permissions

Microsoft Authenticator is a password manager from Microsoft, in particular, it supports multi-factor authentication.

It is used/recommended by different companies that use Windows and Office for the employees to manage access to their accounts.

Compared to other similar programs, it has one particular limitation that I’ve stumbled upon.

It does not make it possible to access the TOTP[1] token.

While it surely prevents a possible attacker from stealing it, it also prevents the end user (me) from accessing it.

Why would I want to?

For example, because I am changing my phone, or resetting it. Or what if an update breaks the program and I want to reinstall an older version?

The first two use cases are covered by the "cloud backup option", but I am not using it for different reasons.

The main one is that the number of apps that should access the internet should be minimal, and a password manager contains too much sensitive information, so I configured the firewall on my device to deny Microsoft Authenticator access to the network.

Also, an online backup requires handling an online account, with all associated drawbacks.

As the application does not need to connect to the internet, possible security vulnerabilities are harder to exploit, in particular as I am just using the program for displaying the TOTP and writing it manually on my PC.

I am much more worried that a newer version might break something, and as there is no way to restore the previous functionality, I did not want to take any risk, and thus Microsoft Authenticator was one of those applications that I was not updating.

Possible workarounds

The easiest solution is to use another password manager.

KeePassDX (the KeePassXC port for Android) also supports TOTP, and also gives the possibility to access and export its contents.

But in my case, it was already too late.

By the time I informed myself about what Microsoft Authenticator does, I had already configured it. Apparently, there is no simple (or official) way out.

Fortunately, I installed Microsoft Authenticator on an Android device where I have administrative privileges, so I can theoretically access anything.

In particular, I have more powerful backup capabilities, in fact, I already used Neo Backup for cloning the program from one phone to another, in order to have a fallback, just in case.

After some thinking, I decided to open the created backup and look around. As the backup works successfully, the token had to be there, somewhere.

Hopefully in plain text or otherwise readable format, and not obfuscated.

Lucky me extracting it is easy (at least until version 6.2208.5677)

sqlite3 'select username, oath_secret_key from accounts;'

The output will look something like your.mail@address|thesecrettoken.

Now copy the secret token and add it to your preferred password manager that supports TOTP.

Note 📝
I’ve used DB Browser for SQLite (sqlitebrowser) for exploring interactively the databases.

1. Time-based One-Time Passwords

Do you want to share your opinion? Or is there an error, some parts that are not clear enough?

You can contact me anytime.