Extract tokens from Microsoft Authenticator
Microsoft Authenticator is a password manager from Microsoft; in particular, it supports multi-factor authentication.
It is used or recommended by many companies that run Windows and Office, so that employees can manage access to their accounts.
Compared to other similar programs, it has one particular limitation that I stumbled upon: the stored secrets (the TOTP seeds) cannot be taken out of the app.
While this surely prevents a possible attacker from stealing them, it also prevents the end user (me) from accessing them.
For example, because I am changing my phone or resetting it. Or what if an update breaks the program and I want to reinstall an older version?
The first two use cases are covered by the "cloud backup" option, but I am not using it, for several reasons.
The main one is that the number of apps allowed to access the internet should be minimal, and a password manager contains too much sensitive information, so I configured the firewall on my device to deny Microsoft Authenticator any network access.
Also, an online backup requires handling an online account, with all its drawbacks (which, granted, one probably already has).
Since the application does not need to connect to the internet, possible security vulnerabilities are harder to exploit, particularly as I only use the program to display the TOTP and type it manually on my PC.
I am much more worried that a newer version might break something, and as there is no way to restore the previous functionality, I did not want to take any risk; thus Microsoft Authenticator is one of those apps I am not updating.
Obviously, the easiest solution is to use another password manager.
But in my case, it was already too late.
By the time I had informed myself about what Microsoft Authenticator actually does, I had already configured it. Apparently, there is no simple (or official) way out.
Fortunately, I installed Microsoft Authenticator on an Android device where I have administrative (root) privileges, so in theory I can access anything on it.
After some thinking, I decided to open the backup I had created and look around. Since the backup restores successfully, the token had to be in there, somewhere.
Hopefully in plain text or some other readable format, and not obfuscated.
Luckily, extracting it is easy (at least up to version 6.2208.5677). The database lives in the app's private data directory, so root access (or a full backup) is needed to read it:
sqlite3 com.azure.authenticator/databases/PhoneFactor 'select username, oath_secret_key from accounts;'
The output will look something like
Now copy the secret and add it to your preferred password manager that supports TOTP. Before removing the account from Microsoft Authenticator, check that the new app produces the same six-digit code at the same moment; if it does not, the secret was copied incorrectly.
Note: I used DB Browser for SQLite (sqlitebrowser) to explore the databases interactively.
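The check above can be scripted. The following is an added example, not code from the post or from Microsoft: it runs the same query as the sqlite3 command against the PhoneFactor database, derives the current TOTP code from each oath_secret_key with RFC 6238 (HMAC-SHA1, 30-second period, 6 digits), and builds an otpauth:// URI that most TOTP apps can import. It assumes the column holds the secret base32-encoded, as TOTP apps normally do; the period, digest and digit count are the RFC defaults, and the sample database, its account name and its secret (the RFC 6238 test-vector key) are constructed here for demonstration. If the code the script prints matches what Microsoft Authenticator shows, the secret was extracted correctly.

```python
import base64
import hashlib
import hmac
import sqlite3
import struct
import sys
import time
import urllib.parse

# Constructed sample: the RFC 6238 test-vector key "12345678901234567890"
# base32-encoded. Not a real account secret.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, now=None, period=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) from a base32-encoded secret.

    Assumes the secret is base32 (possibly unpadded or lowercase), the usual
    encoding for TOTP seeds; period/digits are the RFC defaults.
    """
    if now is None:
        now = int(time.time())
    clean = secret_b32.strip().replace(" ", "").upper()
    key = base64.b32decode(clean + "=" * (-len(clean) % 8))
    counter = struct.pack(">Q", now // period)          # T = floor(time / X)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                          # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def otpauth_uri(username, secret_b32, issuer="migrated"):
    """Key URI (otpauth://totp/...) accepted by most TOTP apps for import.

    The issuer label is an assumption; set it to whatever the target app expects.
    """
    label = urllib.parse.quote(f"{issuer}:{username}")
    query = urllib.parse.urlencode({"secret": secret_b32, "issuer": issuer})
    return f"otpauth://totp/{label}?{query}"


def read_accounts(con):
    """Same query the post runs with the sqlite3 CLI, via the Python module."""
    return con.execute("select username, oath_secret_key from accounts").fetchall()


def build_sample_db():
    """In-memory stand-in for the PhoneFactor database (constructed sample)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table accounts (username text, oath_secret_key text)")
    con.execute("insert into accounts values (?, ?)",
                ("alice@example.com", RFC_TEST_SECRET))
    con.commit()
    return con


def migrate(con, now=None):
    """Return (username, current TOTP code, otpauth URI) for every account."""
    return [(user, totp(secret, now), otpauth_uri(user, secret))
            for user, secret in read_accounts(con)]


if __name__ == "__main__":
    # Usage: python migrate_totp.py /path/to/PhoneFactor   (or no argument for the sample)
    con = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    for username, code, uri in migrate(con):
        print(f"{username}: current code {code}")
        print(f"  {uri}")
```

Run it against a copy of the database pulled from the device; the printed code should equal the one the app shows for the same account within the same 30-second window. Treat the script output like the secret itself: the otpauth URI contains the seed, so do not leave it in shell history or logs.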
Do you want to share your opinion? Or is there an error, or some part that is not clear enough?
You can contact me here.