The Android logo, released under public domain

Extract tokens from Microsoft Authenticator

Notes published the
Categories: android backup
Keywords: administrator android backup data recovery permissions

Microsoft Authenticator is a password manager from Microsoft; in particular, it supports multi-factor authentication.

It is used and recommended by various companies that use Windows and Office, so that employees can manage access to their accounts.

Compared to other similar programs, it has one particular limitation that I’ve stumbled upon.

It does not make it possible to access the TOTP[1] token.

While this surely prevents a possible attacker from stealing it, it also prevents the end user (me) from accessing it.

Why would I want to?

For example, because I am changing my phone, or resetting it. Or what if an update breaks the program and I want to reinstall an older version?

The first two use cases are covered by the "cloud backup option", but I am not using it for different reasons.

The main one is that the number of apps allowed to access the internet should be kept minimal, and a password manager contains too much sensitive information, so I configured the firewall on my device to deny Microsoft Authenticator access to it.

An online backup also requires managing an online account, with all its drawbacks (which, granted, one probably already has).

As the application does not need to connect to the internet, possible security vulnerabilities are harder to exploit, especially since I am only using the program to display the TOTP code and type it manually on my PC.

I am much more worried that a newer version might break something, and as there is no way to restore the previous functionality, I did not want to take any risk; thus Microsoft Authenticator is one of those apps I am not updating.

Possible workarounds

Obviously, the easiest solution is to use another password manager.

KeePassDX also supports TOTP, and also gives the possibility to access and export its contents.

But in my case, it was already too late.

By the time I had informed myself about what Microsoft Authenticator actually does, I had already configured it. Apparently, there is no simple (or official) way out.

Fortunately, I installed Microsoft Authenticator on an Android device where I have administrative privileges, so I can theoretically access anything.

In particular, I have more powerful backup capabilities; in fact, I had already used Neo Backup to clone the program from one phone to another, in order to have a fallback, just in case.

After some thinking, I decided to open the created backup and look around. As the backup works successfully, the token had to be there, somewhere.

Hopefully in plain text or another readable format, and not obfuscated.

Luckily for me, extracting it is easy (at least up to version 6.2208.5677). Run the following query against the SQLite database file found in the backup (the file path is shown as a placeholder here):

sqlite3 <database-file-from-backup> 'select username, oath_secret_key from accounts;'

The output will look something like you.mail@address|thesecrettoken.

Now copy the secret token and add it to your preferred password manager that supports TOTP.
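As an added example (not code from the original post), the following Python script performs the same extraction against a backup database and also lets you check the result before migrating: it computes the current TOTP code from the extracted secret, so you can compare it with what the app displays, and builds the otpauth:// URI that TOTP-capable password managers import. The table and column names (accounts, username, oath_secret_key) are the ones the post queries; the assumption that oath_secret_key holds the base32-encoded TOTP secret, the "Migrated" issuer label, and the sample database contents are all constructed for this example.

```python
import base64
import hashlib
import hmac
import sqlite3
import struct
import tempfile
import time
import urllib.parse

# Constructed sample rows standing in for a real backup; the first secret is the
# RFC 6238 test-vector key "12345678901234567890" in base32, so its codes can be
# checked against the RFC's published values.
SAMPLE_ROWS = [
    ("you.mail@address", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"),
    ("second.user@example.test", "JBSWY3DPEHPK3PXP"),
]


def extract_accounts(db_path):
    """Return (username, oath_secret_key) rows, the same query the post runs with sqlite3."""
    con = sqlite3.connect(db_path)
    try:
        return con.execute(
            "select username, oath_secret_key from accounts"
        ).fetchall()
    finally:
        con.close()


def totp_code(secret_b32, unix_time=None, digits=6, period=30):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret; padding in the secret is optional.

    Assumption: the stored key is the plain base32 TOTP secret, as used by other
    authenticator apps.
    """
    if unix_time is None:
        unix_time = int(time.time())
    secret = secret_b32.strip().replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)  # b32decode insists on full padding
    key = base64.b32decode(secret, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def otpauth_uri(username, secret_b32, issuer="Migrated"):
    """Build the otpauth:// URI format that TOTP-capable password managers import."""
    label = urllib.parse.quote(f"{issuer}:{username}", safe="")
    query = urllib.parse.urlencode({"secret": secret_b32, "issuer": issuer})
    return f"otpauth://totp/{label}?{query}"


def build_sample_db():
    """Create a constructed stand-in for the backup database with the post's schema."""
    tmp = tempfile.NamedTemporaryFile(suffix=".db", delete=False)
    tmp.close()
    con = sqlite3.connect(tmp.name)
    con.execute("create table accounts (username text, oath_secret_key text)")
    con.executemany("insert into accounts values (?, ?)", SAMPLE_ROWS)
    con.commit()
    con.close()
    return tmp.name


if __name__ == "__main__":
    # Replace build_sample_db() with the path of the database file taken from the backup.
    db_path = build_sample_db()
    for user, secret in extract_accounts(db_path):
        print(user, totp_code(secret), otpauth_uri(user, secret))
```

If the code printed for an account does not match what Microsoft Authenticator shows at the same moment, the stored value is not a plain base32 secret (or the device clocks differ), and the token should not be imported as-is.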

Note 📝
I’ve used DB Browser for SQLite (sqlitebrowser) to explore the databases interactively.

1. Time-based One-Time Passwords

Do you want to share your opinion? Or is there an error, some parts that are not clear enough?

You can contact me anytime.