Sunday, September 6, 2020

Google Authenticator export format

A recent update of the Google Authenticator app on Android brought an export/import feature. This enables users to move their 2FA accounts (the seeds from which the codes are generated) to a new device.

The format of the export does not seem to be publicly documented (yet?). I believe that this export function is quite interesting and would like to see innovative solutions for backup or interoperability between devices. It would also be in the general public's interest if there were a single import/export format for 2FA seeds, and this one looks promising to me.

This blog post contains my interpretation of the export data. I hope this enables other developers to come up with new cool solutions that use the exported secrets.

A Python implementation is available in my GitHub repo.

** NOTE THAT THE EXPORTED DATA CONTAINS THE 2FA SEEDS: ANYONE WHO OBTAINS THEM CAN GENERATE YOUR CODES. TREAT THEM AS SECRETS! **

An interesting blog about the update was published at Ctrl blog.

Encapsulation

The layers of data in the export are, from the outside in:

- an otpauth-migration://offline?data=<DATA VALUE> URI
- URL encoding of the data value
- Base64
- a Protocol Buffers message (MigrationPayload, described below)

Protocol Buffers

A reconstructed definition of the protobuf file is included in the repo.

Bash example

With some regular bash tools and protoc you can extract the data like this (--decode_raw prints bare field numbers; with the reconstructed OtpMigration.proto from the repo in the current directory you get the field names instead):

$ function urldecode() { : "${*//+/ }"; echo -e "${_//%/\\x}"; }
$ urldecode '<DATA VALUE>' | base64 -d | protoc --decode_raw
$ urldecode '<DATA VALUE>' | base64 -d | protoc --decode=MigrationPayload OtpMigration.proto

Keep in mind that pasting the data value on the command line leaves the secrets in your shell history.

Format description

See OtpMigration.proto.

MigrationPayload

message

ID  Name            Type
1   otp_parameters  OtpParameters (repeated, one entry per account)
2   version         int32
3   batch_size      int32
4   batch_index     int32
5   batch_id        int32

A large export is split over several payloads: batch_size is the number of payloads, batch_index the position of this one, and batch_id is shared by all payloads of one export.

OtpParameters

message

ID  Name       Type
1   secret     bytes (the raw key; Base32-encode it for an otpauth:// URI)
2   name       string
3   issuer     string
4   algorithm  Algorithm
5   digits     DigitCount
6   type       OtpType
7   counter    int64 (only meaningful for HOTP)

Algorithm

enum

Value  Name
0      ALGORITHM_TYPE_UNSPECIFIED
1      SHA1
2      SHA256
3      SHA512
4      MD5

DigitCount

enum

Value  Name
0      DIGIT_COUNT_UNSPECIFIED
1      SIX
2      EIGHT

OtpType

enum

Value  Name
0      OTP_TYPE_UNSPECIFIED
1      HOTP
2      TOTP
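Putting the encapsulation and the format description together, here is a worked example of the whole decode path in Python. It is written for this post and is not the code from my repo: it walks the protobuf wire format by hand (so it runs without the protobuf package), maps the enums from the tables above, turns each entry into a standard otpauth:// URI with a Base32 secret, and computes an RFC 4226 code from the raw secret to show that the bytes really are the key. Because real export data must not be pasted into a blog, the payload it decodes is constructed by a small encoder in the same file; the function names (parse_migration_uri, build_migration_uri, to_otpauth_uri, hotp) and the demo entries, which use the RFC 4226 test-vector key, are mine, not part of the app or the proto.

```python
"""Decode a Google Authenticator export URI without the protobuf library:
URL-decode the data parameter, Base64-decode it, then walk the protobuf
wire format by hand using the field numbers from OtpMigration.proto."""
import base64
import hashlib
import hmac
import struct
import urllib.parse

# Enum values from OtpMigration.proto (0 = unspecified) and their inverses.
ALGORITHMS = {0: "UNSPECIFIED", 1: "SHA1", 2: "SHA256", 3: "SHA512", 4: "MD5"}
DIGITS = {0: 0, 1: 6, 2: 8}
OTP_TYPES = {0: "unspecified", 1: "hotp", 2: "totp"}
ALG_IDS, DIGIT_IDS, TYPE_IDS = ({v: k for k, v in m.items()} for m in (ALGORITHMS, DIGITS, OTP_TYPES))

def _read_varint(buf, pos):
    """Decode a base-128 varint at pos; return (value, position after it)."""
    value = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def _parse_fields(buf):
    """Yield (field_number, value) for each field. This format only uses
    wire type 0 (varint -> int) and wire type 2 (length-delimited -> bytes)."""
    pos = 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        field, wire_type = tag >> 3, tag & 0x07
        if wire_type == 0:
            value, pos = _read_varint(buf, pos)
        elif wire_type == 2:
            length, pos = _read_varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
        else:
            raise ValueError(f"unexpected wire type {wire_type} in field {field}")
        yield field, value

def _parse_otp_parameters(buf):
    """OtpParameters message: fields 1..7 of OtpMigration.proto."""
    p = {"secret": b"", "name": "", "issuer": "", "algorithm": "UNSPECIFIED",
         "digits": 0, "type": "unspecified", "counter": 0}
    for field, value in _parse_fields(buf):
        if field == 1:
            p["secret"] = value                      # raw key bytes, NOT Base32 text
        elif field in (2, 3):
            p["name" if field == 2 else "issuer"] = value.decode()
        elif field == 4:
            p["algorithm"] = ALGORITHMS.get(value, f"UNKNOWN({value})")
        elif field == 5:
            p["digits"] = DIGITS.get(value, value)
        elif field == 6:
            p["type"] = OTP_TYPES.get(value, f"unknown({value})")
        elif field == 7:
            p["counter"] = value
    return p

def parse_migration_uri(uri):
    """Parse otpauth-migration://offline?data=... into a MigrationPayload dict."""
    parts = urllib.parse.urlsplit(uri)
    if parts.scheme != "otpauth-migration":
        raise ValueError("not an otpauth-migration URI")
    data = urllib.parse.parse_qs(parts.query)["data"][0]   # parse_qs URL-decodes
    raw = base64.b64decode(data + "=" * (-len(data) % 4))  # tolerate stripped padding
    payload = {"otp_parameters": [], "version": 0, "batch_size": 0, "batch_index": 0, "batch_id": 0}
    scalar = {2: "version", 3: "batch_size", 4: "batch_index", 5: "batch_id"}
    for field, value in _parse_fields(raw):
        if field == 1:
            payload["otp_parameters"].append(_parse_otp_parameters(value))
        elif field in scalar:
            payload[scalar[field]] = value
    return payload

def to_otpauth_uri(p):
    """Render one entry as a standard otpauth:// URI (Base32 secret, as other apps expect)."""
    label = f"{p['issuer']}:{p['name']}" if p["issuer"] else p["name"]
    query = {"secret": base64.b32encode(p["secret"]).decode().rstrip("="),
             "algorithm": p["algorithm"], "digits": p["digits"]}
    if p["issuer"]:
        query["issuer"] = p["issuer"]
    if p["type"] == "hotp":
        query["counter"] = p["counter"]
    return f"otpauth://{p['type']}/{urllib.parse.quote(label, safe=':@')}?{urllib.parse.urlencode(query)}"

def hotp(secret, counter, algorithm="SHA1", digits=6):
    """RFC 4226 HOTP from the raw secret; TOTP is HOTP with counter = unix_time // 30."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# --- Encoder, only so the demo has a payload to decode offline -------------------------
def _write_varint(n):
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(out + bytes([n]))

def _field(number, value):
    """ints go as varints (wire type 0), bytes as length-delimited (wire type 2)."""
    if isinstance(value, int):
        return _write_varint(number << 3) + _write_varint(value)
    return _write_varint(number << 3 | 2) + _write_varint(len(value)) + value

def build_migration_uri(entries, version=1, batch_size=1, batch_index=0, batch_id=0):
    """Encode a MigrationPayload with the field numbers from the tables (constructed test data)."""
    body = b"".join(_field(1, b"".join([
        _field(1, e["secret"]), _field(2, e["name"].encode()), _field(3, e["issuer"].encode()),
        _field(4, ALG_IDS[e["algorithm"]]), _field(5, DIGIT_IDS[e["digits"]]),
        _field(6, TYPE_IDS[e["type"]]), _field(7, e["counter"])])) for e in entries)
    body += _field(2, version) + _field(3, batch_size) + _field(4, batch_index) + _field(5, batch_id)
    return "otpauth-migration://offline?data=" + urllib.parse.quote(base64.b64encode(body).decode(), safe="")

# Constructed demo entries using the RFC 4226 test-vector key; not real account data.
DEMO_ENTRIES = [
    {"secret": b"12345678901234567890", "name": "alice@example.com", "issuer": "Example",
     "algorithm": "SHA1", "digits": 6, "type": "totp", "counter": 0},
    {"secret": b"12345678901234567890", "name": "bob", "issuer": "Example",
     "algorithm": "SHA1", "digits": 6, "type": "hotp", "counter": 1},
]
DEMO_URI = build_migration_uri(DEMO_ENTRIES)

if __name__ == "__main__":
    payload = parse_migration_uri(DEMO_URI)
    print(f"version {payload['version']}, batch {payload['batch_index'] + 1} of {payload['batch_size']}")
    for entry in payload["otp_parameters"]:
        print(to_otpauth_uri(entry))
```

To use it on a real export, pass the scanned otpauth-migration:// URI to parse_migration_uri instead of DEMO_URI. Two things worth noting: the secret field is raw key bytes, so it has to be Base32-encoded before it goes into an otpauth:// URI (and hmac takes the raw bytes directly), and a multi-payload export has to be collected batch by batch before all accounts are present.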