How To Read The TOTP Secret Key from a QR Code Image
- Adam Douglas
Many services today implement two-factor authentication (2FA) or multi-factor authentication (MFA) to improve account security. Unfortunately, setting up 2FA or MFA on a specific service can be frustrating for the end user because of how it was implemented. In particular, I’ve come across various services that try to make enabling 2FA/MFA easier through the use of a quick response (QR) code but don’t provide a means to display the time-based one-time password (TOTP) secret key. The only way to get the TOTP secret key is by scanning the QR code itself, which is not always possible.
In the instructions below I will demonstrate how to obtain the TOTP secret key from a QR code image with the use of a web browser and the Linux terminal.
The following was used to test these instructions.
- Arch Linux x86_64
- Pacman v6.0.1
- Mozilla Firefox v94.0.1
- ZBar v0.23.1
Before we can begin, the ZBar suite must be installed.
On Arch Linux:
$ sudo pacman -Sy zbar
On Debian-based distributions:
$ sudo apt-get install zbar-tools
Never share a time-based one-time password (TOTP) secret key with anyone. The TOTP secret key shown below is for demonstration purposes only.
- Log in to the desired service via the web browser.
- Start the process to enable 2FA/MFA.
- Right-click the QR code image and click on “Save Image As…”.
- Save the QR code image as “qrcode.png” and click the “Save” button.
- Open the terminal.
- Read the QR code using “zbarimg”.
$ zbarimg ~/Downloads/qrcode.png
QR-Code:otpauth://totp/Etsy%3Amwypeh0x?image=https%3A%2F%2Fwww.etsy.com%2Fimages%2Ffavicon.ico&issuer=Etsy&secret=23456789ABCDEFGHJKLMNPQRSTUVWXYZ
scanned 1 barcode symbols from 1 images in 0.01 seconds

    . EAN/UPC (EAN-13, EAN-8, EAN-2, EAN-5, UPC-A, UPC-E, ISBN-10, ISBN-13)
    . DataBar, DataBar Expanded
    . Code 128
    . Code 93
    . Code 39
    . Codabar
    . Interleaved 2 of 5
    . QR code
    . SQ code
  - is the barcode large enough in the image?
  - is the barcode mostly in focus?
  - is there sufficient contrast/illumination?
  - If the symbol is split in several barcodes, are they combined in one image?
  - Did you enable the barcode type?
    some EAN/UPC codes are disabled by default. To enable all, use:
    $ zbarimg -S*.enable <files>
    Please also notice that some variants take precedence over others.
    Due to that, if you want, for example, ISBN-10, you should do:
    $ zbarimg -Sisbn10.enable <files>
- From the “zbarimg” output above, copy the TOTP secret key that is located after “secret=”.
In the example output you would copy the following value.
23456789ABCDEFGHJKLMNPQRSTUVWXYZ
- Paste the value into a desired password manager/authenticator application (e.g. KeePassXC).
- Delete “qrcode.png” to ensure no one can retrieve your TOTP secret key.
$ rm ~/Downloads/qrcode.png
I’m publishing this as part of 100 Days To Offload. You can join in yourself by visiting 100DaysToOffload.com.
Changelog - modified
- Fix link to use https