importing from third party apps #8

Open
FireCubeStudios opened this issue Aug 30, 2022 · 20 comments
Labels
enhancement New feature or request good first issue Good for newcomers hacktoberfest help wanted Extra attention is needed

Comments

@FireCubeStudios
Owner

Basically Protecc should support importing from as many other apps as possible. I don't know how to get started on this so suggestions are welcome.

@FireCubeStudios FireCubeStudios added enhancement New feature or request good first issue Good for newcomers labels Aug 30, 2022
@peternrdstrm

You'd basically need to parse JSON files as far as I understand, that's the format most authenticator apps export to.
The twist is that some of them might be encrypted, so you probably need to deal with that too. Other than that, it should be easy to implement this feature.

@FireCubeStudios FireCubeStudios added the help wanted Extra attention is needed label Sep 4, 2022
@FireCubeStudios FireCubeStudios self-assigned this Sep 4, 2022
@FireCubeStudios
Owner Author

Since I am not familiar with the export types of other auth apps can people post an example of the file contents, file type and from which app the export is from so I can take a look

@DmitryGolubenkov
Contributor

I researched some formats in Android applications that are installed on my phone.

Google Authenticator

Google Authenticator provides a QR code that can be used to export accounts. The QR code is limited to 10 accounts, so when the user tries to export more than 10, the application generates more QR codes.
Its contents are encoded in base64, as far as I can tell. I didn't spend much time while researching, so I can be wrong. Relevant links:

otpauth-migration://offline?data=SOME_LONG_ENCODED_STRING

Authenticator Pro

Open source android client written in C#.
Provides several ways to export content.

First way

For individual items it shows a QR code that contains

otpauth://totp/NAME_WRITTEN_BY_USER%3AUSERNAME?secret=SOME_SECRET&issuer=NAME_OF_APPLICATION_OR_WEBSITE_WHO_ISSUED

%3A is : but it is still shown as its code.
By clicking the Show URI button it shows the string above to the user.
By the way, I tried to use the QR to export one of the codes to Protecc and couldn't do it.
The issue is that Protecc requires QR to contain only the secret string and can't parse it.

Second way

Export to native application format. It contains custom app icons and is encrypted. I don't think Protecc should support it as there are other ways to export from this app.

Third way

Export to HTML.
HTML contains a table:
Issuer | Username | OTP Auth URI | QR Code
OTP Auth URI contains the same structure as is described in first way.
I don't think Protecc should support it as this format is more for users than for parsing.

Fourth way

Export to txt. This format can be easily parsed.
Format:

otpauth://totp/NAME_WRITTEN_BY_USER%3AUSERNAME?secret=SOME_SECRET&issuer=NAME_OF_APPLICATION_OR_WEBSITE_WHO_ISSUED
otpauth://totp/NAME_WRITTEN_BY_USER%3AUSERNAME?secret=SOME_SECRET&issuer=NAME_OF_APPLICATION_OR_WEBSITE_WHO_ISSUED
otpauth://totp/NAME_WRITTEN_BY_USER%3AUSERNAME?secret=SOME_SECRET&issuer=NAME_OF_APPLICATION_OR_WEBSITE_WHO_ISSUED

The same format as in first way but all the codes and secrets are separated by new line. So it can be used for batch import.

Microsoft Authenticator

I think it encrypts exported file with some key that is composed of English dictionary words. I couldn't create a sample because the app broke on export.

@FireCubeStudios
Owner Author

It looks like both Google and Authenticator Pro support keyuri and if I implement issue Keyuri support it should work for those. For Microsoft Authenticator do they have a QR code export option or is it just file?

@DmitryGolubenkov
Contributor

I think that most authenticator apps will support keyuri, and a utility function to parse them to Account or something like that would help with implementing support for each of the applications.

Microsoft Authenticator doesn't have a QR code export option. Its only options are:

  1. Backup to their cloud (and the file is encrypted with some personal token that is stored on Microsoft servers)
  2. Export to encrypted file designed to be restored only in their app.
    More information about their implementation, at least in cloud backup.

I can't find any other option inside the app or in posts on different forums. And in the only post about a function to export secret keys to a file that can be used in other apps, a Microsoft MVP pretends like no other app besides theirs exists in this world, so why would you need such a feature?

I think that trying to support their app could be very hard and time-consuming, if it is even possible.
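
Added example, not part of the thread and not Protecc's code: a Python version of the keyuri utility suggested above. It parses newline-separated otpauth://totp/ lines as in the txt export, validates the base32 secret, and reports rejected lines by number and reason only, so a secret never ends up in an error message. The Account type, the function names and the sample lines are assumptions made for illustration.

```python
import base64
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlsplit

@dataclass(frozen=True)
class Account:  # hypothetical record type, not Protecc's own class
    issuer: str
    name: str
    secret: str
    algorithm: str = "SHA1"
    digits: int = 6
    period: int = 30

def parse_otpauth(uri: str) -> Account:
    """Parse one otpauth://totp/ URI; raise ValueError on anything malformed."""
    parts = urlsplit(uri.strip())
    if parts.scheme != "otpauth" or parts.netloc.lower() != "totp":
        raise ValueError("not an otpauth://totp URI")
    label = unquote(parts.path.lstrip("/"))  # %3A decodes to ':'
    prefix, _, name = label.rpartition(":")  # prefix is "" when the label has no issuer
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    secret = query.get("secret", "").replace(" ", "").upper()
    try:  # URIs usually omit base32 padding, so restore it before decoding
        if not base64.b32decode(secret + "=" * (-len(secret) % 8)):
            raise ValueError("empty secret")
    except ValueError as exc:
        raise ValueError("secret is missing or not base32") from exc
    algorithm = query.get("algorithm", "SHA1").upper()
    digits, period = int(query.get("digits", 6)), int(query.get("period", 30))
    if algorithm not in ("SHA1", "SHA256", "SHA512") or not 6 <= digits <= 8 or period <= 0:
        raise ValueError("unsupported parameters")
    return Account(query.get("issuer", prefix).strip(), name.strip(), secret, algorithm, digits, period)

def parse_export(text: str):
    """Parse a newline-separated export; return (accounts, [(line number, reason)])."""
    accounts, rejected = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            try:
                accounts.append(parse_otpauth(line))
            except ValueError as exc:  # keep the reason only: the line itself holds the secret
                rejected.append((number, str(exc)))
    return accounts, rejected

# Constructed sample: line 2 keeps the SOME_SECRET placeholder, which is not valid base32
SAMPLE = ("otpauth://totp/ExampleSite%3Aalice?secret=JBSWY3DPEHPK3PXP&issuer=ExampleSite\n"
          "otpauth://totp/NAME%3AUSERNAME?secret=SOME_SECRET&issuer=NAME\n"
          "otpauth://totp/Example%3Abob?period=30&digits=6&algorithm=SHA1&secret=mzxw6ytboi\n")
```

Other URI types, such as hotp, are rejected by this parser rather than imported as TOTP.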

@FireCubeStudios
Owner Author

Ok we don't need to focus on importing from ms Authenticator then

@peternrdstrm

Another popular open source option is Aegis, found in the main repository of F-Droid.
Its export options include text, unencrypted text, json and unencrypted json.
This is how that looks (the unencrypted one):

otpauth://totp/Website%3AUSERNAME?period=30&digits=6&algorithm=SHA1&secret=SECRET&issuer=Website

@FireCubeStudios
Owner Author

how is the json one? I am thinking of making interfaces for anyone (with basic c# knowledge) to easily add compatibility to third party importing

@peternrdstrm

> how is the json one? I am thinking of making interfaces for anyone (with basic c# knowledge) to easily add compatibility to third party importing

I think the contents are identical, only the formatting is different

@kurisucat
Contributor

I'm using Aegis on my Android phone.

It has 2 ways to export, Aegis' json and txt.

Aegis' json can be encrypted.

This is Aegis .json (No encryption):

{
    "version": 1,
    "header": {
        "slots": null,
        "params": null
    },
    "db": {
        "version": 2,
        "entries": [
            {
                "type": "totp",
                "uuid": "ititit-just-aaaa-fake-uuiduuiduuid",
                "name": "KurisuCat",
                "issuer": "FakeBBS",
                "note": "",
                "icon": null,
                "info": {
                    "secret": "ABCDEFGHIJKLMNOP",
                    "algo": "SHA1",
                    "digits": 6,
                    "period": 30
                }
            }, 
            {
                "type": "steam",
                "uuid": "ititit-just-aaaa-fake-uuiduuiduuid",
                "name": "KurisuCat",
                "issuer": "Steam",
                "note": "",
                "icon": null,
                "info": {
                    "secret": "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345",
                    "algo": "SHA1",
                    "digits": 5,
                    "period": 30
                }
            }
        ]
    }
}

This is .txt:

otpauth://totp/FakeBBS%3AKurisuCat?period=30&digits=6&algorithm=SHA1&secret=ABCDEFGHIJKLMNOP&issuer=FakeBBS
otpauth://steam/Steam%3AKurisuCat?period=30&digits=5&algorithm=SHA1&secret=ABCDEFGHIJKLMNOPQRSTUVWXYZ012345&issuer=Steam
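
Added example, not part of the thread and not Protecc's or Aegis's code: a Python converter from the unencrypted Aegis JSON shown above to the otpauth lines of the txt export, so one keyuri importer can serve both formats. It refuses a vault that looks encrypted and reports entry types it was not asked to handle. The function name, the reduced sample and the shape of the encrypted vault are assumptions made for illustration.

```python
import json
from urllib.parse import quote

def aegis_to_uris(raw: str, allowed_types=("totp",)):
    """Convert an unencrypted Aegis JSON export to otpauth URIs.

    Returns (uris, skipped); skipped holds (issuer, reason) and never a secret.
    """
    vault = json.loads(raw)
    if not isinstance(vault, dict) or not isinstance(vault.get("db"), dict):
        raise ValueError("not a plain Aegis vault (encrypted or another format)")
    if (vault.get("header") or {}).get("slots"):  # assumption: key slots mark encryption
        raise ValueError("vault header lists key slots, refusing to import")
    uris, skipped = [], []
    for entry in vault["db"].get("entries") or []:
        try:
            kind, issuer, info = entry["type"], str(entry["issuer"]), entry["info"]
            if kind not in allowed_types:
                skipped.append((issuer, f"unsupported type {kind!r}"))
                continue
            label = quote(f'{issuer}:{entry["name"]}', safe="")
            uris.append(
                f"otpauth://{kind}/{label}?period={int(info['period'])}"
                f"&digits={int(info['digits'])}&algorithm={quote(str(info['algo']), safe='')}"
                f"&secret={quote(str(info['secret']), safe='')}&issuer={quote(issuer, safe='')}"
            )
        except (KeyError, TypeError, ValueError):
            skipped.append((None, "malformed entry"))
    return uris, skipped

# The two entries from the comment above, reduced to the fields used here
PLAIN = json.dumps({"version": 1, "header": {"slots": None, "params": None}, "db": {"version": 2, "entries": [
    {"type": "totp", "name": "KurisuCat", "issuer": "FakeBBS",
     "info": {"secret": "ABCDEFGHIJKLMNOP", "algo": "SHA1", "digits": 6, "period": 30}},
    {"type": "steam", "name": "KurisuCat", "issuer": "Steam",
     "info": {"secret": "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345", "algo": "SHA1", "digits": 5, "period": 30}},
]}})
# Constructed shape of an encrypted export (assumption): key slots set, "db" an opaque string
ENCRYPTED = json.dumps({"version": 1, "header": {"slots": [{"type": 1}], "params": {}}, "db": "b3BhcXVl"})
```

With allowed_types=("totp", "steam") the output matches both lines of the txt export above.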

@FireCubeStudios
Owner Author

Thanks for sending this. I can add Aegis importing then

@FireCubeStudios
Owner Author

@kurisucat can you send the json but with an icon to see how icon format looks like

@kurisucat
Contributor

> @kurisucat can you send the json but with an icon to see how icon format looks like

icon value is base64 of image,

iVBORw0KGgoAAAANSUhEUgAAAZ... too long

and not include data:image/png;base64,

@ghost

ghost commented Oct 17, 2022

> Microsoft Authenticator
>
> I think it encrypts exported file with some key that is composed of English dictionary words. I couldn't create a sample because the app broke on export.

How do you export your TOTPs in Microsoft Authenticator? couldn't find the option to do that.

@DmitryGolubenkov
Contributor

@KitCat36

> How do you export your TOTPs in Microsoft Authenticator? couldn't find the option to do that.

Maybe there is no such function..
I opened settings and scrolled down to the bottom, where I saw export and import buttons. I thought that that was the export thing. Now I have checked this again - and no, these buttons export other things from the app

So you are correct
It is impossible to export 2FA keys from Microsoft Authenticator
They can be backed up to Microsoft cloud, and that's it

@krisu5

krisu5 commented Oct 22, 2022

> icon value is base64 of image,
>
> iVBORw0KGgoAAAANSUhEUgAAAZ... too long
>
> and not include data:image/png;base64,

Note that Aegis also supports SVG vectors and JPGs for entry icons.

@ricardoboss

ricardoboss commented Oct 3, 2023

Would also be cool to be able to import TOTP keys from 1password.

I have found the following:

  • Export your vault via 1password Desktop as a 1pux file
  • The file is actually a zip archive containing a "export.data" file with unencrypted JSON data
  • in the JSON data, the path accounts[i].vaults[ii].items[iii].details.sections[iv].fields[v].value.totp contains the TOTP key

The value can also contain a URI with the otpauth:// scheme

I will see if I can contribute an importer for this. Also not sure if the path above is the only path to find TOTP keys. If not me, I hope this helps someone else integrate this. I can provide more info on the 1password exported file.
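
Added example, not part of the thread and not Protecc's or 1Password's code: a Python reader for the 1pux layout described in this comment. It opens only the export.data member with a size cap, walks the stated path while tolerating missing or mistyped nodes, and tags each value as a bare key or an otpauth URI. The size cap, the function names and the archive built by build_sample are assumptions made for illustration.

```python
import io
import json
import zipfile

MAX_BYTES = 32 * 1024 * 1024  # assumption: size cap picked for this example

def read_export_data(blob: bytes):
    """Read only the export.data member of a 1pux archive, with a size cap."""
    with zipfile.ZipFile(io.BytesIO(blob)) as archive:
        info = archive.getinfo("export.data")  # KeyError if the member is absent
        if info.file_size > MAX_BYTES:
            raise ValueError("export.data is larger than expected")
        with archive.open(info) as member:
            data = member.read(MAX_BYTES + 1)  # do not trust the declared size alone
    if len(data) > MAX_BYTES:
        raise ValueError("export.data is larger than expected")
    return json.loads(data)

def _children(node, key):
    """Return the dict elements of node[key], tolerating missing or mistyped fields."""
    value = node.get(key) if isinstance(node, dict) else None
    return [c for c in value if isinstance(c, dict)] if isinstance(value, list) else []

def extract_totp(export):
    """Collect value.totp along accounts/vaults/items/details.sections/fields."""
    found = []
    for account in _children(export, "accounts"):
        for vault in _children(account, "vaults"):
            for item in _children(vault, "items"):
                for section in _children(item.get("details"), "sections"):
                    for field in _children(section, "fields"):
                        value = field.get("value")
                        totp = value.get("totp") if isinstance(value, dict) else None
                        if isinstance(totp, str) and totp:
                            kind = "uri" if totp.lower().startswith("otpauth://") else "secret"
                            found.append((kind, totp))
    return found

def build_sample() -> bytes:
    """Constructed archive: one bare key, one otpauth URI and one item without TOTP."""
    def item(*values):
        return {"details": {"sections": [{"fields": [{"value": v} for v in values]}]}}
    export = {"accounts": [{"vaults": [{"items": [
        item({"totp": "JBSWY3DPEHPK3PXP"}, {"string": "constructed non-TOTP field"}),
        item({"totp": "otpauth://totp/Example%3Aalice?secret=JBSWY3DPEHPK3PXP&issuer=Example"}),
        {"details": None}]}]}]}
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("export.data", json.dumps(export))
    return buffer.getvalue()
```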

@FireCubeStudios
Owner Author

The 1 password looks simple so I can add it

@ricardoboss

@FireCubeStudios started work on a view for importing. Maybe you can build off of it? #85

@minecraftfen

minecraftfen commented Mar 4, 2024

> @KitCat36
>
> > How do you export your TOTPs in Microsoft Authenticator? couldn't find the option to do that.
>
> Maybe there is no such function.. I opened settings and scrolled down to the bottom, where I saw export and import buttons. I thought that that was the export thing. Now I have checked this again - and no, these buttons export other things from the app
>
> So you are correct It is impossible to export 2FA keys from Microsoft Authenticator They can be backed up to Microsoft Cloud, and that's it

@DmitryGolubenkov

There are some possible ways to export data manually: original link (Chinese)
Simply put, the original text says those data are saved in folder /data/data/com.azure.authenticator/databases/, files PhoneFactor, PhoneFactor-shm, PhoneFactor-wal, in SQLite format. It needs a rooted Android device.

I have exported it this way and I get a JSON, an Array of {uuid, otpauthstr}, and I'm finding ways to import it into protecc

maybe I can convert this JSON into something that protecc can import, but I can't find any options to import or documents of protecc's YAML

7 participants