
photo by xat-ch, Pixabay

How To Read The TOTP Secret Key from a QR Code Image

  • Adam Douglas
  • qrcode

Many services today implement two-factor authentication (2FA) or multi-factor authentication (MFA) to improve account security. Unfortunately, setting up 2FA or MFA on a specific service can be frustrating for the end user because of how it was implemented. In particular, I’ve come across various services that try to make it easier to enable 2FA/MFA through the use of a quick response (QR) code but don’t provide a means to display the time-based one-time password (TOTP) secret key. The only way to get the TOTP secret key is by scanning the QR code itself, which is not always possible.

In the instructions below I will demonstrate how to obtain the TOTP secret key from a QR code image using a web browser and the Linux terminal.

Environment

The following was used to test these instructions.

  • Arch Linux x86_64
  • Pacman v6.0.1
  • Mozilla Firefox v94.0.1
  • ZBar v0.23.1

Prerequisite

Before we can begin, the ZBar suite must be installed.

Arch Linux

$ sudo pacman -Sy zbar

Debian

$ sudo apt-get install zbar-tools

Instructions

Warning

Never share a time-based one-time password (TOTP) secret key with anyone. The TOTP secret key shown below is for demonstration purposes only.

  1. Log in to the desired service via the web browser.
  2. Start the process to enable 2FA/MFA.
  3. Right click over top of the QR code image and click on “Save Image As…”.
  4. Save the QR code image as “qrcode.png” and click the “Save” button.
  5. Open the terminal.
  6. Read QR code using “zbarimg”.
    $ zbarimg ~/Downloads/qrcode.png
    QR-Code:otpauth://totp/Etsy%3Amwypeh0x?image=https%3A%2F%2Fwww.etsy.com%2Fimages%2Ffavicon.ico&issuer=Etsy&secret=23456789ABCDEFGHJKLMNPQRSTUVWXYZ
    scanned 1 barcode symbols from 1 images in 0.01 seconds
    
    . EAN/UPC (EAN-13, EAN-8, EAN-2, EAN-5, UPC-A, UPC-E, ISBN-10, ISBN-13)
    . DataBar, DataBar Expanded
    . Code 128
    . Code 93
    . Code 39
    . Codabar
    . Interleaved 2 of 5
    . QR code
    . SQ code
            - is the barcode large enough in the image?
            - is the barcode mostly in focus?
            - is there sufficient contrast/illumination?
            - If the symbol is split in several barcodes, are they combined in one image?
            - Did you enable the barcode type?
    some EAN/UPC codes are disabled by default. To enable all, use:
    $ zbarimg -S*.enable <files>
    Please also notice that some variants take precedence over others.
    Due to that, if you want, for example, ISBN-10, you should do:
    $ zbarimg -Sisbn10.enable <files>
    
  7. From the “zbarimg” output above, copy the TOTP secret key that is located after “secret=”. In the example output you would copy the following value.
    23456789ABCDEFGHJKLMNPQRSTUVWXYZ
    
  8. Paste the value into a desired password manager/authenticator application (e.g. KeePassXC).
  9. Delete “qrcode.png” to ensure no one can retrieve your TOTP secret key.
    $ rm ~/Downloads/qrcode.png
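
Added example, not part of the original post: instead of copying the text after “secret=” by eye (steps 6 and 7), this Python code parses the “otpauth://” line printed by “zbarimg”, checks that the secret is valid Base32, and computes the current code so it can be compared with what the authenticator application shows. The function names and the sample line are constructed for illustration; the sample uses the RFC 6238 test key, because the post's demonstration value contains 8 and 9, which are outside the Base32 alphabet.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample line (not from the post): RFC 6238 test key, "secret" not last.
SAMPLE = ("QR-Code:otpauth://totp/Example%3Aalice?issuer=Example"
          "&secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&digits=8")


def parse_otpauth(line):
    """Turn one line of zbarimg output into validated otpauth fields."""
    uri = line.strip()
    if uri.startswith("QR-Code:"):  # symbology prefix zbarimg prints before the payload
        uri = uri[len("QR-Code:"):]
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    secret = params.get("secret", "").replace(" ", "").upper()
    # Decoding validates the Base32 alphabet (A-Z, 2-7); restore omitted padding first.
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    if not key:
        raise ValueError("no secret parameter in URI")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": secret,
        "key": key,
        "algorithm": params.get("algorithm", "SHA1").lower(),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def totp(info, unix_time):
    """Compute the RFC 6238 code for unix_time, to compare with the authenticator app."""
    counter = struct.pack(">Q", int(unix_time) // info["period"])
    mac = hmac.new(info["key"], counter, getattr(hashlib, info["algorithm"])).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** info["digits"]).zfill(info["digits"])


if __name__ == "__main__":
    info = parse_otpauth(SAMPLE)
    print(info["issuer"], info["label"], totp(info, 59))
```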
    

I’m publishing this as part of 100 Days To Offload. You can join in yourself by visiting 100DaysToOffload.com.