Skip to content

Instantly share code, notes, and snippets.

@chowder

chowder/README.md

Last active February 13, 2026 08:32
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save chowder/2ead734d60d84d4d15034fcce81aaaf9 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save chowder/2ead734d60d84d4d15034fcce81aaaf9 to your computer and use it in GitHub Desktop.
Download ZIP
Exporting Microsoft Authenticator TOTP secrets
Raw
README.md

Background

Workplaces may enforce TOTP 2FA to be enabled Office 365 accounts, which require the Microsoft Authenticator app to be installed.

Regular TOTP applications (such as Aegis, Authy, or LastPass) cannot be used as Microsoft uses a proprietary scheme called phonefactor. Furthermore, the application requires Google Services Framework (GSF) to be installed (likely to provide device notifications), and will refuse to work when it is not present on the device.

Forunately, after the registration is complete, the underlying mechanism the app uses to generate TOTP codes is regular otpauth, and its secrets can be exported with a little bit of effort.

Extracting the keys

  1. To extract the keys, a complete registration must first be done with a rooted Android device. I used a virtual Android device created with Android Studio's Device Manager.

  2. Once complete, an SQLite database storing the keys can be found on the device at:

    /data/data/com.azure.authenticator/databases/PhoneFactor

    (accessing the /data partition is what requires root)

  3. ADB can then be used to connect to the device/emulator, using its bundled sqlite3 tool to view the database:

    $ adb root  # Ensure we run as the root user 
$ adb shell  # Launch a shell as the root user 
emu64xa:/ # whoami
root 
emu64xa:/ # sqlite3 /data/data/com.azure.authenticator/databases/PhoneFactor  # Connect to the database file
sqlite> SELECT name, username, oath_secret_key from accounts;
GitHub|Chowder@github.com|w0swofa8wl02vqml0pkbzphvp54zyx5x

    The 32-length string in the oath_secret_key column can then be imported into any TOTP application.

@CrazyTim71
Copy link

CrazyTim71 commented Feb 10, 2026

Thank you very much for all the guides! I successfully exported all my secrets and imported them into my new authenticator app :D

@Nriver Thanks for the command! Did you verify that your OTP codes are valid? I’m asking because mine were invalid when using &algorithm=SHA256. I had to adjust the algorithm to SHA1 according to the account type, as @zsrv mentioned:

account_type = 0 –> SHA1
account_type = 1 –> ??
account_type = 2 –> SHA256

Rooting the AVD

I’d like to point out to enable "Cold Boot" in the AVD settings before rooting it. Otherwise it might not work (neither with the ramdisk nor with the FAKEBOOTIMG in my case).

Easy import with QR Codes

As soon as I got the otpauth_url, I used DevToys to generate a QR code for each account. It works offline without any need for additional scripts.

@Nriver
Copy link

Nriver commented Feb 10, 2026

I have multiple accounts, all of which are type 2, and the code works correctly for logging in. Because of that, I initially assumed the value was fixed. However, since other values exist, the command can be updated as follows:

sqlite3 PhoneFactor "SELECT 'otpauth://totp/' || name || ':' || username || '?secret=' || oath_secret_key || CASE WHEN account_type = 2 THEN '&algorithm=SHA256' ELSE '&algorithm=SHA1' END AS otpauth_url FROM accounts;"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment