
I have an Okta user with 2FA using the Google Authenticator app on my phone. I have been looking into some code to automate this so I don't have to check my phone. I was hoping this could be done through a command-line script.

I see this script https://github.com/grahammitchell/google-authenticator; however, I would need to know the user (which I believe to be my Okta username) and the secret (I am not sure where I could pull this from; perhaps I can generate a new one?).

I guess my question would be: is this possible?

Will

3 Answers


Yes, you can (but you probably shouldn't). When you add a code / site / whatever in Google Authenticator (or any TOTP code generator), it takes a symmetric secret (i.e. a passphrase) and uses that + the time to generate the 6-digit code. The IdP saves the same secret and uses the same TOTP protocol to generate the codes.

Provided the time is the same, the codes the IdP generates are the same as the codes your phone generates, and you have proved you know the secret.

The trick is to get the underlying secret when enrolling the device into MFA and save this somewhere you can use it to generate the codes.

Once you have the QR code you can read the secret from it using Python, e.g.: How to decode a QR-code image in (preferably pure) Python?

Then the script you linked can generate the codes.

When would you do this?

I have done this in the past to automate testing of various IdP functionality like enrolling into MFA, authenticating and so on.

When would you never do this?

If this is a normal account, like your gmail / some SaaS you use for work / something that is important, then this approach is a terrible idea. The idea behind MFA is that you have:

  • Something you know, like your password
  • Something you have, like your phone / a yubi key / something other than your usual laptop, pc or whatever.

It is undermining the security offered by the second factor. If they steal your password or somehow access your device, they still need to take over the other factor to access important services, but if you keep that secret on the same device they just got access to then you might as well have handed them your phone too.

stringy05

The easiest method is to execute the procedure for changing the phone on the Okta side and introduce a new TOTP (Google Authenticator uses RFC 6238). In such a case the most convenient option would be to use Firefox or Chrome browser extensions which are capable of generating TOTP codes, then pair this with the

Some years ago, using the existing one would require you to have root access to the phone with Google Authenticator. Then you can get the SQLite database from a location like this:

/data/data/com.google.android.apps.authenticator2/databases/databases

and use command:

sqlite3 ./databases "select * from accounts"

In the current Google Authenticator version there is an export option which will generate a QR code ready to be added on another device. The exact steps and commands depend on both the phone/OS and the Google Authenticator version.

nusch

Bitwarden, a password manager, lets you save usernames, passwords and TOTP (e.g. Google Authenticator codes) and will auto-generate and fill them on websites. https://bitwarden.com/help/authenticator-keys/

FakeFootball