@decklin
Last active February 26, 2017 00:47

I wanted to extract my OTP secrets from Authy, so that I could install them on my preferred OTP generator. I found this gist by Indrek Ardel, based on another by Brian Hartvigsen, which were very thorough, but had out-of-date console instructions and sent your secret data through a Google QR code image-generator service. Thankfully, the general principle still works, with some simplification. Turn on developer mode for Chrome extensions and open the JS console for the Authy Chrome app's main.html, and enter:

    appManager.getDecryptedApps().forEach(a => { console.log(a.name + ': ' + a.secretSeed); });

This will display the hex-encoded seed for each service that you have configured with Authy. Copy the one you want.

To generate an OTP with that seed (in hex! You don't need to convert to Base32 for oathtool, which is available in Homebrew as part of the oath-toolkit formula):

    pbpaste | xargs oathtool --totp --digits=7 --time-step-size=10

(Assuming a Mac here; otherwise substitute xsel/xclip or whatever for pbpaste, or set up your shell so that you can exclude commands from being saved in your history, e.g. HISTCONTROL=ignorespace for Bash, and just paste it instead of using xargs.)

If you want to convert the seed to Base32 for use with other programs or devices, however, see the tiny Node.js script attached below. In particular, here's how to get the seed into a Google Authenticator-compatible app without retyping it:

  1. Extract the seed in hex

  2. Run pbpaste | xargs ./hex-to-base32.js

  3. Install Burn After Reading and run it on this input, saved in an encrypted YAML file:

    Example Authy Service:
      :totp:
        Example:YOUR_ACCOUNT_NAME:
          secret: YOUR_BASE32_SEED
          issuer: Example
          digits: 7
          period: 10
    

    Or, generate the key URI by hand and feed it to some other QR code generator.

  4. Scan the output with your favorite OTP generator app (that supports the digits and period parameters, which seems to be all of them including GA, despite the warnings on that GA wiki page).

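#!/usr/bin/env node
// Convert each hex-encoded seed given as an argument to RFC 4648 Base32.
// Requires the base32-encode package from npm.
var b32enc = require('base32-encode');
process.argv.slice(2).forEach(arg => {
  // Buffer.from replaces the deprecated `new Buffer(string, encoding)` constructor.
  var buf = Buffer.from(arg, 'hex');
  console.log(b32enc(buf, 'RFC4648'));
});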
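
The "generate the key URI by hand" alternative in step 3 can be done entirely locally, so the seed never passes through an npm dependency or an online QR service. The Node.js sketch below is an added example, not part of the original gist: the function names `hexToBase32` and `buildKeyUri`, the account name and the sample seed are assumptions for illustration, and the `otpauth://` layout follows the Google Authenticator key URI format.

```javascript
// Added example: hex seed -> unpadded Base32 -> otpauth:// key URI, no npm deps.
const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'; // RFC 4648 Base32

function hexToBase32(hex) {
  const clean = hex.trim();
  // Buffer.from(..., 'hex') silently stops at the first invalid character,
  // which would yield a shorter (wrong) secret, so validate first.
  if (!/^(?:[0-9a-fA-F]{2})+$/.test(clean)) {
    throw new Error('seed must be a non-empty, even-length hex string');
  }
  let bits = 0, value = 0, out = '';
  for (const byte of Buffer.from(clean, 'hex')) {
    value = (value << 8) | byte;
    bits += 8;
    while (bits >= 5) {
      out += ALPHABET[(value >>> (bits - 5)) & 31];
      bits -= 5;
    }
    value &= (1 << bits) - 1; // keep only the bits not yet emitted
  }
  if (bits > 0) out += ALPHABET[(value << (5 - bits)) & 31];
  return out; // no '=' padding; the key URI format asks for it to be omitted
}

// digits and period default to the values used in the gist (7 and 10).
function buildKeyUri({ issuer, account, seedHex, digits = 7, period = 10 }) {
  const label = encodeURIComponent(issuer) + ':' + encodeURIComponent(account);
  const query = [
    'secret=' + hexToBase32(seedHex),
    'issuer=' + encodeURIComponent(issuer),
    'digits=' + digits,
    'period=' + period,
  ].join('&');
  return 'otpauth://totp/' + label + '?' + query;
}

// Constructed sample seed (the RFC 6238 test key), not a real Authy secret.
console.log(buildKeyUri({
  issuer: 'Example',
  account: 'YOUR_ACCOUNT_NAME',
  seedHex: '3132333435363738393031323334353637383930',
}));
```

The printed URI can be fed to a QR generator that runs on your own machine, or typed into an app that accepts manual entry of the Base32 secret.
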
@dimon222

Is it still working?
