Workplaces may enforce TOTP 2FA to be enabled Office 365 accounts, which require the Microsoft Authenticator app to be installed.
Regular TOTP applications (such as Aegis, Authy, or LastPass) cannot be used as Microsoft uses a proprietary scheme called phonefactor
. Furthermore, the application requires Google Services Framework (GSF) to be installed (likely to provide device notifications), and will refuse to work when it is not present on the device.
Forunately, after the registration is complete, the underlying mechanism the app uses to generate TOTP codes is regular otpauth
, and its secrets can be exported with a little bit of effort.
-
To extract the keys, a complete registration must first be done with a rooted Android device. I used a virtual Android device created with Android Studio's Device Manager.
-
Once complete, an SQLite database storing the keys can be found on the device at:
/data/data/com.azure.authenticator/databases/PhoneFactor
(accessing the
/data
partition is what requires root) -
ADB can then be used to connect to the device/emulator, using its bundled
sqlite3
tool to view the database:$ adb root # Ensure we run as the root user $ adb shell # Launch a shell as the root user emu64xa:/ # whoami root emu64xa:/ # sqlite3 /data/data/com.azure.authenticator/databases/PhoneFactor # Connect to the database file sqlite> SELECT name, username, oath_secret_key from accounts; GitHub|[email protected]|w0swofa8wl02vqml0pkbzphvp54zyx5x
The 32-length string in the
oath_secret_key
column can then be imported into any TOTP application.
Thanks for this. My account_type was "2" and I had to construct an otpauth URI that set the algorithm to SHA256:
otpauth://totp/MY_ISSUER:MY_EMAIL?secret=MY_SECRET&algorithm=SHA256