@chowder
Last active June 14, 2026 21:59
Exporting Microsoft Authenticator TOTP secrets

Background

Workplaces may enforce TOTP 2FA on Office 365 accounts, which requires the Microsoft Authenticator app to be installed.

Regular TOTP applications (such as Aegis, Authy, or LastPass) cannot be used as Microsoft uses a proprietary scheme called phonefactor. Furthermore, the application requires Google Services Framework (GSF) to be installed (likely to provide device notifications), and will refuse to work when it is not present on the device.

Fortunately, after the registration is complete, the underlying mechanism the app uses to generate TOTP codes is regular otpauth, and its secrets can be exported with a little bit of effort.

Extracting the keys

  1. To extract the keys, a complete registration must first be done with a rooted Android device. I used a virtual Android device created with Android Studio's Device Manager.

  2. Once complete, an SQLite database storing the keys can be found on the device at:

    /data/data/com.azure.authenticator/databases/PhoneFactor

    (accessing the /data partition is what requires root)

  3. ADB can then be used to connect to the device/emulator, using its bundled sqlite3 tool to view the database:

    $ adb root  # Ensure we run as the root user 
    $ adb shell  # Launch a shell as the root user 
    emu64xa:/ # whoami
    root 
    emu64xa:/ # sqlite3 /data/data/com.azure.authenticator/databases/PhoneFactor  # Connect to the database file
    sqlite> SELECT name, username, oath_secret_key from accounts;
    GitHub|Chowder@github.com|w0swofa8wl02vqml0pkbzphvp54zyx5x
    

    The 32-length string in the oath_secret_key column can then be imported into any TOTP application.

@Nriver

Nriver commented Feb 4, 2026


To save a minute of time, use the following command after you get the database file:

sqlite3 PhoneFactor "SELECT 'otpauth://totp/' || name || ':' || username || '?secret=' || oath_secret_key || '&algorithm=SHA256' AS otpauth_url FROM accounts;"

This will directly output the otpauth_url for each account. You can then save the generated keys to Bitwarden, and they will work seamlessly.

@CrazyTim71


Thank you very much for all the guides! I successfully exported all my secrets and imported them into my new authenticator app :D

@Nriver Thanks for the command! Did you verify that your OTP codes are valid? I’m asking because mine were invalid when using &algorithm=SHA256. I had to adjust the algorithm to SHA1 according to the account type, as @zsrv mentioned:

account_type = 0 –> SHA1
account_type = 1 –> ??
account_type = 2 –> SHA256

Rooting the AVD

I’d like to point out that you should enable "Cold Boot" in the AVD settings before rooting it. Otherwise it might not work (neither with the ramdisk nor with the FAKEBOOTIMG in my case).

Easy import with QR Codes

As soon as I got the otpauth_url, I used DevToys to generate a QR code for each account. It works offline without any need for additional scripts.

@Nriver

Nriver commented Feb 10, 2026


I have multiple accounts, all of which are type 2, and the code works correctly for logging in. Because of that, I initially assumed the value was fixed. However, since other values exist, the command can be updated as follows:

sqlite3 PhoneFactor "SELECT 'otpauth://totp/' || name || ':' || username || '?secret=' || oath_secret_key || CASE WHEN account_type = 2 THEN '&algorithm=SHA256' ELSE '&algorithm=SHA1' END AS otpauth_url FROM accounts;"
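An added example that is not part of the gist or of any comment above: a Python script that does, end to end, what the extraction steps in the gist and the two sqlite3 one-liners in this thread do, and additionally computes a current code for each account so the export can be checked against what the app displays before the device is discarded. It assumes only the four columns named in the thread (`name`, `username`, `oath_secret_key`, `account_type`) and the algorithm mapping reported above (type 0 to SHA1, type 2 to SHA256); type 1 is deliberately left unmapped so the script reports it rather than silently guessing. The database it opens is a constructed in-memory stand-in with made-up Base32 secrets, not data from any device; the `issuer` parameter it adds is a standard otpauth field the thread's command omits. The HOTP/TOTP routines follow RFC 4226 and RFC 6238.

```python
import base64
import hashlib
import hmac
import sqlite3
import struct
import time
from typing import Dict, List, Optional
from urllib.parse import quote

# Algorithm per account_type as reported in the comment thread.
# account_type 1 is unknown there, so it is intentionally NOT mapped.
ALGORITHM_BY_ACCOUNT_TYPE = {0: "SHA1", 2: "SHA256"}
HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def decode_base32_secret(secret: str) -> bytes:
    """otpauth secrets are unpadded Base32; restore padding and accept lowercase."""
    cleaned = secret.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, algorithm: str = "SHA1", digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, zero-padded."""
    mac = hmac.new(key, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, timestamp: int, algorithm: str = "SHA1",
         digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, timestamp // period, algorithm, digits)


def otpauth_url(name: str, username: str, secret: str, account_type: int) -> str:
    """Build the otpauth:// URI for one row, picking the HMAC algorithm from account_type.

    Raises KeyError for account types the thread has not mapped instead of defaulting
    to SHA1, which would produce an export that generates wrong codes without warning.
    """
    if account_type not in ALGORITHM_BY_ACCOUNT_TYPE:
        raise KeyError(f"account_type {account_type} has no known algorithm ({username})")
    algorithm = ALGORITHM_BY_ACCOUNT_TYPE[account_type]
    label = quote(f"{name}:{username}", safe=":@")  # '/' in the label must be escaped
    return (f"otpauth://totp/{label}?secret={secret}"
            f"&issuer={quote(name, safe='')}&algorithm={algorithm}")


def export_accounts(conn: sqlite3.Connection, now: Optional[int] = None) -> List[Dict]:
    """Read the accounts table and return one record per account.

    Each record carries the otpauth URL plus the code valid at `now`, so the result can
    be compared with the app before the secret is trusted; unmapped types get an error.
    """
    now = int(time.time()) if now is None else now
    rows = conn.execute(
        "SELECT name, username, oath_secret_key, account_type FROM accounts"
    ).fetchall()
    records = []
    for name, username, secret, account_type in rows:
        try:
            url = otpauth_url(name, username, secret, account_type)
        except KeyError as exc:
            records.append({"name": name, "username": username, "error": str(exc)})
            continue
        algorithm = ALGORITHM_BY_ACCOUNT_TYPE[account_type]
        records.append({"name": name, "username": username, "otpauth_url": url,
                        "code_now": totp(decode_base32_secret(secret), now, algorithm)})
    return records


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for the app's PhoneFactor database (hypothetical rows).

    Only the columns the thread uses are modelled; the secrets are made-up Base32 values.
    On a real device you would instead open the path given in the gist.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT, username TEXT, "
                 "oath_secret_key TEXT, account_type INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", [
        ("GitHub", "alice@example.com", "JBSWY3DPEHPK3PXP", 0),                     # SHA1
        ("Contoso", "alice@example.org", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", 2),    # SHA256
        ("Mystery", "alice@example.net", "JBSWY3DPEHPK3PXP", 1),                    # unmapped
    ])
    return conn


if __name__ == "__main__":
    for record in export_accounts(build_sample_db()):
        print(record)
```

To use it against a real export, replace `build_sample_db()` with `sqlite3.connect("PhoneFactor")` on the file pulled from the device, and compare `code_now` with the code the app shows for the same account in the same 30-second window before importing the URL anywhere.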

@aparatext


Hi. I just completed this guide. Thank you so much! Our university admins have been extremely close-minded about forcing MS Authenticator on students, despite multiple protests and even a stern blog post from the Free Software Foundation. This finally lets me sign in to the university system without any spyware, storing this secret anywhere I see fit.

However when I was popping back into the app to check if the TOTP codes are the same, I was met with this ominous popup. So far this credential I extracted works. I'll pop back into this thread if it does get revoked.

If they just detect root, we can probably peek into the emulator's storage from the host without rooting it. The scary thing they can do is require Play Integrity for provisioning, which would also lock out my Graphene OS...

Emulator screenshot. Your device is rooted. This device has been modified to bypass built-in security protections. You'll eventually be unable to add or use your work or school accounts on this device.

@Diamonddragon999


Found an easier solution. After adding MS Auth on your phone, just go to the security settings in your browser to add "App Based Authentication", where it shares the secret key to use in another MFA app.

@aparatext

> Found an easier solution. After adding MS Auth on your phone, just go to the security settings in your browser to add "App Based Authentication", where it shares the secret key to use in another MFA app.

The trouble is, many administrators disable plain TOTP completely. This hack is mostly for those accounts, not personal ones where you can add a passkey or plain TOTP easily if you avoid a dark pattern of two.

@unbyte

unbyte commented May 16, 2026


Thanks for this guide!

For anyone on Xiaomi devices running HyperOS 2 and 3 without the 2026-03-01 security patch, there's actually a way to access the database file without root or an unlocked bootloader.

I wrote a short guide covering this: https://github.com/unbyte/microsoft-authenticator-export-xiaomi

@kitsumed

kitsumed commented Jun 9, 2026


> Hi. I just completed this guide. Thank you so much! Our university admins have been extremely close-minded about forcing MS Authenticator on students, despite multiple protests and even a stern blog post from the Free Software Foundation. This finally lets me sign in to the university system without any spyware, storing this secret anywhere I see fit.
>
> However when I was popping back into the app to check if the TOTP codes are the same, I was met with this ominous popup. So far this credential I extracted works. I'll pop back into this thread if it does get revoked.
>
> If they just detect root, we can probably peek into the emulator's storage from the host without rooting it. The scary thing they can do is require Play Integrity for provisioning, which would also lock out my Graphene OS...
>
> Emulator screenshot. Your device is rooted. This device has been modified to bypass built-in security protections. You'll eventually be unable to add or use your work or school accounts on this device.

If you look at my blog post, you will see a mention of this; for now this only applies to organizations. May change in the future. (Probably will for "safety" as they say, and they still won't add an export option.)

https://kitsumed.github.io/blog/posts/extracting-totp-tokens-from-microsoft-authenticator/#:~:text=Microsoft%20recently%20posted%20a%20really%20small%20hidden%20update%20on%20their%20support%20site%20that%20says%20%3A

@agentKD637


Hi, I have a question. When my college account asks for verification, the login window on my PC shows a number and a notification appears on my phone to pick the same number. The thing is that importing the keys to Aegis gives me six-digit codes, but the auth portal is the one giving me a number to approve inside the Microsoft Authenticator app. How can I change this behavior? Thank you.
