Degoogling TOTP Authenticator Codes – Imran Nazar

Back to Articles

1st Sep 2025

In the ongoing effort to extricate myself from Google’s services, I’ve been paring down my usage of their apps on my (admittedly Android) phone. I’m now down to two Google apps I use regularly: Maps (for traffic data) and Authenticator (for TOTP^[A]Time-based One Time Password codes).

Now, I spend most of my time in a terminal window on MacOS or connected to a Linux machine; it’d be nice if I could get TOTPs on the command-line, and it turns out there’s a utility called oathtool that allows for TOTP generation on the CLI. However, that would mean switching my OTP provider, which usually involves:

• Logging into each service that has an OTP registered in the app;
• Disabling two-factor authentication (2FA);
• Re-enabling 2FA and using the “manual entry” code as input to oathtool;
• Doing it all again for the next website or service.

Fortunately, Google’s Authenticator provides a way to migrate codes between instances of the app based on scanning QR codes, and we can use this to migrate them away from Google into a TOTP handler of our choosing. It’s another four-step process:

• Generating a QR code in Google Authenticator for the codes you want to export;
• Decoding the QR somewhere off-device, into a URL;
• Decoding the URL into its constituent services and secret values;
• Setting up oathtool to use the secrets.

Note that the below steps are presented just as I went through them, you may be able to find efficiencies or you may run into troubles that I didn’t (especially if you’re trying this exclusively on Windows); “your mileage may vary” is apt here.

Going from Authenticator to a migration URL

The first step is getting the code out of Authenticator, through the Transfer Codes menu option in the app. Picking the services you’d like to extract leads you to a code like this:

You may have an app on your phone that decodes QRs, but I don’t; instead, I transferred the file to my MacOS machine over Tailscale, and used a command-line tool called qrtool to get the QR content:

Decoding the migration QR

$ brew install qrtool
$ qrtool decode Screenshot_20250901_062719_Authenticator.jpg
otpauth-migration://offline?data=CjwKC2kqSJnNaAyKkw6jEhJUaGUgUmlja3JvbGwgU3RvcmUgASgBMAJCEzg4Yzg5ZTE3NTY3MDQzOTE0MzkQAhgBIAA%3D

Decoding the URL into secrets

So we have our migration URL, with a Base64-encoded data block. Unfortunately, if we were to simply decode the data, we’d end up with some binary gibberish:

Trying to decode the URL directly

$ php -r 'var_dump(base64_decode("CjwKC2kqSJnNaAyKkw6jEhJUaGUgUmlja3JvbGwgU3RvcmUgASgBMAJCEzg4Yzg5ZTE3NTY3MDQzOTE0MzkQAhgBIAA%3D"));'
string(69) "

It turns out that this is a Protobuf-encoded data string, and we need to use Google’s Protobuf library to get the data out. It turns out Tim Brooks has already done this with a short piece of Python at: https://github.com/brookst/otpauth_migrate

I decided to install this on a Linux machine I tend to be connected to (entirely unrelated to my Python installation being broken on Mac…):

Extracting the data via otpauth_migrate

$ git clone https://github.com/brookst/otpauth_migrate
$ cd otpauth_migrate
$ ./otpauth_migrate.py otpauth-migration://offline?data=CjwKC2kqSJnNaAyKkw6jEhJUaGUgUmlja3JvbGwgU3RvcmUgASgBMAJCEzg4Yzg5ZTE3NTY3MDQzOTE0MzkQAhgBIAA%3D
secret: "i*H\231\315h\014\212\223\016\243"
name: "The Rickroll Store"
algorithm: ALGORITHM_SHA1
digits: DIGIT_COUNT_SIX
type: OTP_TYPE_TOTP

Secret code = NEVERGONNAGIVEYOUM======

This tool is intelligent enough to extract any number of names and secrets from a migration URL, so you can export all your codes from Authenticator into one giant QR without needing to do each separately.

Using oathtool to generate OTPs

The final step is to use this secret code with oathtool, which takes the secret directly as a parameter. If you instead want to refer to the service by name, Michael Bushey^[1]“CLI 2-Factor Authentication”, Michael Bushey, 2023 has a quick wrapper script which extracts the secrets from a locally-stored file:

Wrapper script to generate OTPs: /usr/local/bin/otp

#!/bin/bash
OTPKEY="$(sed -n "s/${1}=//p" ~/.otpkeys)"
if [ -z "$OTPKEY" ]; then
   echo "$(basename $0): Bad Service Name '$1'"
   exit
fi
date
oathtool --totp -b "$OTPKEY"

OTP key store: ~/.otpkeys

rickroll=NEVERGONNAGIVEYOUM======

With this in place, you won’t need to use your Authenticator app again. The tool outputs the current date and time, so you can double-check that your code won’t expire (at :00 seconds) before you get a chance to type it in:

$ otp rickroll
Mon Sep  1 07:10:42 AM UTC 2025
200213

Future expansion

There’s a security issue here, of course, which is the exposed secret key sitting in a file on-disk. I’m happy to sit with that and not require a password to generate OTPs every time, but if you’re interested in adapting the wrapper script to use symmetric encryption to secure the keys, Vivek Gite^[2]“Use oathtool Linux command line for 2 step verification (2FA)”, Vivek Gite, updated Feb 2025 has a set of scripts which employ gpg for the job.

Now I just need to find a way to get traffic data into a maps App that doesn’t involve Google’s servers… Thoughts welcome.

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!