How to get a time-based one-time password secret from a QR code

Josh Sherman
2 min read
Productivity

More and more services are adopting a “can’t scan the QR code” option that reveals the secret token. Some even go as far as offering up the secret token along side of the QR code. Others present you with the QR code and nothing more.

Fortunately, those services seem to be in the minority.

The need for the secret token arises when opting to use a software-based authenticator other than Google Authenticator (Authy, et al.). Modern password managers, such as BitWarden and 1Password allow you to enter the secret token into their software for ease of use with your web browser.

Before you comment, yes, storing your one-time password alongside your username and password create a single point of failure (SPOF). I’m not dismissing the need for a separate authenticator on your phone, especially to further secure your password manager.

All right, so let’s say you’ve run into a service that only gives you a QR code. One of the easiest ways I’ve found to extract the secret token is with this Chrome extension, QR Code (Generator and Reader).

Said extension gives you a new option in your right-click menu that allows you to quickly and easily scan a QR code in your browser and extract the URL. To get the URL for a QR code you have loaded on your screen:

  1. Right-click on the QR code
  2. Click QR Code (Generator and Reader)
  3. Click Scan QR Code

If everything went swimmingly, you’ll be presented with a dialog that contains a URL that looks something like this:

otpauth://totp/your%40email.com?issuer=SomeService&secret=YOURSECRETTOKEN

If you grab the YOURSECRETTOKEN part of the URL and load it into your software-based authenticator, you’re probably going to be good to go. Try entering in the generator code when prompted and see if it works.

I’ve found that sometimes there are other bits of information in the URL that you need as well. In those scenarios, you may be able to put the entire URL into your software-based authenticator and it will know what to do.

After discovering that, I always enter the entire URL in and haven’t had any issues configuring the multi-factor authentication.

Sadly, some websites are either blocking extensions or have things layered in such a way that you are unable to get the QR code reader’s option to show up. Rarer still, you’ll use the tool and it won’t be able to extract the URL from the QR code.

In those scenarios, I whip out my phone and scan the QR code. On Android it’s pretty easy to grab just the URL but on iOS, I found that I needed to grab a third-party scanner since Apple insisted on trying to open the URL instead of letting me view it.

It’s a bit more cumbersome of a workflow, but it gets the job done. Fortunately, once you get things setup you tend to be good to go for a very long while.

Join the Conversation

Good stuff? Want more?

Weekly emails about technology, development, and sometimes sauerkraut.

100% Fresh, Grade A Content, Never Spam.

About Josh

Husband. Father. Pug dad. Musician. Founder of Holiday API, Engineering Manager and Emoji Specialist at Mailshake, and author of the best damn Lorem Ipsum Library for PHP.

Currently Reading

Parasie Eve

Previous Reads

Buy Me a Coffee Become a Sponsor

Related Articles