How to get a time-based one-time password secret from a QR code

More and more services are adopting a “can’t scan the QR code” option that
reveals the secret token. Some even go as far as offering up the secret token
alongside the QR code. Others present you with the QR code and nothing more.

Fortunately, those services seem to be in the minority.

The need for the secret token arises when you opt to use a software-based
authenticator other than Google Authenticator (Authy, et al.). Modern password managers, such as Bitwarden and 1Password, allow you to enter the secret token into their software for ease of use with your web browser.

Before you comment, yes, storing your one-time password alongside your username and password creates a single point of failure (SPOF). I’m not dismissing the need for a separate authenticator on your phone, especially to further secure your password manager.

All right, so let’s say you’ve run into a service that only gives you a QR code.
One of the easiest ways I’ve found to extract the secret token is with this
Chrome extension, QR Code (Generator and Reader).

Said extension gives you a new option in your right-click menu that allows you
to quickly and easily scan a QR code in your browser and extract the URL. To get the URL for a QR code you have loaded on your screen:

  1. Right-click on the QR code
  2. Click QR Code (Generator and Reader)
  3. Click Scan QR Code

If everything went swimmingly, you’ll be presented with a dialog that contains a
URL that looks something like this:

otpauth://totp/your%40email.com?issuer=SomeService&secret=YOURSECRETTOKEN

If you grab the YOURSECRETTOKEN part of the URL (the base32-encoded shared key)
and load it into your software-based authenticator, you’re probably going to be
good to go. Try entering the generated code when prompted and see if it works.
Bear in mind that whatever decodes the QR code, extension or phone app, sees the
secret in the clear, so use something you trust and don’t leave the URL sitting
in your clipboard or a screenshot.

I’ve found that sometimes there are other bits of information in the URL that
you need as well. In those scenarios, you may be able to put the entire URL into
your software-based authenticator and it will know what to do.

After discovering that, I always enter the entire URL and haven’t had any
issues configuring the multi-factor authentication.
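To make concrete what an authenticator does with that URL, here is an added example (not part of the original post, and not code from the extension or any password manager): a standard-library Python script that parses an otpauth:// URI, applies the Key URI defaults (SHA1, 6 digits, 30-second step) whenever the algorithm, digits and period parameters are absent, and generates the code the way RFC 6238 specifies, so you can compare it against what the service accepts before you close the enrollment page. The sample URI is constructed; its secret is the RFC 6238 test key, not a real account secret.

```python
"""Parse an otpauth:// URI (as pulled from a QR code) and generate the
matching TOTP codes, so the extracted secret can be checked before trusting it.

Standard library only; implements RFC 4226 (HOTP) and RFC 6238 (TOTP).
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample, same shape as the URL the extension returns. The secret
# is the RFC 6238 test key "12345678901234567890" in base32, not a real one.
SAMPLE_URI = (
    "otpauth://totp/your%40email.com"
    "?issuer=SomeService&secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
)


def parse_otpauth(uri):
    """Return the fields an authenticator needs from an otpauth:// URI.

    The defaults (SHA1, 6 digits, 30 s) are what Google Authenticator assumes
    when the parameters are missing, which is why pasting the bare secret
    usually works and why it fails when a service overrides one of them.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    if parsed.netloc != "totp":
        raise ValueError("only totp is handled here, got %r" % parsed.netloc)
    params = parse_qs(parsed.query)
    if "secret" not in params:
        raise ValueError("URI carries no secret parameter")
    # Label is "account" or "issuer:account"; the issuer query param wins.
    label = unquote(parsed.path.lstrip("/"))
    label_issuer, _, account = label.rpartition(":")
    secret = params["secret"][0].replace(" ", "").upper()
    # Services often omit base32 padding; restore it so b32decode accepts it.
    secret += "=" * (-len(secret) % 8)
    return {
        "issuer": params.get("issuer", [label_issuer])[0],
        "account": account,
        "key": base64.b32decode(secret),
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter),
                      getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(fields, at=None):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    at = time.time() if at is None else at
    counter = int(at) // fields["period"]
    return hotp(fields["key"], counter, fields["digits"], fields["algorithm"])


def check_code(uri, candidate, at=None, drift=1):
    """True if candidate matches the current step or `drift` steps either side,
    the tolerance most servers apply for clock skew."""
    fields = parse_otpauth(uri)
    at = time.time() if at is None else at
    for step in range(-drift, drift + 1):
        expected = totp(fields, at + step * fields["period"])
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    f = parse_otpauth(SAMPLE_URI)
    print("issuer=%s account=%s alg=%s digits=%d period=%d"
          % (f["issuer"], f["account"], f["algorithm"], f["digits"], f["period"]))
    print("current code:", totp(f))
```

Run it and compare the printed code with what the service accepts. If the bare secret only works once you also pass along algorithm, digits or period, that is the “other bits of information” case, and the full URL is what to paste into the authenticator.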

Sadly, some websites are either blocking extensions or have things layered in
such a way that you are unable to get the QR code reader’s option to show up.
Rarer still, you’ll use the tool and it won’t be able to extract the URL from
the QR code.

In those scenarios, I whip out my phone and scan the QR code. On Android it’s
pretty easy to grab just the URL but on iOS, I found that I needed to grab a
third-party scanner since Apple insisted on trying to open the URL instead of
letting me view it.

It’s a bit more cumbersome of a workflow, but it gets the job done. Fortunately,
once you get things set up you tend to be good to go for a very long while.

Josh Sherman - The Man, The Myth, The Avatar
