More and more services are adopting a “can’t scan the QR code” option that reveals the secret token. Some even go as far as offering up the secret token alongside the QR code. Others present you with the QR code and nothing more.
Fortunately, those services seem to be in the minority.
The need for the secret token arises when opting to use a software-based authenticator other than Google Authenticator (Authy, et al.). Modern password managers, such as Bitwarden and 1Password, allow you to enter the secret token into their software for ease of use with your web browser.
Before you comment, yes, storing your one-time password alongside your username and password creates a single point of failure (SPOF). I’m not dismissing the need for a separate authenticator on your phone, especially to further secure your password manager.
All right, so let’s say you’ve run into a service that only gives you a QR code. One of the easiest ways I’ve found to extract the secret token is with this Chrome extension, QR Code (Generator and Reader).
Said extension gives you a new option in your right-click menu that allows you to quickly and easily scan a QR code in your browser and extract the URL. To get the URL for a QR code you have loaded on your screen:
- Right-click on the QR code
- QR Code (Generator and Reader)
- Scan QR Code
If everything went swimmingly, you’ll be presented with a dialog that contains a URL that looks something like this:
If you grab the YOURSECRETTOKEN part of the URL and load it into your software-based authenticator, you’re probably going to be good to go. Try entering the generated code when prompted and see if it works.
I’ve found that sometimes there are other bits of information in the URL that you need as well. In those scenarios, you may be able to put the entire URL into your software-based authenticator and it will know what to do.
After discovering that, I always enter the entire URL in and haven’t had any issues configuring the multi-factor authentication.
Sadly, some websites are either blocking extensions or have things layered in such a way that you are unable to get the QR code reader’s option to show up. Rarer still, you’ll use the tool and it won’t be able to extract the URL from the QR code.
In those scenarios, I whip out my phone and scan the QR code. On Android it’s pretty easy to grab just the URL but on iOS, I found that I needed to grab a third-party scanner since Apple insisted on trying to open the URL instead of letting me view it.
It’s a bit more cumbersome of a workflow, but it gets the job done. Fortunately, once you get things set up you tend to be good to go for a very long while.