After installing ALLthenticator, I needed a way to import my Google Authenticator OTP codes because I wan't going to go to 50 websites and register a new authenticator. I found a Gist by Alexander Hoem Rosbach that decoded the QR codes and printed them to the terminal. I slightly modified this code to convert the data to otpauth:// URLs so I could turn them into QR codes to import into ALLthenticator.

[!IMPORTANT] The below sections are mostly from Alexander's Gist, but have been slightly modified for clarification. The "I", they speak of is Alexander, not me.

I recently got myself a Yubikey and wanted to set up the Yubico Authenticator with all the OTPs I had in Google Authenticator. Unfortunately Yubico Authenticator doesn't support scanning the QR-code that the Google Authenticator generates when you export the OTP-keys, and it seemed like quite the daunting task to log in to every service to generate new OTP-keys. So I decided to have a look at the contents of the QR code, to see if I could import the keys into Yubico Authenticator in one go. Luckily I found a blog post by Alex Bakker that describes the data format.

Unfortunately, but likely for the best, the security policy of Google Authenticator won't allow you to take a screenshot of the generated export-all QR-code. Since my phone is also the only device I own with a decent camera, I had to resign to snap a picture of QR-code on the phone screen using the built-in webcam of my laptop. If you also use a low quality camera you might run into the same issue that I did, namely that the picture will have too much noice for QR-code readers to interpret the QR-code. The easiest way around it was split the export into multiple QR-codes, which for me meant two codes instead of twenty. I used the Linux desktop app Kamoso to snap the pictures.

To extract the OTP-keys from the Google Authenticator QR-code is a four-step procedure:

1. Extract data-URL from the QR-code
2. Base64 Decode the query parameter data
3. Decode the protobuf message
4. For each OTP-key; base32 encode the secret field

• nodejs
• zbar-tools (you will need to install this via your package manager)

The zbar-tools package includes a tool to extract URLs from QR-codes. I did try to use jimp and qrcode-reader in the javascript, but it didn't work straight out the box so I didn't bother spending more time to get it to work.

1. Clone this Git repository
2. Make otp-codes.sh and gen-qr-codes.sh executable: chmod +x *.sh
3. Extract codes ./otp-codes.sh <path to qr-code image 1> <path to qr-code image 2> <path to qr-code image 3> ... > urls.txt
4. Encode all the images to QR codes ./gen-qr-codes.sh
5. Import each code, one by one, using ALLthenticator's user interface
6. DELETE urls.txt and each generated qr code file. These files contain your secrets and MUST NOT be kept.