Get The Multifactor Authentication Secret From A QR Code_

Support the Entertainment Community Fund.
🇺🇦 Resources to help support the people of Ukraine. 🇺🇦
May 15, 2023 @11:00

Quite some time ago I moved all my multifactor authentication tokens into my preferred password manager, zx2c4's pass. As a command line utility, it is extremely powerful but to manage one-time passwords you need to provide the URL for the secret, this is usually in the form of otpauth://totp/Label?secret=[BASE32 ENCODED SECRET] and is what is encoded in those fancy QR codes that most websites produce. Most websites will give you the secret directly if you ask, generally by pressing a button under the QR code but Etsy does not so I went to figure out a quick way to get the secret from the QR code.

I put together the following quick Python script that uses the qrtools library, which I installed on Debian using the python3-qrtools package. The script is super easy and it outputs the otpauth URL which I pasted into the pass entry for Etsy.

#!/usr/bin/env python3

import os
import sys
from qrtools import QR

def usage():
    print(f'usage: {os.path.basename(sys.argv[0])} qr_code_image_file')

if __name__ == '__main__':
    if len(sys.argv) != 2:

    fn = sys.argv[1]
    if not os.path.exists(sys.argv[1]):
        print(f'Cannot read {fn}')

    qr = QR(filename=fn)

There are a bunch of different options out there, but too many of them require you to send your secret to someone's server which totally defeats the purpose of MfA. Hopefully this will help you avoid that pitfall.

Comment via e-mail. Subscribe via RSS.