freeotp / freeotp-android

Apache License 2.0
1.44k stars 303 forks

Backup and Restore Codes #20

Open npmccallum opened 8 years ago

npmccallum commented 8 years ago

Reported by stephenjudge on 8 Mar 2014 17:44 UTC

Many sites that offer two factor authentication offer a method to recover access to your account should you lose your authentication device; this is usually SMS authentication or a set of printable codes. However some sites and OTP implementations don't have such a feature, and if you lose your authentication device, you lose access to your account.

An example of this is if you add the Google Authenticator plugin to a self-hosted Wordpress blog. The plugin does not provide a secondary method of authentication. In their FAQ there is this question:

"Can I create backup codes?

No, but if you're using an Android smartphone you can replace the Google Authenticator app with Authenticator Plus. It's a really nice app that can import your existing settings, sync between devices and backup/restore using your sd-card. It's not a free app, but it's well worth the money."

This proprietary app, Authenticator Plus, does look very nice and has some nice features, but the most beneficial I think is its ability to backup and restore codes.

This could be a huge addition to FreeOTP and I would like to request that someone considers this feature and looks at a way of implementing it. I am not able to code myself.

ree4 commented 6 years ago

Been using FreeOTP for years .. when they added the feature to copy every, single OTP code to clipboard, I got a little nervous, but decided to stick with it. Then needed to backup my codes sometime after, the adb method worked fine at the time. Then I came to check and see if they'd implemented this feature yet, and of course they hadn't.

Well, so long FreeOTP .. the experience was .. mediocre, at best.

Spent this morning migrating to andOTP, they seem to have nailed all of the features that FreeOTP couldn't. Loving the ability to protect the app with a password/phrase or pin code, the backup and restore functionality, the OpenPGP integration, themes, the ability to use icons for each entry .. and really loving the fact that every, single, OTP code isn't being gratuitously copied to the clipboard for every app to be able to view.

hydrian commented 6 years ago

I've also migrated to andOTP. Their development team seems much more responsive to needs.

ffuentes commented 6 years ago

Same here, after doing a lot of reading in old issues I finally migrated to andOTP for the import / export capabilities.

npmccallum commented 6 years ago

I am about to push a new version of FreeOTP which migrates tokens to the Android KeyStore. This provides much stronger security guarantees. Once keys go in, they can't come out again. This makes backups difficult at best.

The bigger problem is that backups are useless for HOTP if the server doesn't provide synchronization. Servers need to provide 2FA account recovery and synchronization for OTP to work. Backups just paper over this issue on the client side. The servers need to be fixed. I am closing this request.

suoko commented 6 years ago

It would be nice to be able to export to freeotp+ at least

dsommers commented 6 years ago

The arguments that there is a "trust level" between the OTP token provider and the FreeOTP is utter bogus. Why? Screenshots. You can simply do a screenshot of the browser window before FreeOTP scans the code and you continue. This is a poor-mans backup. But a solution I've had to use many times due to some services NOT providing backup codes. And migrating between phones or even upgrading to LineageOS etc just gets painful.

So to avoid this poor-man's backup approach, I'm seeing myself in need to move away from FreeOTP to an approach which does allow me to export the token database. I would personally fancy a solution using Open Keychain.

I must simply accept FreeOTP rejects this feature. But it doesn't mean other OTP apps will do it.

npmccallum commented 6 years ago

I have decided to try to support this feature. I think I have a way to make it sane.

AdamWill commented 5 years ago

@npmccallum just to kick you one more time ;) There's even a good use case for this for a single device. My device is a OnePlus 5T. I don't run the stock firmware because I'm not a complete idiot. I run LineageOS. But the LineageOS 14.1 build I run was discontinued (so is insecure) and installing LineageOS 15.1 requires me to do a factory reset on the device. So in order to keep using my tokens on this single device I need a way to make them survive the factory reset.

dsommers commented 5 years ago

@AdamWill This is exactly why I've started the migration over to andOTP instead. Pity, but as long as that provides me with what I need, that's where I'm headed.

AdamWill commented 5 years ago

FWIW - and I am going to pin @npmccallum down next time I see him and make him promise not to fix this :P - backing up and restoring with Titanium Backup still works even with the most recent changes, it seems (I just did that when reflashing my phone with LOS 15.1, and it kept my tokens).

ghost commented 5 years ago

re If phone isn't rooted but the .apk was compiled as debug app, you can access tokens.xml via first adb shell run-as org.fedorahosted.freeotp, see example: https://github.com/xftroxgpx/freeotp-android/issues/1#issuecomment-452037667

This is an issue but I'm too lazy to recompile and unsure how to make it non-debug app, at the moment. Also don't remember how to list all debug apps in the phone.

cyrrill commented 5 years ago

Hi @npmccallum thanks for your work on FreeOTP.

It's been nearly a year since you re-opened the issue, though no update from you regarding progress. I understand this is an open source free project, and your time may be limited. However, I would appreciate a frank indication of if this feature will be implemented anytime in the near future?

Reason is I need to move my OTPs to a new device. If FreeOTP will not provide the backup option, I will opt for using another program which allows me to avoid the burdensome task of manually re-configuring the large number of accounts I would need to reset.

Thanks again! :+1:

tmikaeld commented 5 years ago

Been using FreeOTP for a few years now and work at an agency, I have hundreds of OTP codes and now I find that it's impossible to export them? (None of the adb methods work any more). It will literally take days to login and setup new codes. All wasted time!

I don't get the reasoning behind not providing backup, people change phones every 2-3 years due to manufacturers not providing updates any more - it's simply not secure to generate OTP's on non-updates phones, malicious apps can get root access and retrieve whatever they want (clipboard content, screen access, run apps in the background etc..). I'll be switching to andOTP.

nyovaya commented 5 years ago

Just tell me where the FreeOTP folder with the keys is - and I can copy them myself.

ghost commented 5 years ago

> Just tell me where the FreeOTP folder with the keys is - and I can copy them myself.

folder: /data/data/org.fedorahosted.freeotp/shared_prefs/ file: tokens.xml details

tmikaeld commented 5 years ago

@nifker You can only access that file if you have a rooted phone, I think that's something most people don't have.

ghost commented 5 years ago

remember that it works if the app was compiled as a debug app too, if phone isn't already rooted that is.

nyovaya commented 5 years ago

Uhm I cant even find the org.fedorahosted.freeotp folder in data

tmikaeld commented 5 years ago

@howaboutsynergy It isn't, when and why is an app compiled as a debug app?

ghost commented 5 years ago

> Uhm I cant even find the org.fedorahosted.freeotp folder in data

@nifker You have to be logged in as that specific user! (if you're not 'root' already)

this would work if freeotp was compiled as debug app(already): adb shell run-as org.fedorahosted.freeotp

> @howaboutsynergy It isn't, when and why is an app compiled as a debug app?

I think there's some option in Eclipse(or was it Idea? or just /opt/android-studio/bin/studio.sh), I don't remember exactly where/how.

tmikaeld commented 5 years ago

@howaboutsynergy adb shell run-as org.fedorahosted.freeotp doesn't work, so I guess it isn't then: run-as: package not debuggable: org.fedorahosted.freeotp

nyovaya commented 5 years ago

I guess I forgot to root it when I installed the custom ROM, I'll add the keys manually then.

ghost commented 5 years ago

> so I guess it isn't then. run-as: package not debuggable: org.fedorahosted.freeotp

yup, it isn't, so you can't access that folder, unless you're root(rooted phone? have never tried that)

tmikaeld commented 5 years ago

@howaboutsynergy I was unable to access it, permission denied. I also tried the adb backup method, doesn't work either - the .xml file is not in the backup binary.

tmikaeld commented 5 years ago

@nifker I hope you have fewer keys than I do, I've been at it for hours now and have only done a fraction of the total... :-/

ghost commented 5 years ago

maybe you could try recompiling freeotp as a debug apk, and reinstall over? then use that shell command

come to think of it, this may take even more time than manually doing the codes...

tmikaeld commented 5 years ago

@howaboutsynergy I'm not willing to gamble on that, would rather do it manually.

Thanks for the suggestion though!

chk1 commented 5 years ago

> maybe you could try recompiling freeotp as a debug apk, and reinstall over? then use that shell command

That won't work, the newer apk needs to be signed with the same key as the old one (signed by Redhat I suppose) or Android will not let you update the app while keeping data

tmikaeld commented 5 years ago

@chk1 I had a feeling this would be the case, glad I didn't gamble on that. Thanks for the clarification

ghost commented 5 years ago

> maybe you could try recompiling freeotp as a debug apk, and reinstall over? then use that shell command

> That won't work, the newer apk needs to be signed with the same key as the old one (signed by Redhat I suppose) or Android will not let you update the app while keeping data

I only tried installing apks via USB debugging on non-internet connected tablet, so I had no idea you need signatures like that. Also my particular freeotp installation seems to have been debug apk from the start (compiled by myself and most likely not signed by anything), so I wonder if I were to try installing-over a non-debug apk of the same freeotp, would it really not let me keep the data? (considering no signing is required for my particular thru-USB installation)

tmikaeld commented 5 years ago

@howaboutsynergy If you have the time to test it, it would be very good to know!

ghost commented 5 years ago

> maybe you could try recompiling freeotp as a debug apk, and reinstall over? then use that shell command

> That won't work, the newer apk needs to be signed with the same key as the old one (signed by Redhat I suppose) or Android will not let you update the app while keeping data

Now that I think about it, it kinda doesn't make sense, if the signing key expires and new apk update is signed with newer key, do you auto-lose all data? shouldn't be the case. I think it all depends on using the same id org.fedorahosted.freeotp. As long as that's the same, I think you keep the data. But if you first uninstall the app, you probably lose the data. Or if you clear cache(or what's called).

ghost commented 5 years ago

> @howaboutsynergy If you have the time to test it, it would be very good to know!

eh, why not, let's see :D (I am kinda curious xD)

UPDATE: I failed to compile the apk on first and second tries: https://gist.github.com/howaboutsynergy/f2282242c52207659bd38c90623e31a6 probably need to update everything, but using the exact things that worked before now no longer work (bit rot?)

nvm Also, I'd be curious to install that redhat-signed apk over my non-signed debug freetop apk, if anyone has a link or pointer to where to find it(official/trusted places only tho). Just to see if installing it over makes it lose the codes or not.

UPDATE2: gave up

ghost commented 5 years ago

tl;dr: adb push file.apk /storage/sdcard1 and run the apk from the android device to install it while keeping the data. Avoid adb install file.apk (it's useless, unless it's the first install I suppose). This works for, at least, a debug apk, which ./gradlew clean build creates in ./app/build/outputs/apk/debug/app-debug.apk

hey I allocated more time today and I finally did it, well sort of:

I couldn't install an (unsigned) release .apk due to weird -103 error that at least one user was getting too when tried to install signed(!) released apk. Ok, -103 is INSTALL_PARSE_FAILED_NO_CERTIFICATES (src) So I guess I can't install a release without proper certs/signature! Unsure if it works installing a debug one over a release one, but according to the presented dialog it would work for a release one on top of a debug one, at least.

I could install debug apk but only via adb push file.apk /storage/sdcard1 first, then click it inside the android device, it allows "upgrading" (as the dialog says) without losing your existing data!

But a debug .apk (or any apk really) would not install at all via adb install file.apk if it were already installed! So I temp-uninstalled it, which caused loss of all data (i.e. bye bye tokens.xml), and then installed the new .apk and everything was blank, so I had to restore tokens.xml via adb tricks (because I saved it previously, since I was already running an old freeotp debug apk). Also the user id for the new app was different!

Bottom line: the only way to keep the data(tokens.xml) is to make sure the new .apk is on the device before "clicking" it to install it. And I remember that's how I used to update it before, when it kept all my tokens. So, adb push file.apk /storage/sdcard1 to copy it to android device is good, but adb install file.apk is bad (and wouldn't allow overwrites anyway!)

(I'll update that gist(well ok, made comment instead) with the gory details, in a few moments)

PanderMusubi commented 5 years ago

Updated method to export keys on Ubuntu.

  1. Deinstall adb via sudo dpkg -P adb fastboot as long as https://bugs.launchpad.net/ubuntu/+source/android-platform-system-core/+bug/1828376 (please vote for this bug) hasn't been fixed. Then download platform-tools containing adb from https://developer.android.com/studio/releases/platform-tools. You can run adb from the top-level directory via ./adb. When the bug on launchpad has been fixed, install adb with sudo apt-get install adb.

  2. Probably, you will have to run adb as root. Backup according to https://thevaliantway.com/2018/08/freeotp-migration/ Note to set USB Preferences on device to File transfer before attempting to backup.

  3. Follow the instruction to create a zip file. The QR codes to import can be generated by https://rawgit.com/viljoviitanen/freeotp-export/master/export-xml.html Note to ignore the message gzip: stdin: unexpected end of file

  4. Consider using FreeOTP+ for importing and exporting, see https://f-droid.org/en/packages/org.liberty.android.freeotpplus/
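The file location given earlier in the thread (/data/data/org.fedorahosted.freeotp/shared_prefs/tokens.xml) and the export steps just above both end at the same point: a pulled tokens.xml that still has to be turned into something another app can import. The script below is an added example, not FreeOTP's own code and not the export-xml.html tool linked above. It assumes the pre-KeyStore tokens.xml layout: an Android SharedPreferences map with one JSON object per token, the key serialised as a list of signed Java bytes, and an optional tokenOrder list. The embedded file, its two accounts and their keys are constructed (the first key is the RFC 4226/6238 test key). It rebuilds the otpauth:// URI for each token and computes a code from the recovered secret, so you can check it against a real login before wiping the old phone.

```python
"""Added example (not FreeOTP code): rebuild otpauth:// URIs from a pulled
tokens.xml and compute a code per token to check the recovered secret.

Assumed file layout (pre-KeyStore FreeOTP, not verified here): an Android
SharedPreferences <map> whose <string> entries hold one JSON object per token,
with "secret" serialised as a list of signed Java bytes (-128..127) and an
optional "tokenOrder" JSON list. The sample below is constructed; the first
key is the RFC 4226/6238 test key "12345678901234567890".
"""
import base64
import hashlib
import hmac
import json
import struct
import time
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlencode

SAMPLE_TOKENS_XML = """\
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
  <string name="tokenOrder">[&quot;Example:alice@example.com&quot;,&quot;Example:bob&quot;]</string>
  <string name="Example:alice@example.com">{&quot;algo&quot;:&quot;SHA1&quot;,&quot;counter&quot;:0,&quot;digits&quot;:6,&quot;issuerExt&quot;:&quot;Example&quot;,&quot;label&quot;:&quot;alice@example.com&quot;,&quot;period&quot;:30,&quot;secret&quot;:[49,50,51,52,53,54,55,56,57,48,49,50,51,52,53,54,55,56,57,48],&quot;type&quot;:&quot;TOTP&quot;}</string>
  <string name="Example:bob">{&quot;algo&quot;:&quot;SHA1&quot;,&quot;counter&quot;:3,&quot;digits&quot;:6,&quot;issuerExt&quot;:&quot;Example&quot;,&quot;label&quot;:&quot;bob&quot;,&quot;period&quot;:30,&quot;secret&quot;:[-1,0,127,-128],&quot;type&quot;:&quot;HOTP&quot;}</string>
</map>
"""


def java_bytes_to_secret(values):
    """FreeOTP's JSON stores the key as signed Java bytes; mask back to 0..255."""
    return bytes(v & 0xFF for v in values)


def parse_tokens_xml(text):
    """Return tokens as dicts, in tokenOrder if present, else file order."""
    root = ET.fromstring(text.encode("utf-8"))
    entries = {e.get("name"): e.text or "" for e in root.iter("string")}
    order = json.loads(entries.pop("tokenOrder", "[]"))
    keys = order + [k for k in entries if k not in order]
    tokens = []
    for key in keys:
        raw = json.loads(entries[key])
        tokens.append({
            "type": raw["type"].lower(),          # "totp" or "hotp"
            "issuer": raw.get("issuerExt") or raw.get("issuerInt") or "",
            "label": raw["label"],
            "secret": java_bytes_to_secret(raw["secret"]),
            "algo": raw.get("algo", "SHA1"),
            "digits": raw.get("digits", 6),
            "period": raw.get("period", 30),
            "counter": raw.get("counter", 0),
        })
    return tokens


def base32_secret(secret):
    """otpauth secrets are unpadded base32."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def to_otpauth_uri(tok):
    name = f"{tok['issuer']}:{tok['label']}" if tok["issuer"] else tok["label"]
    params = {"secret": base32_secret(tok["secret"])}
    if tok["issuer"]:
        params["issuer"] = tok["issuer"]
    params["algorithm"] = tok["algo"]
    params["digits"] = tok["digits"]
    if tok["type"] == "totp":
        params["period"] = tok["period"]
    else:
        params["counter"] = tok["counter"]
    return f"otpauth://{tok['type']}/{quote(name)}?{urlencode(params)}"


def hotp(secret, counter, digits=6, algo="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo.lower()).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, period=30, digits=6, algo="SHA1"):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret, int(at) // period, digits, algo)


def current_code(tok, now=None):
    """The code the app would show; compare with a real login before trusting the export."""
    if tok["type"] == "totp":
        at = time.time() if now is None else now
        return totp(tok["secret"], at, tok["period"], tok["digits"], tok["algo"])
    return hotp(tok["secret"], tok["counter"], tok["digits"], tok["algo"])


def export_uris(xml_text):
    return [to_otpauth_uri(t) for t in parse_tokens_xml(xml_text)]


if __name__ == "__main__":
    for tok in parse_tokens_xml(SAMPLE_TOKENS_XML):
        print(to_otpauth_uri(tok), current_code(tok))
```

Feed the printed URIs to any QR encoder to re-enrol on the new device, and delete the pulled tokens.xml and the QR images afterwards: they are the raw seeds. Note the HOTP caveat from earlier in the thread still applies: the exported counter is whatever the old phone last used, and a server that has moved ahead will reject codes until it resynchronises.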

williamdes commented 5 years ago

@tmikaeld thanks for suggesting andOTP Switched to andOTP and when I see GPG exports I do not regret leaving freeOTP. And the auto copy into clipboard was so much of a pain!

Sorry dear freeOTP, I will not miss you, or maybe the icon only 😂

I do not want to say that the project is bad, it is not bad. It does not fit my needs anymore. I was thinking that some development would be done, but no.

hotToddy92 commented 4 years ago

> @tmikaeld thanks for suggesting andOTP Switched to andOTP and when I see GPG exports I do not regret leaving freeOTP. And the auto copy into clipboard was so much of a pain!
>
> Sorry dear freeOTP, I will not miss you, or maybe the icon only 😂
>
> I do not want to say that the project is bad, it is not bad. It does not fit my needs anymore. I was thinking that some development would be done, but no.

I know this is an old discussion, but I'm currently researching authenticator apps and in response to @williamdes, you should know andOTP was written by a guy with (by his own admission) barely any coding experience and he has no understanding of cryptography, https://www.reddit.com/r/androidapps/comments/b45zrj/dev_aegis_authenticator_secure_two_factor/

would you consider this a red flag in security? I'm new to all this. freeOTP may be rough around the edges, but it's developed by Red Hat, so I'm settling on that one as my choice

williamdes commented 4 years ago

> @tmikaeld thanks for suggesting andOTP Switched to andOTP and when I see GPG exports I do not regret leaving freeOTP. And the auto copy into clipboard was so much of a pain! Sorry dear freeOTP, I will not miss you, or maybe the icon only 😂 I do not want to say that the project is bad, it is not bad. It does not fit my needs anymore. I was thinking that some development would be done, but no.
>
> I know this is an old discussion, but I'm currently researching authenticator apps and in response to @williamdes, you should know andOTP was written by a guy with (by his own admission) barely any coding experience and he has no understanding of cryptography

Thank you for the update, I am quite happy with my OTP app, I hope some audits have been done and that it is not vulnerable.

They provide backup solutions, including the very sexy GPG backup that was enough to convince me the app was okay for my needs. I can now store backups on my phone (replicated of course), no password to memorize.

Glad to know there is some truth to be known behind the app ;)

flibblewibble commented 4 years ago

I recommend if you're on Linux to install zbar tools and you can screenshot the QR code and decode the image and extract the secret key that way as some sites do NOT present the text representation of the QR code for inputting into a backup tool

I also recommend you consider using KeepassXC on Linux to backup your TOTP also in case your device fails

If FreeOTP don't want to implement export and import, then it's already been forked to one that does

https://github.com/helloworld1/FreeOTPPlus

Your machine and devices should be encrypted at the block level already anyway, if not, you're doing it wrong anyway

jstasiak commented 4 years ago

> I recommend if you're on Linux to install zbar tools and you can screenshot the QR code and decode the image and extract the secret key that way as some sites do NOT present the text representation of the QR code for inputting into a backup tool
>
> I also recommend you consider using KeepassXC on Linux to backup your TOTP also in case your device fails

I'm not a security specialist but I feel I have a general idea about what security specialists consider good practices here. With that in mind I would quite strongly recommend against those suggestions unless one truly understands the security implications of storing TOTP secrets on the same machine as regular passwords (whether its for day to day use or just as a backup plan).

Using an application like andOTP and creating backups that are encrypted on the phone so that the computer never sees the plain text (except for initial setup when you scan the qr code from the screen) seems like a way to go. A relevant discussion on this topic: https://news.ycombinator.com/item?id=17593331

flibblewibble commented 4 years ago

> I recommend if you're on Linux to install zbar tools and you can screenshot the QR code and decode the image and extract the secret key that way as some sites do NOT present the text representation of the QR code for inputting into a backup tool I also recommend you consider using KeepassXC on Linux to backup your TOTP also in case your device fails

> I'm not a security specialist but I feel I have a general idea about what security specialists consider good practices here. With that in mind I would quite strongly recommend against those suggestions unless one truly understands the security implications of storing TOTP secrets on the same machine as regular passwords (whether its for day to day use or just as a backup plan).
>
> Using an application like andOTP and creating backups that are encrypted on the phone so that the computer never sees the plain text (except for initial setup when you scan the qr code from the screen) seems like a way to go. A relevant discussion on this topic: https://news.ycombinator.com/item?id=17593331

Best of luck with having no secure backup, 1) you use LUKS on Linux and 2) KeepassXC encrypts the database

Do as you wish, YOU ARE NOT MY PROBLEM

" I'm not a security specialist" STFU then

jstasiak commented 4 years ago

I believe creating encrypted andOTP backups and storing them wherever you want in however many copies you want solves your concerns.

novoid commented 4 years ago

> the security implications of storing TOTP secrets on the same machine as regular passwords (whether its for day to day use or just as a backup plan).

I encrypt the screenshots of the QR codes using GnuPG. As a practical tip: don't just download the QR-code as image. Some of them do not contain the strong contrast on the edge so that you can't read the QR code from screen without embedding it into a white background. Screenshotting the original page (including the surrounding area) and actually adding it to FreeOTP from that saved image file prevents this issue.

guifel commented 3 years ago

Google authenticator now supports export by simply showing the QR :eyes:

SuperSandro2000 commented 3 years ago

> Google authenticator now supports export by simply showing the QR 👀

Which does not scale well to 50 entries.

ncoghlan commented 3 years ago

@SuperSandro2000 The Google Authenticator export solution can handle 10 accounts at a time, as the imported QR code is one generated by the "Transfer Accounts" feature in the app after you select the accounts you want to export, it isn't a regular OTP device registration QR code (presumably the 10 account limit is based on what they can fit in a single QR code).

Some attractive features of that approach are:
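To make the ten-accounts-per-QR limit above concrete, here is an added example that builds and decodes a "Transfer accounts" style payload. It is not Google's code and there is no published specification for it; the layout it assumes is the commonly described one: an otpauth-migration://offline?data= URI carrying a base64 protobuf message whose field 1 is a repeated account record (1 secret bytes, 2 name, 3 issuer, 4 algorithm, 5 digits, 6 type, 7 counter), followed by 2 version, 3 batch_size, 4 batch_index and 5 batch_id, with enum values SHA1=1, six digits=1, HOTP=1 and TOTP=2. Those field numbers and values are assumptions. The twelve accounts and their keys are constructed. The encoder splits them ten per QR and the decoder reads each batch back, so batch_index and batch_size show how an importer reassembles a multi-QR transfer; a small varint reader stands in for a protobuf library.

```python
"""Added example (not Google's code; the field layout is an assumption): build and
decode otpauth-migration://offline?data=... payloads, ten accounts per QR."""
import base64
from urllib.parse import parse_qs, urlencode, urlparse

ALGO = {"SHA1": 1, "SHA256": 2, "SHA512": 3}   # assumed enum values
DIGITS = {6: 1, 8: 2}
OTP_TYPE = {"hotp": 1, "totp": 2}

# Constructed accounts; keys start with 0x00 0x7f 0x80 0xff to exercise non-ASCII key bytes.
SAMPLE_ACCOUNTS = [
    {"secret": bytes([0x00, 0x7F, 0x80, 0xFF]) + b"example-key-%02d" % i,
     "name": f"user{i}@example.com", "issuer": "Example", "algo": "SHA1", "digits": 6,
     "type": "hotp" if i == 11 else "totp", "counter": 5 if i == 11 else 0}
    for i in range(12)
]


def _varint(n):
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def _vi(num, value):   # wire type 0: varint
    return _varint(num << 3) + _varint(value)


def _ld(num, data):    # wire type 2: length-delimited
    return _varint(num << 3 | 2) + _varint(len(data)) + data


def _read_varint(buf, i):
    value = shift = 0
    while True:
        b = buf[i]
        i += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, i
        shift += 7


def _fields(buf):
    """Yield (field_number, value) for the two wire types the payload uses."""
    i = 0
    while i < len(buf):
        key, i = _read_varint(buf, i)
        num, wire = key >> 3, key & 7
        if wire == 0:
            value, i = _read_varint(buf, i)
        elif wire == 2:
            length, i = _read_varint(buf, i)
            value, i = bytes(buf[i:i + length]), i + length
        else:
            raise ValueError(f"unexpected wire type {wire} for field {num}")
        yield num, value


def _encode_account(acc):
    body = (_ld(1, acc["secret"]) + _ld(2, acc["name"].encode()) + _ld(3, acc["issuer"].encode())
            + _vi(4, ALGO[acc["algo"]]) + _vi(5, DIGITS[acc["digits"]]) + _vi(6, OTP_TYPE[acc["type"]]))
    if acc["type"] == "hotp":
        body += _vi(7, acc["counter"])
    return _ld(1, body)


def encode_migration_uris(accounts, per_qr=10, batch_id=0x1234):
    """One URI per QR; batch_size/batch_index let the importer reassemble the set."""
    batches = [accounts[i:i + per_qr] for i in range(0, len(accounts), per_qr)]
    uris = []
    for index, batch in enumerate(batches):
        payload = b"".join(_encode_account(a) for a in batch)
        payload += _vi(2, 1) + _vi(3, len(batches)) + _vi(4, index) + _vi(5, batch_id)
        uris.append("otpauth-migration://offline?" + urlencode({"data": base64.b64encode(payload).decode()}))
    return uris


def _decode_account(buf):
    by_id = lambda table: {v: k for k, v in table.items()}
    acc = {"secret": b"", "name": "", "issuer": "", "algo": "SHA1", "digits": 6, "type": "totp", "counter": 0}
    for num, value in _fields(buf):
        if num == 1:
            acc["secret"] = value
        elif num == 2:
            acc["name"] = value.decode()
        elif num == 3:
            acc["issuer"] = value.decode()
        elif num == 4:
            acc["algo"] = by_id(ALGO).get(value, "SHA1")
        elif num == 5:
            acc["digits"] = by_id(DIGITS).get(value, 6)
        elif num == 6:
            acc["type"] = by_id(OTP_TYPE).get(value, "totp")
        elif num == 7:
            acc["counter"] = value
    acc["secret_b32"] = base64.b32encode(acc["secret"]).decode().rstrip("=")  # otpauth form
    return acc


def decode_migration_uri(uri):
    """Return (batch metadata, accounts). parse_qs percent-decodes, so base64 '+' and '=' survive."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth-migration":
        raise ValueError("not an otpauth-migration URI")
    payload = base64.b64decode(parse_qs(parsed.query)["data"][0])
    meta = {"version": 0, "batch_size": 1, "batch_index": 0, "batch_id": 0}
    names = {2: "version", 3: "batch_size", 4: "batch_index", 5: "batch_id"}
    accounts = []
    for num, value in _fields(payload):
        if num == 1:
            accounts.append(_decode_account(value))
        elif num in names:
            meta[names[num]] = value
    return meta, accounts


if __name__ == "__main__":
    for uri in encode_migration_uris(SAMPLE_ACCOUNTS):
        meta, accounts = decode_migration_uri(uri)
        print(f"batch {meta['batch_index'] + 1}/{meta['batch_size']}: {[a['name'] for a in accounts]}")
```

The practical point for anyone migrating: a scanned transfer QR is a plaintext dump of every seed it contains, so treat a screenshot of it exactly like the tokens.xml file, and check batch_index against batch_size before assuming all accounts came across.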

ghost commented 3 years ago

Not a professional in cryptography here, but where is the problem with the method suggested in https://github.com/freeotp/freeotp-android/issues/20#issuecomment-255749734 ? When performing the backup, I am asked to enter a passphrase, which I do. When I restore (in this way I transferred the data to an old phone of mine) I have to enter the passphrase again. AFAIK the backup is encrypted with AES (though I do not know which type of AES). This seems reasonably secure to me. In what way is this insecure? I do understand, however, that the sheer possibility of transferring the backup to another phone can be considered insecure, as this would allow hackers with access to my phone to access the TOTP on another phone without me even noticing it. But using a TOTP as single login credential seems crazy to me, so they should always be used in combination with a passphrase (or similar). As a second factor. So how is this insecure?

shbitsus commented 2 years ago

Seems this works. Would appreciate any feedback. Installed FreeOTP on two phones: my current and my previous. When presented with QR Code for new 2FA setup, I simply scan the code with both phones.

bazichs commented 2 years ago

Hi, I hope someone can help me, even today in 2022, since I see that the app is old and isn't being developed anymore. My problem is the one people talked about here, I think. My friend had a token for her email address which she used for her school email. Her phone broke to the point that she can't even connect it to a PC or use it in any way. Now she can't enter anything related to her email since it asks for the code which the app FreeOTP generated... Does anyone know the solution to this problem, since it's really important to be fixed asap? Thanks!

yfdyh000 commented 2 years ago

> Hi, I hope someone can help me, even today in 2022, since I see that the app is old and isn't being developed anymore. My problem is the one people talked about here, I think. My friend had a token for her email address which she used for her school email. Her phone broke to the point that she can't even connect it to a PC or use it in any way. Now she can't enter anything related to her email since it asks for the code which the app FreeOTP generated... Does anyone know the solution to this problem, since it's really important to be fixed asap? Thanks!

Contact the email provider to reset access; use the recovery key of email account if available.