mattrubin / Authenticator

Two-Factor Authentication Client for iOS
https://mattrubin.me/authenticator

Would Authenticator backups on macOS work? #383

Open kikeenrique opened 2 years ago

kikeenrique commented 2 years ago

Hi,

I'm an Authenticator app user on macOS, and it works properly. But I've just migrated my computer via a Time Machine backup, and my Authenticator accounts are missing. Almost all my keychain items were migrated, except these items, as far as I've detected.

I'm wondering if anyone could tell me if what I'm trying to do is possible. I'm trying to manually migrate them, in order to avoid a new setup of all my 2FA accounts (which are enough to try to avoid it). I try to copy an item and then paste it into another new keychain that I would like to export, but on paste I'm asked for a password I don't know. I guess it's a kind of app password, am I right? Could I find it somewhere? Is it possible to migrate these keychain items?

I've already read the related issues, "Are 2FA secrets backed up with an encrypted Finder backup?" and "Keys are saved as part of iCloud backup", but I didn't get an answer from them.


beaucollins commented 2 years ago

If you want to see the contents of one of those items, you can use the security command line tool to see their contents. The tokens are encoded as otpauth:// URLs.

In Terminal.app:

security find-generic-password -s me.mattrubin.onetimepassword.token -g

If your keychain is locked you'll be prompted for your macOS account password. It will print out the first one it finds and the last line should say something like:

password: otpauth://REST_OF_URL

If you copy/paste that entire URL into Safari on your iPhone with Authenticator installed, it should try to import the code. Actually, Safari might prompt you to open Settings on your phone because the Keychain now has 2FA built in!

The query string of that URL (the contents after the ?) has all of the pieces you need to set up the token. Specifically, in the secret=SOME_VALUE portion, SOME_VALUE is the secret part that you can use in the "Secret Key" portion of the manual entry screen in Authenticator.

https://github.com/mattrubin/OneTimePassword/blob/bd2a8fa24057916e4e543ae323e34f75ae744db8/Sources/Token%2BURL.swift#L118-L144
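
Added example, not part of the original thread and not code from the Authenticator or OneTimePassword projects: a Python sketch that splits a recovered otpauth:// URL into the fields needed for manual entry and computes the RFC 6238 code, so the recovered secret can be checked against the code the service expects. The function names, the sample URL, and the defaults (SHA1, 6 digits, 30-second period, as in the common otpauth key URI convention) are assumptions.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlsplit, parse_qs, unquote

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def parse_otpauth(url):
    """Split an otpauth:// URL into the fields a manual-entry screen asks for."""
    parts = urlsplit(url.strip())
    kind = parts.netloc.lower()
    if parts.scheme != "otpauth" or kind not in ("totp", "hotp"):
        raise ValueError("not an otpauth://totp or otpauth://hotp URL")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in query:
        raise ValueError("URL has no secret= parameter")
    # The label is "issuer:account" or just "account", percent-encoded.
    issuer, _, account = unquote(parts.path.lstrip("/")).rpartition(":")
    algorithm = query.get("algorithm", "SHA1").upper()
    if algorithm not in HASHES:
        raise ValueError("unsupported algorithm: " + algorithm)
    return {
        "type": kind,
        "account": account.strip(),
        "issuer": query.get("issuer", issuer),
        "secret": query["secret"].replace(" ", "").rstrip("=").upper(),
        "algorithm": algorithm,
        "digits": int(query.get("digits", 6)),    # assumed default
        "period": int(query.get("period", 30)),   # assumed default
    }

def totp(token, at_time):
    """RFC 6238 code for a parsed token at a Unix time, to check the recovered secret."""
    if token["type"] != "totp":
        raise ValueError("counter-based (hotp) tokens have no time-based code")
    secret = token["secret"]
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))  # restore Base32 padding
    counter = struct.pack(">Q", int(at_time) // token["period"])
    digest = hmac.new(key, counter, HASHES[token["algorithm"]]).digest()
    offset = digest[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** token["digits"]).zfill(token["digits"])

# Constructed sample URL: the secret is the RFC 6238 test key, not a real account.
SAMPLE = ("otpauth://totp/Example:alice%40example.com"
          "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")

if __name__ == "__main__":
    token = parse_otpauth(SAMPLE)
    print(token["issuer"], token["account"], token["secret"])
    print(totp(token, 59))
```
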

kikeenrique commented 2 years ago

Thanks a lot for your support! Unfortunately the command does not work, it finds nothing 🤔.

 ~  security find-generic-password -s me.mattrubin.onetimepassword.token -g
security: SecKeychainSearchCopyNext: The specified item could not be found in the keychain.

I've also tried using the -a param with the account ID I can see in the Keychain app, but it doesn't work either. I've even tried adding each keychain name at the end just in case, using the security list-keychains items.

kikeenrique commented 2 years ago

Does anyone know why the command does not work for me?

kikeenrique commented 2 years ago

@beaucollins Could you confirm that it worked for you?