QR codes are often supplied as a simple way to deliver all the data required to generate OTP codes (either using an authentication app, or for programming onto a programmable token).

Normally the app is populated with seed data using the "Scan" feature. If you are unable to scan the QR code, the following manual method may be used as an alternative.

Extracting seed data from a QR Code using a PC

QR codes are just text messages presented in a computer-friendly graphical form, and we can use a Google search feature to convert one back into its original text form.

The following procedure can be used to convert a QR code to its original text version using a web browser and an existing feature of the Google search tool:

  • First open up the Google search engine in your web browser, then click on the image search icon (indicated below);

    You will then be presented with an area where the QR code can be pasted into; 

    For the purposes of this test we will copy the following QR code into the drag/drop area;

    Once the QR code has been pasted into this area the QR code section will be identified, and the text equivalent of the QR code will be displayed directly below it; 

The QR code used in this example includes seed data that would normally be added to an authentication app and looks like the following;

"otpauth://totp/MyLabel?secret=vqwsgdylmzqxfjwq&issuer=Microsoft".

Once you have obtained the seed data from the QR code, you can use the "Edit" button on the app and manually paste in the seed data.


This example is for a very basic TOTP QR code, but all valid TOTP QR codes start with "otpauth://totp/" and contain the base32-encoded seed data after the prefix "secret=" (highlighted in red above).

More complex versions of this QR code may include additional parameters (examples below);

&issuer      The name of the issuer of the token (in this example "Microsoft")

&algorithm   Usually this is not stated (and "SHA1" is assumed), but other algorithms may be specified (the alternatives are "SHA256" and "SHA512")

&period      Usually this is not stated (and "30" seconds is assumed), but alternatives to the default may be specified (e.g. "60")

&digits      If not specified the default here is 6 digits, but OTP codes with more digits are sometimes used.


If you intend to burn any programmable tokens with this extracted data, you need to ensure, prior to burning the token, that the seed, algorithm and time window settings match those extracted from the QR code.

Identifying other types of QR code

A common reason why QR codes cannot be imported into an authentication app (or burned onto a programmable token) is that the QR code is not of the correct type. 

Normally, if the decoded text starts with "otpauth://totp/" and includes a parameter that starts with "secret=", then the QR code will be suitable for scanning into an authentication app (or burning onto a programmable token).

If you find that the SafeID programmable token burning app is failing to scan the QR code that you present to it, then it is possible the QR code may be one of these alternative types;

  • HOTP TOKENS

    URL = "otpauth://hotp/MyLabel?secret=vqwsgdylmzqxfjwq&issuer=Microsoft&counter=0"

    This type of QR code is not for a time-based token (TOTP), but for an event-based token (HOTP). Event-based tokens work in a similar way to time-based tokens, but replace the time component with a sequential counter (hence the inclusion of the parameter at the end of the URL, "&counter=0").

  • MICROSOFT AUTHENTICATOR APP QR CODES

    URL = "phonefactor://activate_account?code=593235058&url=https%3A%2F%2Fcys01pfpad02.phonefactor.net%2Fpad%2F944472174"

    This type of QR code does not contain seed data, so you will not be able to use it to add a token to any app (other than Microsoft Authenticator).

  • MOBILEID AUTHENTICATOR TOKENS

    URL = "mobileid://www.deepnetsecurity.com/mobileid/install?sn=110000111&seed=ZMFTbGEgPdAUCuQXj6to3yqj&suite=OCRA-1:HOTP-SHA1-6:QN08-T1M&v=1&tn=Jeff%20Birks&ac=64849787"

    QR codes designed to add tokens to the MobileID authenticator app will all start with "mobileid://" and are designed to be used exclusively with this app.

  • DEEPNET AUTHENTICATOR QR CODE

    QR Code converts to this text message:

    "{"sessionId":"342fed9516b242fcbeffe436ecaa0212","baseUrl":"'https://dualshield6.deepnetsecurity.com'"}"

    This QR code is not a token, but is used during the new device registration process of the Deepnet authenticator app.
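The type check and parameter defaults described above can be scripted once the QR text has been obtained. The following Python is an added example, not part of the original article or of any Deepnet tool; `classify` and `parse_totp` are hypothetical helper names, and recognising the Deepnet registration message by its "sessionId" key is an assumption based on the single sample shown above.

```python
import base64
from urllib.parse import urlsplit, parse_qs, unquote

# Prefixes listed in the article, mapped to the kind of QR code they identify.
PREFIXES = [("otpauth://totp/", "totp"), ("otpauth://hotp/", "hotp"),
            ("phonefactor://", "microsoft-authenticator"),
            ("mobileid://", "mobileid")]
ALGORITHMS = {"SHA1", "SHA256", "SHA512"}

def classify(text):
    """Return the kind of QR text, or 'unknown'."""
    t = text.strip().strip('"')
    for prefix, kind in PREFIXES:
        if t.startswith(prefix):
            return kind
    # Assumption: the registration message is JSON carrying a sessionId key.
    if t.startswith("{") and "sessionId" in t:
        return "deepnet-registration"
    return "unknown"

def parse_totp(text):
    """Extract the settings needed to program a token from a TOTP URI."""
    t = text.strip().strip('"')
    kind = classify(t)
    if kind != "totp":
        raise ValueError("not a TOTP QR code (detected: %s)" % kind)
    parts = urlsplit(t)
    params = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("no secret= parameter")
    secret = params["secret"].replace(" ", "").upper()
    # Base32 input must be padded to a multiple of 8 characters;
    # b32decode raises binascii.Error (a ValueError) on invalid characters.
    seed = base64.b32decode(secret + "=" * (-len(secret) % 8))
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in ALGORITHMS:
        raise ValueError("unsupported algorithm: " + algorithm)
    return {"label": unquote(parts.path.lstrip("/")),
            "issuer": params.get("issuer"),
            "secret": secret, "seed_bytes": len(seed),
            "algorithm": algorithm,
            "period": int(params.get("period", "30")),
            "digits": int(params.get("digits", "6"))}

if __name__ == "__main__":
    # URI taken from the article's example QR code.
    print(parse_totp("otpauth://totp/MyLabel?secret=vqwsgdylmzqxfjwq&issuer=Microsoft"))
```

The returned algorithm, period and digits values are the ones to compare against the programmable token's settings before burning.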

