This is a quick hack to the Chrome Authy extension (version 2.5.0_1, extension ID gaedmjdfmmahhbjefcbgaolhhanlaolb, https://chrome.google.com/webstore/detail/authy/gaedmjdfmmahhbjefcbgaolhhanlaolb?hl=en) that will let you copy out your TOTP secret seeds. It is based on an existing blog post at https://www.pommepause.com/2014/10/how-to-extract-your-totp-secrets-from-authy/
Note that the secret seed is the "secret" that is used to generate the TOTP rolling code, so make sure you store it somewhere safe that is also encrypted, as anyone with this secret can generate TOTP tokens for the account it belongs to. I would suggest a separate KeePass database stored on a USB drive (encrypted with BitLocker or VeraCrypt) that you keep either on your keyring or in a safe.
Find where Chrome stores extensions for your OS:
Windows: C:\Users\<Your_User_Name>\AppData\Local\Google\Chrome\User Data\Default\Extensions
Linux: ~/.config/google-chrome/Default/Extensions/
OS X: ~/Library/Application\ Support/Google/Chrome/Default/Extensions
The Authy extension will be in the gaedmjdfmmahhbjefcbgaolhhanlaolb directory, and the "app.js" file we want to modify is under that, in the version number/js/ directory (2.5.0_1 as of 2018-01-24).
MAKE SURE YOU TAKE A BACKUP of app.js, in case something goes wrong or you want to restore the default app behaviour.
Open app.js in your favourite JavaScript IDE and beautify the code. (In Visual Studio Code, this is Alt-Shift-F.)
Find the lines:
}, d.prototype.getOtp = function () {
return this.isEncrypted() ? "------" : this.otpGenerator.getOtp(this.decryptedSeed, this.digits)
and paste in the following lines below the above:
}, d.prototype.getSharedSecret = function() {
return this.isEncrypted() ? "?" : this.decryptedSeed
This will get the shared secret from an account.
Find the lines:
}), f(".copy").click(function (t) {
var n, r, o;
return n = f(this), o = function () {
return n.text("Copy")
}, r = n.parent().find(".tokenCodeString")[0], e.onCopyClicked(r), n.text("Copied"), setTimeout(o, 1e3)
and paste in the following lines below the above:
}), f(".copysecret").click(function (t) {
var n, r, o;
return n = f(this), o = function () {
return n.text("Copy Secret")
}, r = n.parent().find(".sharedSecret")[0], e.onCopyClicked(r), n.text("Copied secret"), setTimeout(o, 1e3)
Here we're adding a function to copy the secret to the clipboard when you click the "copy secret" button.
Next find:
}, TokensView.prototype.updateTokens = function (t) {
var e, r, o, i, s, a;
for (s = [], o = 0, i = t.length; o < i; o++) a = t[o], r = f(a), e = n.get().find(r.attr("data-token-id")), r.find(".tokenCode").html(e.formatToken()(e.getOtp())), s.push(r.find(".tokenCodeString").html(e.getOtp()));
and add:
for (s = [], o = 0, i = t.length; o < i; o++) a = t[o], r = f(a), e = n.get().find(r.attr("data-token-id")), r.find(".sharedSecret").html(e.formatToken()(e.getSharedSecret())), s.push(r.find(".sharedSecret").html(e.getSharedSecret()));
right underneath the for loop, but before "return s"
This finds the shared secret and displays it.
Lastly is the messy HTML bit: (Turn on word wrap for this)
Find "t.exports = '<div class="tokens-screen">\n\n {{> navbar}}\n\n {{> tokens_navbar}}\n\n <div id="tokens-view" class="container">\n {{#apps}}\n {{! This will be rendered if the app is decrypted}}\n"
Find "<span class="tokenCodeString">{{ getOtp }}</span>\n" and immediately after this paste in: "<br><span class="sharedSecret">{{ getSharedSecret }}</span>\n"
Then find the line that has "<button class="button-copy copy">Copy</button>\n" and add immediately after the \n but before the "</div>" the following:
"<button class="button-copy copysecret">Copy secret</button>\n"
This adds the "Copy secret" button, which will copy the secret to the clipboard when clicked.
Finally, save this, close the Authy extension window and reopen it.
A gist with the diff is available: https://gist.github.com/kyhwana/bdbbc35532d264143dcbe00e07b2c461