Two Factor Authentication from Dumped Sqlite Databases

Some of you may be using Google’s “Authenticator” app for Android in order to achieve a higher security level for your Google account.

(If you are not yet using it, I recommend setting it up; you can find the details here.)

In this post, I’m going to present my Python implementation of the authentication algorithm.

I used to have my web browser set up to always launch in incognito mode (not saving cookies, etc.), and as such, Google regularly prompted me for the two-factor authentication token. I did not want to switch to my phone every time, so I decided to reimplement the Google Authenticator as a Python script on Windows.

The general algorithm is well known and documented in RFC 6238. There is even a pseudocode implementation available on Wikipedia, so my contribution is the Python implementation featuring simplified usability by reading from an SQLite database.
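As an added illustration (not the author's script that this post shares), here is a minimal RFC 6238 implementation that reads base32 secrets from an SQLite database and checks itself against the RFC's published SHA-1 test vectors. The `accounts` table, its `email` and `secret` columns, and the sample rows are constructed assumptions; note that the stored secret is all that is needed to compute valid codes.

```python
import base64
import hashlib
import hmac
import sqlite3
import struct
import time


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, now=None, step=30):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    # Secrets are commonly stored lowercase, spaced and without padding.
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    key = base64.b32decode(s)
    if now is None:
        now = time.time()
    return hotp(key, int(now) // step)


def codes_from_db(conn, now=None):
    """Return {account: code} for each row of the assumed accounts table."""
    rows = conn.execute("SELECT email, secret FROM accounts ORDER BY email")
    return {email: totp(secret, now) for email, secret in rows}


def make_sample_db():
    """Constructed in-memory database; schema and rows are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (email TEXT, secret TEXT)")
    # Both rows hold base32("12345678901234567890"), the RFC 6238 test key.
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [
        ("alice@example.test", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"),
        ("bob@example.test", "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"),
    ])
    return conn


if __name__ == "__main__":
    for account, code in codes_from_db(make_sample_db()).items():
        print(account, code)
```

Passing a fixed `now` makes the output reproducible, which is how the RFC vectors can be checked; without it the current system time is used, so clock drift beyond the 30-second step yields codes the server rejects.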

In order to use the script, you will have to get the “secret” keys from your Android phone to your computer. This is easily possible if you already have root access to your Android phone. In this case, you can use the Android Debug Bridge (adb) to pull the database from /data/data/. An excellent tutorial on how to acquire the database can be found here.

In the end, for other reasons, I decided to switch out of Chrome’s incognito mode, so I don’t use the authentication script as often as I used to. But I decided to share it anyway: