DEV.co
Open-Source Security · scito

extract_otp_secrets

Extract_otp_secrets is a Python tool that extracts OTP (one-time password) secrets from QR codes exported by 2FA apps like Google Authenticator. It supports multiple input methods (camera, image files, text files) and exports to JSON, CSV, or console QR codes. The tool is available as a Python script, Docker container, or standalone executable.

Source: GitHub — github.com/scito/extract_otp_secrets
1.6k
GitHub stars
157
Forks
Python
Primary language
GPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryscito/extract_otp_secrets
Ownerscito
Primary languagePython
LicenseGPL-3.0 — OSI-approved
Stars1.6k
Forks157
Open issues10
Latest releasev2.13.0 (2026-03-08)
Last updated2026-06-22
Sourcehttps://github.com/scito/extract_otp_secrets

What extract_otp_secrets is

GPL-3.0 Python application using protobuf for OTP protocol parsing and QR code libraries for decoding/encoding. Supports Python 3.10–3.14, runs on Linux/macOS/Windows, and includes 83% test coverage. Decodes otpauth:// URIs from QR data and handles TOTP/HOTP secret extraction and re-export.

Quickstart

Get the extract_otp_secrets source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/scito/extract_otp_secrets.gitcd extract_otp_secrets# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

2FA Secret Migration & Backup

Extract OTP secrets when migrating between authenticator apps or creating encrypted backups of 2FA credentials stored in JSON/CSV format for disaster recovery.

Batch Onboarding & Account Setup

Extract secrets from multiple QR codes at once and import into password managers (e.g., KeePass) or bulk-configure 2FA across many accounts in corporate environments.

Forensic Analysis & Compliance Audits

Extract and audit OTP configurations from exported QR codes for security reviews, compliance verification, or incident response documentation.

Implementation considerations

  • GPL-3.0 license requires source disclosure if distributed as part of a proprietary application; consider compliance implications before integration.
  • Extracted secrets are stored in plaintext (JSON/CSV) on-disk; implement filesystem encryption and access controls for sensitive environments.
  • Camera capture requires system permissions and may not work in headless or restricted environments; text/image file input is more reliable in such contexts.
  • Python 3.10+ is required; older environments may need prior version pinning or alternative tooling.
  • Executable startup has ~30–60 second delay (PyInstaller unpacking); consider pre-staging or direct Python script execution for performance-critical workflows.

When to avoid it — and what to weigh

  • Real-time 2FA Code Generation — This tool only extracts secrets; it does not generate time-based codes. Use a dedicated authenticator app (Google Authenticator, Authy) for generating TOTP codes.
  • GUI-only or Non-Technical Users — While executables are provided, setup on macOS requires terminal commands and manual quarantine removal. Less accessible for users without CLI familiarity.
  • High-Volume Production Secret Management — Not designed as an identity management or provisioning platform. For enterprise-scale TOTP/HOTP deployment, use dedicated identity platforms (Okta, Auth0).
  • Proprietary 2FA Format Support — Handles only standard otpauth:// URIs and Google Authenticator exports. Closed-source or non-standard 2FA apps may not be compatible.

License & commercial use

Licensed under GPL-3.0 (GNU General Public License v3.0). This is a copyleft license requiring any derivative work or integrated distribution to also be GPL-3.0 and provide source code. Purely standalone use or internal-only deployment has no restriction.

GPL-3.0 permits commercial use, but with copyleft obligations: if you modify and distribute the tool (or software incorporating it), you must release modifications under GPL-3.0 and provide source code. Standalone use (e.g., extracting secrets for your own 2FA management) requires no compliance action. Requires legal review if embedding or modifying for commercial products.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationStrong
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Tool handles plaintext OTP secrets; output files (JSON/CSV) contain unencrypted keys and must be protected by filesystem permissions and encryption at rest. No built-in encryption of exported secrets. Camera capture and QR decoding are handled by upstream libraries (security posture of those libraries not evaluated here). Input validation for QR data uses protobuf parsing; malformed input could cause parsing errors (require manual review of input sanitization). Executable distribution via PyInstaller has known false-positive antivirus alerts; consider code review or direct Python script use if security scanning is required.

Alternatives to consider

Authy (Twilio) Export

Authy provides native encrypted backup and export of secrets; no third-party extraction needed if migrating within Twilio ecosystem.

Password Manager Native Support (Bitwarden, 1Password, KeePass plugins)

Many password managers have built-in TOTP entry or plugins; reduces need for separate extraction tool if secrets are already in-manager.

Identity Platforms (Okta, Auth0, Microsoft Entra ID)

For enterprise 2FA provisioning and audit, use dedicated IDaaS platforms with native TOTP/HOTP support and compliance reporting.

Software development agency

Build on extract_otp_secrets with DEV.co software developers

Our team can assist with GPL compliance review, secure secret management workflows, and enterprise 2FA deployment strategies. Contact us for a consultation.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

extract_otp_secrets FAQ

Can I use this tool to recover lost 2FA codes?
Only if you have access to the exported QR codes or generated backup files from your authenticator app. This tool cannot recover secrets from the app itself or circumvent 2FA.
Is the extracted JSON/CSV secure?
No—output files contain plaintext secrets. You must encrypt them at rest and restrict file permissions. Do not commit to version control or share unencrypted.
Does this work with Microsoft Authenticator or Authy?
Unknown. The tool is designed for Google Authenticator and other apps exporting standard otpauth:// URIs. Proprietary export formats may not be supported; requires testing.
Can I use this in a commercial product?
Yes, but you must comply with GPL-3.0: if you distribute or modify the tool, release source code and apply GPL-3.0 to derivatives. Internal use has no restriction. Consult legal counsel for your specific use case.

Software developers & web developers for hire

Adopting extract_otp_secrets is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.

Need Help Integrating OTP Secret Extraction?

Our team can assist with GPL compliance review, secure secret management workflows, and enterprise 2FA deployment strategies. Contact us for a consultation.