Guide to extract Authenticator Tokens (TOTP URI) from the Authy iOS App with MITMProxy.
This is an improved and fully automated, documented, improved, and easy to use version of the original repository created by AlexTech01.
In this fork, I've modified the original scripts to be more user-friendly, including documentation, virtual environment setup, requirements.txt, .env, .gitignore, and a Makefile for easy setup and usage. Not only that, for the files decrypt.py, I've improved the code quality, readability, and split big functions into smaller ones for better maintainability. Also, the original script.py was broken in the QR code generation, so I fixed it, splitting the script.py into two files: generate_uris.py for the URI generation and generate_qr_codes.py for the QR code generation. The original script to generate QR Codes was also more complex and used the pillow lib. I rewrote the code to be simpler and more efficient. There was also the addition of the main.py file, which is the main entry point of the script, and it will call all of the three scripts (authenticador_tokens.py, generate_uris.py, and generate_qr_codes.py) to make it easier to use. Not only that, but I've added the Proton Authenticator support, which a few people asked for. Lastly, I've updated this README file to include all of the new features and improvements made in this fork. With all that said, this is an improvement over the original project, which was already a great project, and it is now easier to use and more user-friendly, but obviously the original authors deserve all the credit, as I would not be able to do this without their work.
It took a lot of work to make this fork, so I hope you enjoy it and find it useful. If you have any questions or suggestions, feel free to open an issue or a pull request.
- Authy-iOS-MiTM.
This repository provides a guide and scripts to extract authenticator tokens from the Authy iOS App using MITMProxy (Man-in-the-Middle proxy). Authy is a popular two-factor authentication (2FA) app that provides an additional layer of security for your online accounts. However, it does not provide a built-in way to export or backup your tokens. Also, since the Authy Desktop App was discontinued, exporting tokens from the Authy Desktop App is no longer an option.
So, by using MITMProxy, it enables you to capture HTTPS traffic, extract encrypted tokens, and decrypt them to obtain authenticator seeds.
In a short way, you install MITMProxy, set manually the proxy on your iOS device to be the MITMProxy installed on your computer, so, when you log-out and log back in, as your computer is the proxy for your iOS device, it will capture the HTTPS traffic from the Authy app, which contains your authenticator tokens file (authenticator_tokens.json) in encrypted form. After that, you can decrypt the tokens using a Python script and your backup password, which will give you access to your authenticator Time-based One-Time Password (TOTP) Uniform Resource Identifier (URI) for many Authenticator apps, such as 2FA, Aegis, Google Authenticator, and Microsoft Authenticator. With those URIs, you can import your tokens into any of those apps, or scan the generated QR codes for them. Proton Authenticator is now supported, but it requires a special JSON format for import, which is automatically generated as proton_authenticator.json by the script. See below for details.
Note
You can also store the TOTP URIs in a password manager that supports TOTP, such as Bitwarden. BitWarden, inside each login, there is a field below the password field called "Authenticator Key (TOTP)", where you can paste the TOTP URI, and BitWarden will automatically generate the TOTP codes for you. Unfortunately, to actually view the 30-second codes, you need a BitWarden Premium subscription, but this is a good option to store your TOTP URIs securely for backup purposes, rather than storing them in a text file or a JSON file, which is not secure.
Honestly, I would recommend you store the TOTP URIs in Bitwarden and then export the Bitwarden vault periodically as a backup and import it into the Apple's Passwords app, as it will detect the TOTP URIs and generate the TOTP codes for you, so you can use the Passwords app as your main authenticator app. This way, you can have a secure backup of your TOTP URIs and also use them in the Passwords app, which I'm pretty sure is built-in in iOS and MacOS for a few years now and is completely free to use.
- A computer (Windows/Mac/Linux)
- An iOS/iPadOS device (using a secondary device is recommended)
- A basic understanding of the command line and running Python scripts
- mitmproxy installed on your computer
- Python 3.13.1+ installed on your computer
- Make installed on your computer (optional, but strongly recommended to simplify setup and usage)
- Windows-specific: Microsoft Visual C++ Build Tools (part of "Build Tools for Visual Studio") — required by some Python packages that need compilation.
Before running the project, ensure that both Python and the make utility are installed on your system. Follow the instructions below according to your operating system.
The project requires Python 3.9 or higher.
On Debian/Ubuntu-based distributions:
sudo apt update
sudo apt install python3 python3-venv python3-pip -yOn Fedora/RHEL-based distributions:
sudo dnf install python3 python3-venv python3-pip -yVerify installation:
python3 --version- Install via Homebrew (recommended):
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" # if Homebrew not installed
brew install python- Verify installation:
python3 --version- Download Python from the official website: https://www.python.org/downloads/windows/
- Run the installer and check “Add Python to PATH”.
- Verify installation:
python --versionThe make utility is used to automate tasks such as setting up the virtual environment and installing dependencies.
make is usually pre-installed. If not:
sudo apt install build-essential -y # Debian/Ubuntu
sudo dnf install make -y # Fedora/RHEL
make --versionmake comes pre-installed with Xcode Command Line Tools:
xcode-select --install
make --version- Install via Chocolatey:
choco install makeOr, install GnuWin32 Make.
- Verify installation:
make --version-
Clone the repository with the following command:
git clone https://github.com/BrenoFariasDaSilva/DDoS-Detector.git cd DDoS-Detector
With make:
make venv
source venv/bin/activate # Linux/macOS
venv\Scripts\activate # WindowsOr manually:
python -m venv venv
source venv/bin/activate # Linux/macOS
venv\Scripts\activate # Windows- Install Python packages:
With make:
make dependenciesOr manually:
pip install -r requirements.txtExtracting tokens works by capturing HTTPS traffic received by the Authy app after logging in. This traffic contains your tokens in encrypted form, which is then decrypted in a later step so that you can access your authenticator seeds. In order to receive this traffic, we use mitmproxy, which is an easy-to-use tool that allows you to intercept traffic from apps and websites on your device.
To begin, install mitmproxy on your computer, then run:
mitmweb --allow-hosts "api.authy.com"in your terminal to launch mitmweb (which is a user-friendly interface for mitmproxy) with HTTPS proxying on for api.authy.com. Once proxying has started, connect your iOS device to the proxy:
On iOS:
Settings → Wi-Fi → (your network) → Configure Proxy → set to "Manual"
Enter your computer's private IP for "Server" and 8080 for "Port".
Note
Your computer's private IP can be found in its Wi-Fi/network settings, and is typically in the format 192.168.x.x or 10.x.x.x.
Once your iOS device is connected to the proxy, you must install the mitmproxy root CA certificate. This is required for HTTPS proxying.
The root CA keys mitmproxy uses are randomly generated for each installation and are not shared.
- On your iOS device (with the proxy connected), open Safari and visit:
mitm.it - Under the iOS section, tap "Get mitmproxy-ca-cert.pem".
- Tap Allow on the iOS message asking to download a configuration profile.
At this point, the profile is downloaded but not yet installed.
-
Go to:
Settings → General → VPN & Device Management
Inside this menu, you will see the downloaded "mitmproxy" profile.
Tap it, then tap Install (top right corner), and confirm when prompted. -
Only after installing the profile, go to:
Settings → General → About → Certificate Trust Settings
Find mitmproxy in the list and toggle "Enable Full Trust for Root Certificates" to ON.
Important: Failure to install the profile via VPN & Device Management and then enable full trust in Certificate Trust Settings will cause Authy to fail with an SSL validation error.
At this point, you have completed the process of setting up mitmproxy to capture HTTPS traffic from your iOS device. Keep the proxy connected for the next step, which is dumping tokens received from the Authy iOS app.
Some users reported issues where mitmproxy didn’t capture traffic correctly, or where Authy failed with integrity/SSL errors.
If you face this, try the following sequence (thanks to fpwex9 for sharing a working setup on macOS + iOS in here):
1. File descriptor limit (macOS only)
If mitmproxy complains about “too many open files”, increase the limit before starting it:
sudo launchctl limit maxfiles 65536 200000
ulimit -n 655362. Start mitmproxy with limited interception (Command 1):
mitmweb --allow-hosts "api.authy.com"At this stage, you should be able to open the Authy client, enter your phone number, and send the confirmation request to your second device. The Flow List may still be empty at this point.
3. Switch to full interception (Command 2):
mitmweb --listen-host 0.0.0.0 --listen-port 8080Starting directly with this command may cause an “Integrity check” error in Authy.
Instead, use this sequence:
- Start with Command 1.
- Launch Authy, enter your phone number, and send the confirmation request.
- Before confirming on the second device, stop mitmproxy and restart it with Command 2.
- Confirm on the second device.
- Authy should authorize successfully, and mitmproxy will capture the required data.
💡 Tip: You may need to retry 2–3 times with slightly different timing before it works. Be patient.
Note
In order for this to work, you must have your Authy tokens synced to the cloud and you must have a backup password set. It is recommended to dump tokens with a secondary device in case something goes wrong.
Warning
If you're only using Authy on a single device, don't forget to enable Authy multi-device before logging out. If you don't, you won't be able to log back into your account and you will have to wait 24 hours for Twilio to recover it.
The first step in dumping tokens is to sign out of the Authy app on your device. Unfortunately, Twilio did not implement a "sign out" feature in the app, so you must delete and reinstall the Authy app from the App Store if you are already signed in. With the proxy connected, sign back in to the app normally (enter your phone number and then authenticate via SMS/phone call/existing device), and then stop once the app asks you for your backup password.
Note
If you get an "attestation token" error, try opening the Authy app with the proxy disconnected, enter your phone number, and then connect to the proxy before you tap on SMS/phone call/existing device verification.
At this point, mitmproxy should have captured your authenticator tokens in encrypted form.
In the mitmweb UI, it’s common to see many smaller packets — often POST requests — each containing only a single token.
These are not the ones you want. The correct request contains all tokens together in a single response.
- In the Flow List tab, use the search box to look for
"token". - Among the results, locate the first GET request (not POST).
- Look at the Size column — the correct packet will be noticeably larger than the others (typically a few KB if you have many tokens).
- Open this GET request and check its Response; it should look similar to:
{
"authenticator_tokens": [
{
"account_type": "example",
"digits": 6,
"encrypted_seed": "something",
"issuer": "Example.com",
"key_derivation_iterations": 100000,
"logo": "example",
"name": "Example.com",
"original_name": "Example.com",
"password_timestamp": 12345678,
"salt": "something",
"unique_id": "123456",
"unique_iv": null
},
...
]
}💡 Tip: The right packet is usually one large GET request of 5–10 KB or more, depending on how many tokens you have.
Once found, switch to the Flow tab in mitmweb and click Download to save it as authenticator_tokens.
We strongly recommend renaming this file to authenticator_tokens.json, but if you don’t, the script will automatically detect it and add the .json extension as needed, but this is not recommended as it may cause unknown issues.
After that, disconnect your device from the proxy (select "Off" in Settings → Wi-Fi → (your network) → Configure Proxy) before exiting mitmweb (Ctrl+C in the terminal) and continuing to the next step.
Before decrypting your tokens, you need install all of the other requirements.
First, you must ensure you have Python 3.13.1+ installed on your computer. After that, verify that you have Make installed on your computer (it comes pre-installed on Linux and Mac, but Windows users can install it via Chocolatey with choco install make), then run make dependencies to set up a Python virtual environment and install the required dependencies. If you don't have Make installed, you can manually set up a Python virtual environment and install the dependencies by following these steps:
- Open your terminal and navigate to the repository folder.
- Create a virtual environment by running
python -m venv venv(orpython3 -m venv venvdepending on your system). - Activate the virtual environment:
- On Windows, run
venv\Scripts\activate - On Mac/Linux, run
source venv/bin/activate
- Install the required dependencies by running
pip install -r requirements.txt
After that, inside the repository folder, copy the .env-example file to a new file named .env and open it in a text editor. Replace YOUR_AUTHY_BACKUP_PASSWORD_HERE with your actual Authy backup password, then save and close the file.
Assuming you i've installed all of the requirements in the previous step, you can now decrypt your tokens.
Inside the repository folder, ensure you have the authenticator_tokens.json file you downloaded in Step 2 is in the same folder as the scripts (i.e., the root of the repository, Authy-iOS-MiTM). After that, run make, which will run the main.py script that will call all of the three scripts (authenticador_tokens.py, generate_uris.py, and generate_qr_codes.py) to decrypt your tokens, generate URIs for them (saved in the URIs.txt and URIs.json files), and optionally generate QR codes for them.
The script will prompt you for your backup password if you didn't create the .env file, which does not show in the terminal for privacy reasons. After entering your password and hitting Enter, you should have a decrypted_tokens.json file, which contains the decrypted authenticator seeds from your Authy account. Please note that this JSON file is not in a standard format that you can import to other authenticator apps. The file that you can import to other authenticator apps is the URIs.json file, which contains the URIs for each of your tokens in a format that is compatible with the authenticator app that you choose during the generate_uris.py script execution (Select an authenticator app to generate URIs for: (1. 2FA, 2. Aegis, 3. Google Authenticator, 4. Microsoft Authenticator, 5. Proton Authenticator).
Proton Authenticator requires a specific JSON format for bulk import, which is different from the standard URIs.json file. When you select Proton Authenticator in the script, it will generate a file named proton_authenticator.json with the required format:
{
"version": 1,
"entries": [
{
"id": "...",
"content": {
"uri": "otpauth://totp/Adobe?secret=...&digits=6&algorithm=SHA1&period=30&issuer=",
"entry_type": "Totp",
"name": "Adobe"
},
"note": null
},
...
]
}This file can be imported directly into Proton Authenticator. The script will automatically create this file for you if you select Proton Authenticator as your target app. Other apps use the standard URIs.json and URIs.txt files.
Note
If you see "Decryption failed: Invalid padding length" as the decrypted_seed in your JSON file, you entered an incorrect backup password. Run the script again with the correct backup password.
Some users have reported that generated QR files may:
- Use incorrect extensions (e.g.,
.wavinstead of.png); - Contain invalid filenames or fail to save properly.
To resolve or prevent these issues:
- Ensure
Pillowandqrcodewere installed successfully inside the virtual environment. - Avoid special or reserved Windows filenames (e.g.,
CON,PRN,AUX, etc.). - If encoding issues persist, try running the QR generation script from a POSIX-like environment such as:
- WSL (Windows Subsystem for Linux)
- Git Bash
- macOS/Linux
- As a fallback, use the
URIs.jsonfile — it contains all otpauth URIs your authenticator app can import directly.
- Most apps (Google Authenticator, Authy, Bitwarden, etc.) support importing from URIs.
- Alternatively, use an external QR generator that accepts otpauth URIs.
The URIs.json file serves as a direct backup of all generated TOTP URIs.
If QR generation fails, you can still:
- Import
URIs.jsondirectly into your preferred authenticator app; or - Use an online/offline QR generator that accepts otpauth:// URIs to recreate the QR codes.
If you encounter environment or dependency issues, you can safely clean and rebuild everything:
# Remove the virtual environment and temporary files (PowerShell)
Remove-Item -Recurse -Force .\venv
Get-ChildItem -Recurse -Filter *.pyc | Remove-Item -Force
Get-ChildItem -Recurse -Directory -Filter __pycache__ | Remove-Item -Recurse -Force
# Recreate the environment
python -m venv venv
.\venv\Scripts\Activate.ps1
python -m pip install --upgrade pip setuptools wheel
pip install -r requirements.txtThis ensures a clean setup equivalent to running make clean && make.
This method will never work on unrooted Android devices due to the fact that the Authy app only trusts root certificates from the system store and rooting being needed to add certificates to the system store. If you have a rooted Android device and would like to use this guide, add the mitmproxy certificate to the system store instead, and you should be able to follow this guide normally. The reason this works on iOS is that iOS treats system root CAs and user-installed root CAs the same by default, and unless an app uses SSL pinning or some other method to deny user-installed root CAs, it can be HTTPS intercepted via a MiTM attack without a jailbreak needed. If Twilio wants to patch this by implementing SSL pinning, they absolutely can.
You can find some more information on the comments of this GitHub Gist: https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d958c93.
If something goes wrong while following this guide, please file a GitHub issue and I will look into it.
The guide for contributing is in the CONTRIBUTING.md file. If you have any suggestions or improvements, feel free to open an issue or a pull request.
This project is licensed under the MIT License.