AWS MFA QR Code tool

As someone with administrator responsibilities on several AWS accounts, I have MFA (multi-factor authentication) enabled for lots of AWS identities – IAM users and root users. I use a virtual MFA device – i.e., a mobile phone running Google Authenticator. The QR codes that AWS displays when activating MFA have some irritating properties…

… the main one being that they result in Google Authenticator putting a long prefix before the actual account identifier, like this:

Amazon Web Services (KarlAuer@someaccount)

Other services that use MFA often do something similar.

On a mobile phone in portrait mode, this means that the account part of the identifier is way off the right-hand side of the phone screen, so that is hard to tell which entry is which. Turning the phone to put it in landscape mode helps, but that’s irritating too.

A second irritant is that the identifiers are real. If your IAM user name is FredBloggs and the AWS account has the alias “bloggscorp”, the entry that AWS will give you will look like this:

Amazon Web Services (FredBloggs@bloggscorp)

That’s useful information in the hands of someone who has somehow obtains your password, and then obtains your phone. It is also information that is easily read by anyone who can see your phone while you are using Google Authenticator (a design flaw in Google Authenticator if you ask me). You may prefer to obfuscate that information.

A solution

One solution is not to use the QR codes! Instead, when setting up MFA, ask AWS to display the secret as text, then type that text into Google Authenticator along with the description of your choice.

This works really well – but you have to type 64 random Base32 characters into Google Authenticator, a very painstaking thing to have to do. And there is no way to edit the secret if you make a typo – you have to delete the defective entry and start again.

Another solution

Another solution is to use my script below. This script uses the qrencode program to generate a QR code from a secret and your description. You can cut and paste the secret off the AWS MFA activation screen, add the description of your choice, and the result is a Google Authenticator entry that is a lot sleeker.

#!/bin/sh
# Create a Google Authenticator compatible QR code.

USER="$1"
SECRET="$2"
FILE="$3"
ISSUER="$4"
PREFIX="$5"

echo -n "otpauth://totp/$PREFIX:$USER?secret=$SECRET&issuer=$ISSUER" | qrencode -o "$FILE"

If you name the above script (say) mkqr.sh, then this command (with a proper secret):

mkqr.sh "blah blah" 1234567890 test.png XXX YYY

…will get you a PNG file called test.png containing the details you need to add an entry into Google Authenticator. Just display it and scan it into your phone.

Instead of the long prefix, you will get something like this (where 999 999 is the next TOTP code):

999 999
XXX (YYY:blah blah)

Even better, if the prefix and issuer are the same, Google Authenticator will leave out the prefix, so this command:

mkqr.sh "blah blah" 1234567890 test.png XXX XXX

…results in this Google Authenticator display (where 999 999 is the actual next TOTP code):

999 999
XXX (blah blah)

I generally use “AWS” as the prefix and issuer, and my login and the account as the user, which gets me this:

AWS (KarlAuer@someaccount)

If you want to obfuscate things, you can enter “coded” details; values that you will recognise but others will not. This is not very strong security, I hasten to add! But it will help against casual snoops or if you lose your phone.

The qrencode program can be installed on Ubuntu using apt-get install qrencode.

Error checking and other enhancements to the above script are left to the reader 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *