AWS MFA QR Code tool

As someone with administrator responsibilities on several AWS accounts, I have MFA (multi-factor authentication) enabled for lots of AWS identities – SSO logins, IAM users and root users. I use a virtual MFA device – i.e., a mobile phone running Google Authenticator. The QR codes that AWS displays when activating MFA have some irritating properties…

… the main one being that they contain a really long prefix that is always the same, so all the AWS entries display in Google Authenticator like this:

Amazon Web Services (KarlAuer@someaccount)

On a mobile phone in portrait mode, this means that the account part of the identifier is way off the right-hand side of the phone screen, so it is hard to tell which entry is which. Turning the phone to put it in landscape mode helps, but that’s irritating too, and if the user name is long, you may still not be able to see what the site is.

A second irritant is that the identifiers are real. If your IAM user name is FredBloggs and the AWS account has the alias “bloggscorp”, the entry that AWS will give you will look like this:

Amazon Web Services (FredBloggs@bloggscorp)

That’s useful information in the hands of someone who somehow obtains your password and then obtains your phone. It is also information that is easily read by anyone who can see your phone while you are using Google Authenticator. You may prefer to obfuscate that information.

A solution

One solution is not to use the QR codes! Instead, when setting up MFA, ask AWS to display the secret as text, then type that text into Google Authenticator along with the description of your choice.

This works really well – but you have to type a bunch of random Base32 characters into Google Authenticator, a very painstaking thing to have to do. And there is no way to edit the secret if you make a typo – you have to delete the defective entry and start again.

Another solution

Another solution is to use the script below. This script uses the qrencode program to generate a QR code from a secret and your description. You can cut and paste the secret off the AWS MFA activation screen, add the description of your choice, and the result is a Google Authenticator entry that is a lot sleeker.

#!/bin/sh
# Create a Google Authenticator compatible QR code.
# Usage: mkqr.sh SECRET "Description" output.png

SECRET="$1"    # Base32 secret copied from the AWS MFA activation screen
TEXT="$2"      # label that the authenticator app will display
FILE="$3"      # PNG file to write

# printf rather than "echo -n": -n is not portable across /bin/sh
# implementations, and a stray newline would become part of the URI.
printf '%s' "otpauth://totp/$TEXT?secret=$SECRET" | qrencode -o "$FILE"

If you name the above script (say) mkqr.sh, then this command (with a proper secret):

mkqr.sh 1234567890 "blah blah blah" test.png

…will get you a PNG file called test.png that you can display and scan into Google Authenticator, or into any other suitable TOTP generator such as Microsoft Authenticator or Authy.

Instead of the long prefix, you will get something like this (where 999 999 is the next TOTP code):

blah blah blah
999 999

I generally use a text something like “AWS (kauer@account)”, which gets me this display:

AWS (kauer@account)
999 999

If you want to obfuscate things, you can enter “coded” details; values that you will recognise but others will not. For example, I always just put “kauer” as the user – it’s just a placeholder for whatever my actual username is in that account. This is not very strong security, I hasten to add! But it will help against casual snoops or if you lose your phone.

The qrencode program can be installed on Ubuntu using apt-get install qrencode.

Error checking and other enhancements to the above script are left to the reader 🙂
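As an added example (this is not the author's script, and not an AWS tool), here is a Python version of the same idea that also does some of the error checking the post leaves to the reader: it checks that the pasted secret is well-formed Base32 so a paste or typing mistake fails before a QR code is made, percent-encodes the label in the otpauth URI (the Key URI format expects that for characters such as spaces, “@” and parentheses), and prints the TOTP code the secret currently produces so you can compare it with the codes AWS asks for on the activation screen before you scan. The call to qrencode is only made if the binary is on the PATH; the secret used in the test below is the RFC 6238 demonstration value, not a real AWS secret.

```python
#!/usr/bin/env python3
"""Build an otpauth:// URI from a pasted TOTP secret, sanity-check the secret,
and optionally hand the URI to qrencode. Added example, not the post's script."""
import base64
import hashlib
import hmac
import re
import shutil
import struct
import subprocess
import sys
import time
from typing import Optional
from urllib.parse import quote


def normalize_secret(secret: str) -> str:
    """Strip whitespace (AWS shows the secret in spaced groups), upper-case it,
    and prove that it decodes as Base32, so a bad paste fails here rather than
    producing a QR code whose entry generates wrong codes."""
    cleaned = re.sub(r"\s+", "", secret).upper()
    if not cleaned or not re.fullmatch(r"[A-Z2-7]+", cleaned):
        raise ValueError("secret is not Base32 (characters A-Z and 2-7 only)")
    padded = cleaned + "=" * (-len(cleaned) % 8)
    base64.b32decode(padded)  # raises binascii.Error on an impossible length
    return cleaned


def totp(secret: str, for_time: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the variant Google Authenticator and AWS use."""
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    now = time.time() if for_time is None else for_time
    counter = int(now // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otpauth_uri(secret: str, label: str, issuer: Optional[str] = None) -> str:
    """Key URI format: the label is percent-encoded so spaces, '@' and
    parentheses survive the trip through the QR decoder. The issuer parameter
    is optional; leaving it out is what keeps the long prefix away."""
    uri = f"otpauth://totp/{quote(label, safe='')}?secret={secret}"
    if issuer:
        uri += f"&issuer={quote(issuer, safe='')}"
    return uri


def main(argv):
    if len(argv) != 4:
        print(f"usage: {argv[0]} SECRET 'Description' output.png", file=sys.stderr)
        return 2
    secret = normalize_secret(argv[1])
    uri = otpauth_uri(secret, argv[2])
    # AWS asks for two consecutive codes when activating MFA; printing the
    # code this secret produces right now lets you confirm the paste first.
    print("current code:", totp(secret))
    if shutil.which("qrencode"):
        subprocess.run(["qrencode", "-o", argv[3]], input=uri.encode(), check=True)
        print("wrote", argv[3])
    else:
        print("qrencode not found; URI is:", uri)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it exactly like the shell script (`python3 mkqr.py SECRET "AWS (kauer@account)" test.png`); the printed six-digit code should match the next code on the AWS activation screen, and a mistyped secret is rejected before any PNG is written.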

[Updated 26 September 2022 – KA]
