Export your OTP secrets from 2FAS backups into scannable QR codes.
Turn a .2fas, .json, or .zip backup — encrypted or not — into one clean PNG QR code per service, ready to re-import into any authenticator app.
- 🔍 Automatic format detection — handles 2FAS
.2fas,.json, and.zipbackups out of the box. - 🔓 Encrypted backup support — decrypts password-protected 2FAS exports (PBKDF2 + AES-GCM).
- 🖼️ One QR per service — a clean PNG per entry, named
{issuer}_{account}.png(sanitized, collision-free). - ⚙️ Rich CLI — list entries, force a format, or run in verbose mode.
- 📦 Standards-compliant — emits standard
otpauth://URLs (TOTP & HOTP) that import into any authenticator.
The generated PNG files embed your 2FA secrets in plaintext (inside the QR code).
- Store them in an encrypted folder.
- Never sync them to a cloud drive.
- Delete them immediately after re-importing.
Treat the output exactly like you would treat the secrets themselves.
uv(Astral) available on yourPATH— verify withuv --version- Python
>= 3.8(provisioned automatically byuv)
This project is uv-only: no global installs, no bare pip, no manual venv.
This tool reads a 2FAS backup file — it does not pull from the app directly. In the 2FAS app: Settings → Backup → Export, then save the .2fas (or .json) file somewhere you can reach from your terminal. Encrypted (password-protected) exports work too.
Pick the method that fits your needs.
uvx runs the tool in a throwaway environment — nothing is installed into your project or your system.
uvx --from git+https://github.com/Hotion13/2FA-exporter 2fa-exporter backup.2fas ./qrcodesGet a persistent 2fa-exporter command on your PATH (isolated in its own environment, but globally available):
uv tool install git+https://github.com/Hotion13/2FA-exporter
# Then call it from anywhere
2fa-exporter backup.2fas ./qrcodes
# Uninstall when you're done
uv tool uninstall 2fa-exportergit clone https://github.com/Hotion13/2FA-exporter
cd 2FA-exporter
uv sync # creates .venv and installs dependenciesWhich method? For a one-off export prefer
uvx. For the tool always on hand useuv tool install(global). Clone +uv synconly if you want to modify the code.
Run the command that matches how you installed it:
# uvx (one-off, no install)
uvx --from git+https://github.com/Hotion13/2FA-exporter 2fa-exporter <backup_file> <output_dir>
# uv tool install (global command)
2fa-exporter <backup_file> <output_dir>
# from a cloned checkout
uv run 2fa-exporter <backup_file> <output_dir>output_dir is required (except with --list-only) and is created automatically. A relative path like ./qrcodes is resolved from your current directory. Each service is written to <output_dir>/{issuer}_{account}.png.
# List entries without generating any QR codes
uv run 2fa-exporter backup.2fas --list-only
# Verbose mode (per-entry details)
uv run 2fa-exporter backup.2fas ./qrcodes --verbose
# Force the 2FAS format (skip auto-detection)
uv run 2fa-exporter backup.zip ./qrcodes --format 2fas
# Full help
uv run 2fa-exporter --help# Standard export
uv run 2fa-exporter ~/Downloads/2fas-backup.json ./qrcodes
# Inspect contents before exporting anything
uv run 2fa-exporter backup.2fas --list-only
# Verbose export from a ZIP archive
uv run 2fa-exporter backup.zip ./exports --verboseWhen a backup contains encrypted data, the tool prompts for the password automatically.
- Run it in a real terminal. Don't pipe the password or run it in CI — non-interactive runs fail by design.
- You get 3 password attempts; after that the run aborts (just re-run to try again).
- A validated password is reused for the rest of the session — handy for ZIP archives bundling multiple encrypted dumps.
- Some 2FAS exports embed a direct AES key (
key/keyEncodedfield) instead. In that case the tool decrypts with it and never asks for a password. - Decryption uses PBKDF2-HMAC-SHA256 (10,000 iterations) feeding AES-GCM, via the
cryptographylibrary.
backup file
│
▼
BackupProcessorFactory ──▶ TwoFASProcessor (raw extraction + decryption)
│
▼
OTPFactory (standardized TOTP / HOTP objects)
│
▼
main.py (renders otpauth:// → PNG QR codes)
BackupProcessors/— multi-format raw extraction (Strategy + Factory). Currently: full 2FAS support; Google Authenticator and Authy are planned.OTPTools/— creation and validation of standardized OTP objects,otpauth://URL generation.src/utils.py— safe filename generation (forbidden chars, Windows-reserved names, Unicode normalization).
uv sync # install everything
uv run python tests/test_refactoring.py # run the test suite
uv lock # update the lockfile (commit it)Dependencies live in pyproject.toml (requirements.txt is generated — never edited by hand).
MIT © contributors