Disclaimer: This article is provided as-is, without any warranties. Use the code at your own risk. I am not responsible for any issues or mistakes that may arise. If you choose to use or reference this code, please make sure to avoid logging out of your Battle.net account and test it in a separate browser to ensure everything runs smoothly.

A while back, I stumbled upon a Python script that allowed me to add my Battle.net Authenticator OTP to my Authy account, which was super convenient at the time. However, as I started using 1Password more frequently, I decided to migrate all my OTPs there. Most sites were straightforward—just disable two-factor authentication set up in Authy, regenerate the QR code, and scan it into 1Password. But when it came to Battle.net, things got complicated. I went down quite the rabbit hole, and I’m sharing this guide to help you avoid the same hassle.

The Problem

I initially found a site that discussed the “old” method to transfer Battle.net OTPs, but Blizzard has deprecated that approach. They now use a bearer token method to access your account. While the page did link to what might be the original script and some troubleshooting advice, I found it a bit outdated.

My Solution

I started by setting up Python on my computer and attempted to use the code I found. While the last post on the GitHub article seemed to work, I prefer working in PowerShell, so I enlisted ChatGPT’s help to convert everything over. Here are the steps, with some credit to @BillyCurtis for his contributions.

Prerequisites

Before we dive in, ensure you’re logged into your Battle.net account and have an “Authenticator” added to your account.

Step 1: Get Your Login Token

  1. Open a browser and enable “Developer mode” (F12 in most browsers).
  2. Log in to Battle.net and go to the “Application” section of the developer tools. Look for the “Cookies” section and find the entry for https://account.battle.net. Locate the cookie named “BA-tassadar”; this is your login token.
  3. Copy its value and keep it handy.

Step 2: Generate Your Bearer Token

  1. Open PowerShell ISE and use the following script to generate your bearer token. Replace LOGIN_TOKEN with the token you copied in the previous step.
# Generates your access token (the "bearer token")

# Define the headers
$headers = @{
    "content-type" = "application/x-www-form-urlencoded; charset=utf-8"
}

# Define the data
$body = "client_id=baedda12fe054e4abdfc3ad7bdea970a&grant_type=client_sso&scope=auth.authenticator&token=LOGIN_TOKEN"

# Define the URL
$url = "https://oauth.battle.net/oauth/sso"

# Make the POST request
$response = Invoke-RestMethod -Uri $url -Method Post -Headers $headers -Body $body -ContentType "application/x-www-form-urlencoded"

# Output the response
$response

Step 3: Generate Your Device Secret

  1. Create a new file in PowerShell ISE and use the script below to generate your device secret. Replace <BEARER_TOKEN> with the access_token from the previous step.
  2. You’ll also need your Authenticator “Restore Code” and “Serial” from the Battle.net website or phone app. In the Battle.net app, go to the “Authenticator” section, then click the gear icon, and select “Serial & Restore Codes”. Enter these details into the script below:
# Generates the authenticator deviceSecret

$headers = @{
    "Authorization" = "Bearer <BEARER_TOKEN>"
    "Accept"        = "application/json"
    "Content-Type"  = "application/json"
}

$body = @{
    serial      = "<SERIAL>"
    restoreCode = "<RESTORE_CODE>"
} | ConvertTo-Json

$url = "https://authenticator-rest-api.bnet-identity.blizzard.net/v1/authenticator/device"

Invoke-RestMethod -Uri $url -Method Post -Headers $headers -Body $body
  • If successful, this script will return your deviceSecret.

Step 4: Convert Your Device Secret to OTPAUTH

  1. Copy the following code into a new PowerShell script. Replace <DEVICE_SECRET> with the deviceSecret you received from the previous step.
# Function to convert a hex string to a byte array
function Convert-HexStringToByteArray {
    param (
        [string]$hexString
    )

    $hexString = $hexString -replace ' ', ''  # Remove any spaces if present
    $byteArray = @()

    for ($i = 0; $i -lt $hexString.Length; $i += 2) {
        $byteArray += [Convert]::ToByte($hexString.Substring($i, 2), 16)
    }

    return $byteArray
}

# Base32 encoding function
function Convert-ToBase32 {
    param (
        [byte[]]$bytes
    )

    $alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
    $output = ""
    $bitBuffer = 0
    $bitBufferLen = 0

    foreach ($byte in $bytes) {
        $bitBuffer = ($bitBuffer -shl 8) -bor $byte
        $bitBufferLen += 8
        while ($bitBufferLen -ge 5) {
            $output += $alphabet[($bitBuffer -shr ($bitBufferLen - 5)) -band 31]
            $bitBufferLen -= 5
        }
    }

    if ($bitBufferLen -gt 0) {
        $output += $alphabet[($bitBuffer -shl (5 - $bitBufferLen)) -band 31]
    }

    return $output
}

# Input: Hex string
$hexString = "<DEVICE_SECRET>"

# Convert the hex string to a byte array
$byteArray = Convert-HexStringToByteArray -hexString $hexString

# Encode the byte array to Base32
$base32Encoded = Convert-ToBase32 -bytes $byteArray

# Generate the OTPAUTH URL
$otpAuth= "otpauth://totp/Battle.net?secret=$($base32Encoded)&digits=8"

$otpAuth
  2. Run the script, and if all goes well, you should get a URL in the format “otpauth://totp/Battle.net?secret=…&digits=8”.
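
To confirm the converted secret before relying on it, you can compute the current code locally and compare it with the one shown in the Battle.net app. The block below is an added example, not part of the original article or the script it was converted from; it implements RFC 6238 TOTP and assumes the defaults the URL above leaves unset (HMAC-SHA1, 30-second period), and Get-TotpCode is a name chosen here.

```powershell
# Added example: RFC 6238 TOTP from the hex deviceSecret.
# Get-TotpCode is a name chosen for this example.
function Get-TotpCode {
    param (
        [Parameter(Mandatory)] [string]$HexSecret,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$Digits = 8,   # digits=8, as in the otpauth URL
        [int]$Period = 30   # assumed: otpauth default, not set in the URL
    )

    if ($HexSecret -notmatch '^([0-9a-fA-F]{2})+$') {
        throw 'Secret must be an even-length hex string.'
    }
    $key = [byte[]]::new([int]($HexSecret.Length / 2))
    for ($i = 0; $i -lt $key.Length; $i++) {
        $key[$i] = [Convert]::ToByte($HexSecret.Substring($i * 2, 2), 16)
    }

    # Number of elapsed time steps, as an 8-byte big-endian counter
    $steps = [long][math]::Floor([double]$UnixTime / $Period)
    $counter = [BitConverter]::GetBytes($steps)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($counter) }

    # HMAC-SHA1 is assumed (otpauth default when no algorithm is given)
    $hmac = [System.Security.Cryptography.HMACSHA1]::new($key)
    try { $hash = $hmac.ComputeHash($counter) } finally { $hmac.Dispose() }

    # Dynamic truncation (RFC 4226): 31 bits starting at the offset
    # given by the low nibble of the last hash byte
    $o = $hash[$hash.Length - 1] -band 0x0F
    $binary = (([int]$hash[$o] -band 0x7F) -shl 24) -bor
              ([int]$hash[$o + 1] -shl 16) -bor
              ([int]$hash[$o + 2] -shl 8) -bor
              [int]$hash[$o + 3]

    $modulus = [int][math]::Pow(10, $Digits)
    return ($binary % $modulus).ToString("D$Digits")
}

# Self-check with the RFC 6238 Appendix B SHA-1 test vector
# (key = ASCII "12345678901234567890", time = 59 s, 8 digits).
$rfcKeyHex = '3132333435363738393031323334353637383930'
if ((Get-TotpCode -HexSecret $rfcKeyHex -UnixTime 59) -ne '94287082') {
    throw 'TOTP self-check failed'
}

# Usage: compare the result with the code shown in the Battle.net app.
# Get-TotpCode -HexSecret (Read-Host 'deviceSecret (hex)')
```

Typing the secret at the prompt keeps it out of saved script files; it is the seed for every future code, so handle it like the restore code.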

Step 5: Add to 1Password

  1. With the generated URL, you can now add a new OTP entry in 1Password.
  2. Paste the “otpAuth” value into the appropriate “one-time password code” field when creating a one-time password for your Battle.net account in 1Password.

Conclusion

It’s a bit complicated, but not impossible! With patience and the steps outlined above, you should be able to transfer your Battle.net OTP to 1Password successfully. Good luck!