Homebrew [WIP] TinyTot - TOTP 2FA One-Time Password generator (like Google Authenticator)

[jsa]

Hey, GBAtemp.

I've been working on a two-factor authentication application for the 3DS over the past few days in my spare time, and I've managed to get it to work so thought I'd share it.

GitHub: https://github.com/thejsa/tinytot
3DSX: Go compile it.

Usage: Drop a file named secret.txt in the same folder as the 3dsx (or on the SD root if for some reason you build this as a CIA) containing your TOTP secret (encoded in base32, looks somewhat like this: JSAISLEETCODERAMIRITEPEOPLEZLMAO).

Next, launch the 3DSX while connected to the internet - the TOTP algorithm uses the current time in UTC as part of its algorithm and the 3DS doesn't have any concept of timezones, so the app gets the time from my server and works out the difference between it and the 3DS time. (I'll modify the source so it saves this offset information soon, thus allowing offline usage.)

Let me know what you think - still todo:

• QR code scanning
• Multiple accounts
• HOTP algorithm support (not often used, but just for completeness)
• Save time offset info (allowing offline TOTP generation)

 

[DarkRioru]

what does this app do?? create otp files or is it a login sort of thing??

 

[jsa]

what does this app do?? create otp files or is it a login sort of thing??

OTP, in this circumstance, stands for One-Time Password, ie. the 6 digit code you get from a thingy and enter as the 2nd factor in two-factor authentication, not the special region in the 3DS NAND.

So yeah, a login thing,

--------------------- MERGED ---------------------------

what does this app do?? create otp files or is it a login sort of thing??

OTP, in this circumstance, stands for One-Time Password, ie. the 6 digit code you get from a thingy and enter as the 2nd factor in two-factor authentication, not the special region in the 3DS NAND.

So yeah, a login thing

 

[Xenon Hacks]

the 6 digit code you get from a thingy

Wut

 

[Ryccardo]

Wut

Those things some banks give to you for e-banking, this is a similiar software-only technology http://www.tokenguard.com/images/tokens/SID700.gif

 

[Brawl345]

Awesome! Can't wait for QR code support and multiple accounts!

 

[Selver]

I've been working on a two-factor authentication application
...
GitHub: https://github.com/thejsa/tinytot
3DSX: Go compile it.

Pull request sent to fix a minor typo, when you moved away from your hard-coded secret.
Excellent start, looking forward to seeing this blossom!

 

[Tjessx]

This is very nice,
I was working myself on a token based OTP system, but i might just use this.

 

[Ricken]

Maybe the title should be changed to One Time Password generator?
I can't be the only one who thought this would make most of the Plailect guide obsolete

 

[Psi-hate]

I understand a little about what this can do, with passwords and accounts, but can someone explain a little more? I don't want to sound dumb but I'm not sure what specifically it could be used for.. Regardless of my knowledge, this looks pretty interesting!

 

[Selver]

I understand a little about what this can do, with passwords and accounts, but can someone explain a little more? I don't want to sound dumb but I'm not sure what specifically it could be used for.. Regardless of my knowledge, this looks pretty interesting!

Two-Factor authentication (2FA) provides a second "proof" that you are who you say you are. These are often setup to use a one-time-password (OTP). A specific type of OTP was created that uses a secret value and the current time to generate the OTP using one-way cryptographic functions. One-way cryptographic function is a fancy way of saying that, even if an attacker is given many, many outputs, they cannot derive the secret. (Thus, one-way conversion from secret to OTP, but no way to go from OTP to the secret value.)

Google, Microsoft Account (aka Passport, aka LiveID, aka ...), and many others use this standardized method of OTP for their 2FA.

 

[jsa]

Maybe the title should be changed to One Time Password generator?
I can't be the only one who thought this would make most of the Plailect guide obsolete

Yes, haha, I agree.
Could a mod change it?

 

[SomeGamer]

Yes, haha, I agree.
Could a mod change it?

Just report your own thread.

 

[raulpica]

Yes, haha, I agree.
Could a mod change it?

Done!

 

[Suiginou]

Hey, GBAtemp.

I've been working on a two-factor authentication application for the 3DS over the past few days in my spare time, and I've managed to get it to work so thought I'd share it.

GitHub: https://github.com/thejsa/tinytot
3DSX: Go compile it.

Usage: Drop a file named secret.txt in the same folder as the 3dsx (or on the SD root if for some reason you build this as a CIA) containing your TOTP secret (encoded in base32, looks somewhat like this: JSAISLEETCODERAMIRITEPEOPLEZLMAO).

Next, launch the 3DSX while connected to the internet - the TOTP algorithm uses the current time in UTC as part of its algorithm and the 3DS doesn't have any concept of timezones, so the app gets the time from my server and works out the difference between it and the 3DS time. (I'll modify the source so it saves this offset information soon, thus allowing offline usage.)

Let me know what you think - still todo:

• QR code scanning
• Multiple accounts
• HOTP algorithm support (not often used, but just for completeness)
• Save time offset info (allowing offline TOTP generation)

Idea for security:

Encrypt the database (mbedtls is now in the standard portlibs) using AES-GCM or some other authenticated encryption scheme. Use the SHA-256 of cfg:i#SecureInfoGetSignature (0x08150042) or cfg:s#GetLocalFriendCodeSeedData (0x04040042) to derive the key; both should be console-unique and have high entropy, so they should be fairly suitable for this. You can optionally SHA-256 in a user-given password using swkbd as long as you do it before the SecureInfo signature (length extension attacks come to mind).

Note that in order to get the cfg:i, you'll need to make an XML file for HBL that targets mset. I don't know what titles have cfg:s (or maybe cfg:s is accessible without a <targets> directive in the first place).

 

[jsa]

Idea for security:

Encrypt the database (mbedtls is now in the standard portlibs) using AES-GCM or some other authenticated encryption scheme. Use the SHA-256 of cfg:i#SecureInfoGetSignature (0x08150042) or cfg:s#GetLocalFriendCodeSeedData (0x04040042) to derive the key; both should be console-unique and have high entropy, so they should be fairly suitable for this. You can optionally SHA-256 in a user-given password using swkbd as long as you do it before the SecureInfo signature (length extension attacks come to mind).

Note that in order to get the cfg:i, you'll need to make an XML file for HBL that targets mset. I don't know what titles have cfg:s (or maybe cfg:s is accessible without a <targets> directive in the first place).

Hmmm. This is a good idea, but I need access to CAM:U (QR code scanner, WIP in a Git branch right now) and HTTP:C (Time synchronization) too.

Right now I have other priorities (eg. making QR scanning work and multiple account support) but you're welcome to contribute - just submit a pull request.