Homebrew [WIP] TinyTot - TOTP 2FA One-Time Password generator (like Google Authenticator)


jsa

Well-Known Member
OP
Member
Joined
Oct 21, 2015
Messages
224
Trophies
0
Location
Devon, UK
Website
muffinti.me
XP
396
Country
United Kingdom
Hey, GBAtemp.

I've been working on a two-factor authentication application for the 3DS over the past few days in my spare time, and I've managed to get it to work so thought I'd share it.

GitHub: https://github.com/thejsa/tinytot
3DSX: Go compile it.

Usage: Drop a file named secret.txt in the same folder as the 3dsx (or on the SD root if for some reason you build this as a CIA) containing your TOTP secret (encoded in base32, looks somewhat like this: JSAISLEETCODERAMIRITEPEOPLEZLMAO).

Next, launch the 3DSX while connected to the internet - the TOTP algorithm uses the current time in UTC as part of its algorithm and the 3DS doesn't have any concept of timezones, so the app gets the time from my server and works out the difference between it and the 3DS time. (I'll modify the source so it saves this offset information soon, thus allowing offline usage.)

Let me know what you think - still todo:
  • QR code scanning
  • Multiple accounts
  • HOTP algorithm support (not often used, but just for completeness)
  • Save time offset info (allowing offline TOTP generation)
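As an added example (not TinyTot's own code), the TOTP computation the post describes, in Python: decode a base32 secret as it would sit in secret.txt, run RFC 6238's HMAC-SHA1 plus dynamic truncation, and apply the server-minus-console time offset the app derives. The key is RFC 6238's published test key; function names and the sample clock values are mine.

```python
import base64
import hashlib
import hmac
import struct


def decode_secret(secret_text: str) -> bytes:
    """Decode a base32 secret as it would appear in secret.txt.
    Exported secrets often lack '=' padding and may contain spaces or
    lowercase letters, so normalise before decoding."""
    cleaned = "".join(secret_text.split()).upper().rstrip("=")
    if not cleaned:
        raise ValueError("empty secret")
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_text: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(decode_secret(secret_text), unix_time // step, digits)


def time_offset(server_utc: int, console_clock: int) -> int:
    """Seconds to add to the console clock to get UTC: the value TinyTot
    derives from its time server and plans to cache for offline use."""
    return server_utc - console_clock


def code_for_console(secret_text: str, console_clock: int, offset: int) -> str:
    """Generate the code using the (possibly wrong) console clock plus the cached offset."""
    return totp(secret_text, console_clock + offset)


# Constructed sample: the RFC 6238 test key "12345678901234567890" in base32,
# deliberately written with spaces and mixed case to exercise normalisation.
SAMPLE_SECRET = "gezd gnbv gy3t qojq GEZD GNBV GY3T QOJQ"

if __name__ == "__main__":
    # Console clock is ten minutes behind the server's UTC time.
    server_now, console_now = 1234567890, 1234567890 - 600
    offset = time_offset(server_now, console_now)
    print(code_for_console(SAMPLE_SECRET, console_now, offset))  # 005924
```

The asserted values are the SHA-1 rows of RFC 6238 Appendix B, truncated to six digits.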
 

jsa

Well-Known Member
OP
Member
Joined
Oct 21, 2015
Messages
224
Trophies
0
Location
Devon, UK
Website
muffinti.me
XP
396
Country
United Kingdom
what does this app do?? create otp files or is it a login sort of thing??
OTP, in this circumstance, stands for One-Time Password, i.e. the 6 digit code you get from a thingy and enter as the 2nd factor in two-factor authentication, not the special region in the 3DS NAND.

So yeah, a login thing :)
 

Tjessx

Well-Known Member
Member
Joined
Dec 3, 2014
Messages
1,160
Trophies
0
Age
27
XP
952
Country
Belgium
This is very nice,
I was working on a token-based OTP system myself, but I might just use this.
 

Psi-hate

GBATemp's Official Psi-Hater
Member
Joined
Dec 14, 2014
Messages
1,750
Trophies
1
XP
3,439
Country
United States
I understand a little about what this can do, with passwords and accounts, but can someone explain a little more? I don't want to sound dumb but I'm not sure what specifically it could be used for. Regardless of my knowledge, this looks pretty interesting!
 

Selver

13,5,1,14,9,14,7,12,5,19,19
Member
Joined
Dec 22, 2015
Messages
219
Trophies
0
XP
426
Country
I understand a little about what this can do, with passwords and accounts, but can someone explain a little more? I don't want to sound dumb but I'm not sure what specifically it could be used for. Regardless of my knowledge, this looks pretty interesting!

Two-factor authentication (2FA) provides a second "proof" that you are who you say you are. These are often set up to use a one-time password (OTP). A specific type of OTP was created that uses a secret value and the current time to generate the OTP using one-way cryptographic functions. "One-way cryptographic function" is a fancy way of saying that, even if an attacker is given many, many outputs, they cannot derive the secret. (Thus, one-way conversion from secret to OTP, but no way to go from OTP to the secret value.)

Google, Microsoft Account (aka Passport, aka LiveID, aka ...), and many others use this standardized method of OTP for their 2FA.
 

Suiginou

(null)
Member
Joined
Jun 26, 2012
Messages
565
Trophies
0
Location
pc + 8
XP
738
Country
Gambia, The
Hey, GBAtemp.

I've been working on a two-factor authentication application for the 3DS over the past few days in my spare time, and I've managed to get it to work so thought I'd share it.

GitHub: https://github.com/thejsa/tinytot
3DSX: Go compile it.

Usage: Drop a file named secret.txt in the same folder as the 3dsx (or on the SD root if for some reason you build this as a CIA) containing your TOTP secret (encoded in base32, looks somewhat like this: JSAISLEETCODERAMIRITEPEOPLEZLMAO).

Next, launch the 3DSX while connected to the internet - the TOTP algorithm uses the current time in UTC as part of its algorithm and the 3DS doesn't have any concept of timezones, so the app gets the time from my server and works out the difference between it and the 3DS time. (I'll modify the source so it saves this offset information soon, thus allowing offline usage.)

Let me know what you think - still todo:
  • QR code scanning
  • Multiple accounts
  • HOTP algorithm support (not often used, but just for completeness)
  • Save time offset info (allowing offline TOTP generation)
Idea for security:

Encrypt the database (mbedtls is now in the standard portlibs) using AES-GCM or some other authenticated encryption scheme. Use the SHA-256 of cfg:i#SecureInfoGetSignature (0x08150042) or cfg:s#GetLocalFriendCodeSeedData (0x04040042) to derive the key; both should be console-unique and have high entropy, so they should be fairly suitable for this. You can optionally SHA-256 in a user-given password using swkbd as long as you do it before the SecureInfo signature (length extension attacks come to mind).

Note that in order to get the cfg:i, you'll need to make an XML file for HBL that targets mset. I don't know what titles have cfg:s (or maybe cfg:s is accessible without a <targets> directive in the first place).
 

jsa

Well-Known Member
OP
Member
Joined
Oct 21, 2015
Messages
224
Trophies
0
Location
Devon, UK
Website
muffinti.me
XP
396
Country
United Kingdom
Idea for security:

Encrypt the database (mbedtls is now in the standard portlibs) using AES-GCM or some other authenticated encryption scheme. Use the SHA-256 of cfg:i#SecureInfoGetSignature (0x08150042) or cfg:s#GetLocalFriendCodeSeedData (0x04040042) to derive the key; both should be console-unique and have high entropy, so they should be fairly suitable for this. You can optionally SHA-256 in a user-given password using swkbd as long as you do it before the SecureInfo signature (length extension attacks come to mind).

Note that in order to get the cfg:i, you'll need to make an XML file for HBL that targets mset. I don't know what titles have cfg:s (or maybe cfg:s is accessible without a <targets> directive in the first place).
Hmmm. This is a good idea, but I need access to CAM:U (QR code scanner, WIP in a Git branch right now) and HTTP:C (Time synchronization) too.

Right now I have other priorities (e.g. making QR scanning work and multiple account support) but you're welcome to contribute - just submit a pull request.
 
