[WIP] TinyTot - TOTP 2FA One-Time Password generator (like Google Authenticator)

Discussion in '3DS - Homebrew Development and Emulators' started by jsa, Jul 9, 2016.

  1. jsa
    OP

    jsa GBAtemp Regular

    Hey, GBAtemp.

    I've been working on a two-factor authentication application for the 3DS over the past few days in my spare time, and I've managed to get it to work so thought I'd share it.

    GitHub: https://github.com/thejsa/tinytot
    3DSX: Go compile it.

    Usage: Drop a file named secret.txt in the same folder as the 3dsx (or on the SD root if for some reason you build this as a CIA) containing your TOTP secret (encoded in base32, looks somewhat like this: JSAISLEETCODERAMIRITEPEOPLEZLMAO).

    Next, launch the 3DSX while connected to the internet - the TOTP algorithm uses the current time in UTC as part of its algorithm and the 3DS doesn't have any concept of timezones, so the app gets the time from my server and works out the difference between it and the 3DS time. (I'll modify the source so it saves this offset information soon, thus allowing offline usage.)

    Let me know what you think - still todo:
    • QR code scanning
    • Multiple accounts
    • HOTP algorithm support (not often used, but just for completeness)
    • Save time offset info (allowing offline TOTP generation)
     
  2. DarkRioru

    DarkRioru Dream Beeeeeaaaammmm!!!

    What does this app do? Create OTP files, or is it a login sort of thing?
     
  3. jsa
    OP

    jsa GBAtemp Regular

    OTP, in this circumstance, stands for One-Time Password, i.e. the 6-digit code you get from a thingy and enter as the 2nd factor in two-factor authentication, not the special region in the 3DS NAND.

    So yeah, a login thing :)
  4. Xenon Hacks

    Xenon Hacks GBAtemp Guru

    Wut :mellow:
  5. Ryccardo

    Ryccardo WiiUaboo

  6. Brawl345

    Brawl345 GBAtemp Regular

    Awesome! Can't wait for QR code support and multiple accounts!
     
  7. Selver

    Selver 13,5,1,14,9,14,7,12,5,19,19

    Pull request sent to fix a minor typo, when you moved away from your hard-coded secret.
    Excellent start, looking forward to seeing this blossom!
  8. Tjessx

    Tjessx GBAtemp Maniac

    This is very nice.
    I was working myself on a token-based OTP system, but I might just use this.
     
  9. Ricken

    Ricken And you must keep your soul

    Maybe the title should be changed to One Time Password generator?
    I can't be the only one who thought this would make most of the Plailect guide obsolete.
  10. Psi-hate

    Psi-hate GBATemp's Official Psi-Hater

    I understand a little about what this can do, with passwords and accounts, but can someone explain a little more? I don't want to sound dumb, but I'm not sure what specifically it could be used for. Regardless of my knowledge, this looks pretty interesting!
     
  11. Selver

    Selver 13,5,1,14,9,14,7,12,5,19,19

    Two-factor authentication (2FA) provides a second "proof" that you are who you say you are. These are often set up to use a one-time password (OTP). A specific type of OTP was created that uses a secret value and the current time to generate the OTP using one-way cryptographic functions. A one-way cryptographic function is a fancy way of saying that, even if an attacker is given many, many outputs, they cannot derive the secret. (Thus, one-way conversion from secret to OTP, but no way to go from OTP to the secret value.)

    Google, Microsoft Account (aka Passport, aka LiveID, aka ...), and many others use this standardized method of OTP for their 2FA.
  12. jsa
    OP

    jsa GBAtemp Regular

    Yes, haha, I agree.
    Could a mod change it?
  13. SomeGamer

    SomeGamer GBAtemp Guru

    Just report your own thread.
     
  14. raulpica

    raulpica With your drill, thrust to the sky!

    Done!
  15. Suiginou

    Suiginou (null)

    Idea for security:

    Encrypt the database (mbedtls is now in the standard portlibs) using AES-GCM or some other authenticated encryption scheme. Use the SHA-256 of cfg:i#SecureInfoGetSignature (0x08150042) or cfg:s#GetLocalFriendCodeSeedData (0x04040042) to derive the key; both should be console-unique and have high entropy, so they should be fairly suitable for this. You can optionally SHA-256 in a user-given password using swkbd as long as you do it before the SecureInfo signature (length extension attacks come to mind).

    Note that in order to get the cfg:i, you'll need to make an XML file for HBL that targets mset. I don't know what titles have cfg:s (or maybe cfg:s is accessible without a <targets> directive in the first place).
     
  16. jsa
    OP

    jsa GBAtemp Regular

    Hmmm. This is a good idea, but I need access to CAM:U (QR code scanner, WIP in a Git branch right now) and HTTP:C (Time synchronization) too.

    Right now I have other priorities (e.g. making QR scanning work and multiple account support), but you're welcome to contribute - just submit a pull request.