Time-based One-Time Passwords with an Arduino

Get your feet wet with Time-based One-Time Password (TOTP) security by building your own Arduino OATH system. OATH is an open standard for authentication that defines how one-time tokens are generated, making a login more secure than a password alone.

The TOTP approach is what many companies use when they issue hardware dongles for remote login. That kind of security may have been compromised in the past, but it’s still better than passwords alone. Plus, if you’re building it around an Arduino we’d bet you’re just trying to learn and not actually responsible for protecting industrial or state secrets.

The hardware setup requires nothing more than the Arduino board, one button, and a screen as the user interface. Since the board has a crystal oscillator it keeps fairly accurate time (as long as it remains powered). It pushes out a new token every thirty seconds. The video after the break shows that the Arduino-calculated value does indeed match what the test box is displaying.
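For readers who want to see what the Arduino is actually computing every thirty seconds, here is the TOTP algorithm (RFC 6238, built on the RFC 4226 HOTP construction) in plain Python, together with the server-side check that the commenters below describe: the server holds the same seed as the token and recomputes the code for the current time step, plus a small window of neighbouring steps to tolerate the kind of clock drift a free-running crystal accumulates. This is an added example and not the code from the project in the post; the secret, time values and the one-step window are assumptions taken from the RFC test vectors and common practice, not from the article.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algo).digest()
    # Low nibble of the last byte selects where the 31-bit code is read from.
    offset = digest[-1] & 0x0F
    code = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of `step`-second intervals elapsed."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: recompute the code for the current step and +/- `window`
    neighbouring steps (assumed window of one step, i.e. 30 s of drift either way)
    and compare in constant time so the comparison itself leaks nothing."""
    counter = unix_time // step
    for k in range(-window, window + 1):
        expected = hotp(secret, counter + k, digits, hashlib.sha1)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo seed: the ASCII secret from the RFC 4226 / RFC 6238 test vectors.
    seed = b"12345678901234567890"
    now = int(time.time())
    code = totp(seed, now)
    print("current 6-digit code:", code, "valid for", 30 - now % 30, "more seconds")
    print("server accepts it:", verify_totp(seed, code, now))
```

Both sides only ever exchange the six-digit code; the seed never leaves the token or the server, which is exactly why the server must store it (and why a breach of that server store is what makes a token fleet vulnerable, not the algorithm). A real deployment would also reject a code that has already been accepted for the same step, so a captured code cannot be replayed within the window.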

Comments

  1. GotNoTime says:

    OATH and TOTP in particular aren’t anything to do with RSA the company. The only thing in common is that the RSA SecurID tokens and OATH both implement a form of two factor authentication.

    The problem with the SecurID tokens was that somebody broke into the RSA servers and stole information. This doesn’t mean that all two factor authentication devices like this Arduino TOTP device have been compromised.

  2. GameboyRMH says:

    …or if you don’t want to purchase hardware, you can do it in software. The only advantage of doing it in hardware is that it’s harder to steal.

  3. M says:

    Actually, the video after the break just demonstrates that the Arduino can generate a 6 digit value and push it to a serial console.

  4. onyxphase says:

    I implemented Google Authenticator on an Arduino recently. This allows you to use the Google Authenticator app as a 2-factor solution with the Arduino.

    I implemented a web service that required a user, password, and Google Authenticator token to log in and use the service.

    I’ll post some more info later.

  5. killr says:

    Expanding on what GotNoTime said:

    RSA stored information about the keys on their own servers as well as putting them on the keyfobs. This is bad security practice, as you want the key information to be stored in the same location as what it protects, therefore if anyone breaks in and gets the key, they’ve already broken in. It’s as simple as RSA is dumb and they did not set their security model properly.

    • dan says:

      pray tell how you think the 2fa service works?

      each fob has a fob ID,
      each fob has an individual seed value that is used to generate the time-dependent code (from the seed value)

      at the other end the server has to determine the fobID (based on the source address, and username)

      and that the key sent is indeed correct.

      in order to know that the key code that is sent is correct, the seed value must be stored on the server along with the fob ID

      it’s not bad practice, it’s just how it works, and indeed could not work without it.

      try pulling your head out of your anus and actually understanding what you’re talking about before making such ludicrous remarks!

  6. Laxmen says:

    Yo, this looks great! We have a project at school like this. I would very much appreciate it if you could send me the source code! The link above doesn’t work anymore :)
