MFA, or multifactor authentication, is a standard security feature these days. However, it can be a drag to constantly reach into one’s pocket, scroll to Google Authenticator (other MFA applications are available!), and find the correct TOTP code to log in to a site for a short while. [Allan Oricil] felt this pain point, so they took the problem by the horns and created a desktop MFA TOTP generator to make life just that little bit easier.
TOTP, which stands for Time-based One-Time Password, is a security measure that uses a device or application to provide unique codes that expire after a short time. Two-factor authentication requires a physical item (something you have), such as a key or swipe card, and knowledge of a fact (something you know), like a password, rather than relying on a single factor. This approach ensures a higher level of security. [Allan]’s project is a physical thing one would use with a password or key file.
Utilising the snappily titled Sunton ESP32-2432S028 EVB, based around the Espressif ESP32-WROVER-32 module and a generic touch screen, the neat little package is intended for custom IoT projects. However, we can use it for practically anything. The project uses the PlatformIO infrastructure and associated plugins for VSCode, which are a winning combination if you ask us. The service details and associated secret strings are stored as plain text files on an SD card, so moving from one physical device to another and adding new services is simple. If you’re wondering why a physical device needs a Wi-Fi connection, this is to sync the RTC (the local measure of ‘time’ for that TOTP) with a downstream NTP server. If you don’t do this, you quickly get out of sync with your target services, and your codes could expire prematurely or even fail outright.
If you want to read more, see our guide to Two-Factor Authentication. Regarding hardware implementations, here’s a sweet macropad-based solution, and a tiny one using a BadUSB for good.
I came here for the Top Of The Pops generator.
The old switcheroo!
You could use GPS to sync time and keep it entirely offline.
one would need a GPS receiver for that..
Cheaply added $35.
more like $6-9 or even less
I added the cost for each part I included in the project. Take a look. I added a 3D printed case to the project. The fingerprint sensor arrived. So tomorrow I will be attempting to turn on and off the screen with fingerprint. Then I will be pay someone to create a custom 3D model to hold the fingerprint sensor in a confortable position to the left of the board, where there are no USB ports.
Please give me a star on the project if you think I did a good job for a first project :D
I didnt know this was possible, and it is now added to the list of TODOs. Thank you.
I decided to use NTP because it was the option I had for the moment and I wanted to make this as cheap as possible. My next upgrade would be attaching a real RTC to the board, but that would also increase the cost. I will try both options, and then see which one is cheaper.
Compare against the option of receiving any ground-based radio time source in your area, such as WWVB or DCF77, which may be cheaper than GPS. It can be compact enough to fit in a watch and cheap enough to be included in pretty cheap clocks, when produced at scale. I do not know of specific parts to buy or what the exact price may be.
there are cheap Dallas RTC modules for offline use as well – my version of this type of credentials manager uses one as a backup. Primary is my own local NTP cause I cannot be arsed to make a menu to set the time.
My version automagically types the login info based on modifier key into whatever text field I select. Picture for context: https://imgur.com/a/ctVPIbR
You are fucking creative! I liked the setup with buttons. I use the same strategy with my passwords. I have a external keyboard with 9 keys and 4 layers. There are (9-1)*4 [1 button is used to switch to a differen layer] options to find the correct password. Only I know which button to press because buttons are not labelled.
“and associated secret strings are stored as plain text files on an SD card,”
At least use the ESP32 crypto module to store the secrets, not totally safe either, but at least a little bit more secure than storing them plain text on an SDcard
Sure! It is on the roadmap. I plan to require fingerprint/password/pin before allowing one to access it TOTP for a giving service. This feature will be configurable per service.
Many, if not most of the websites that use TOTP as a 2nd factor, also allow the use of FIDO2 keys. Either as a 2nd factor, or for passwordless login alltogether.
If you don’t want to buy one (or better two), you can always use a RP2040 (Pi Pico) or an ESP32 to make one.
https://www.picokeys.com/
https://github.com/jocover/esp32_u2f
This even saves you the reading and typing.
Good idea! But fido keys aren’t used everywhere yet (e.g. dockerhub, npm). Moreover, I read that webauthn/passkeys seem to be the future for 2FA, and fido keys, like yubikey are gonna fade out with time. I needed a solution to work with 100% of the services I use, and not just a few. I will probably make this device to store passkeys too, in the future, If I find time.
off topic: FIDO KEYS CANT PLAY DOOM!
Why not just use a password manager? I use bitwarden self hosted and I just need to paste it in the field. As for fido keys, there’s a few services that unless I’m forced to and there are no other option, I want a physical key no matter what
Read the motives on the README.md
In my eyes, first 7 points are non issues, on my personal computer I have the client there and the password is tied to the totp so no need to pull my phone out at all. #8 yeah sure just don’t install the client on your phone. #9 migrating a docker install is also possible. Which really leaves 10, 11 and 12 which I can understand but to me don’t justify adding yet another device on my desk which is basically out in the open. But I mean doing things for fun is cool I made a dispenser for soap using a peristaltic pump when I could have used a measuring cup to have the measurement I wanted and leave that on the washing mashine.
I remember a use case i use a lot. When using aws cli, using account which MFA is required, to auth to the cli you have to type in the totp code. Can bitwarden perform mfa login in CLIs? I never used it, so I really don’t know. I use nordpass and lastpass.
I updated the code and now secrets can be written to the sd card using Node-red and mqtt!
Hi Everyone,
I would like to share that I’ve released v0.5.0. In this version, you can now protect your TOTPs with a PIN number. Please, take a look and give some feedback.
Thank you
The project was renamed to https://github.com/AllanOricil/esp32-mfa-authenticator
It is now possible to flash your board from the browser with the latest build
https://allanoricil.github.io/esp32-mfa-authenticator/