An ESP32 MultiFactor TOTP Generator

A multifactor authentication device showing TOTP codes

MFA, or multifactor authentication, is a standard security feature these days. However, it can be a drag to constantly reach into one's pocket, open Google Authenticator (other MFA applications are available!), and find the correct TOTP code, which is only valid for a short while, just to log in to a site. [Allan Oricil] felt this pain point, so they took the problem by the horns and created a desktop MFA TOTP generator to make life just that little bit easier.

TOTP, which stands for Time-based One-Time Password (RFC 6238), is a scheme in which a device or application derives short-lived codes from a shared secret and the current time: the secret keys an HMAC over the number of 30-second steps since the Unix epoch, and the result is truncated to a six-digit code that changes every step. Two-factor authentication combines a physical item (something you have), such as a key or swipe card, with knowledge of a fact (something you know), like a password, rather than relying on a single factor, so an attacker who phishes or leaks one factor is still missing the other. [Allan]'s project is the physical thing one would use alongside a password or key file.

Utilising the snappily titled Sunton ESP32-2432S028 EVB, based around the Espressif ESP32-WROVER-32 module and a generic touch screen, the neat little package is intended for custom IoT projects, but we can use it for practically anything. The project uses the PlatformIO infrastructure and associated plugins for VSCode, which are a winning combination if you ask us. The service details and associated secret strings are stored as plain-text files on an SD card, so moving from one physical device to another and adding new services is simple; the flip side is that the seeds are only as safe as the card itself, since anyone who pulls it out can generate your codes (the comments below pick this up). If you're wondering why a physical device needs a Wi-Fi connection, it is to sync the board's RTC (the local notion of 'time' that the TOTP computation depends on) with an upstream NTP server. Without it, the clock drifts away from your target services' clocks; servers typically accept a code from only one 30-second step either side of their own time, so once the drift exceeds that window your codes are rejected outright.
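To make the two points above concrete (how a TOTP code is derived from the seed and the clock, and why a drifting RTC gets codes rejected), here is an added Python example of the RFC 6238 computation and a server-style verifier with a tolerance window. This is illustrative code written for this page, not [Allan]'s firmware; the seed is the RFC 4226/6238 test-vector secret, and the server time, drift amounts and the one-step acceptance window are constructed assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 defaults, also used by Google Authenticator and most sites.
TIME_STEP = 30   # seconds per counter value
DIGITS = 6

# RFC 4226 / RFC 6238 test-vector secret: ASCII "12345678901234567890", base32-encoded.
# A real seed would live on the device's SD card (or, better, in encrypted storage).
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(secret_b32: str) -> bytes:
    """Base32 seeds are often shown without '=' padding; restore it before decoding."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a `digits`-digit zero-padded decimal string."""
    key = decode_seed(secret_b32)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # low nibble picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter = number of `step`-second intervals since the epoch."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, candidate: str, server_time: int,
                window: int = 1, step: int = TIME_STEP, digits: int = DIGITS) -> bool:
    """Server-side check: accept the code for the current step and `window` steps
    either side, to tolerate small clock skew. Compare in constant time so the
    check does not leak how many digits matched."""
    counter = server_time // step
    accepted = False
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret_b32, c, digits), candidate):
            accepted = True   # keep looping: same amount of work regardless of match position
    return accepted


def code_accepted_with_drift(secret_b32: str, server_time: int,
                             drift_seconds: int, window: int = 1) -> bool:
    """Simulate a device whose RTC is `drift_seconds` ahead of (or, if negative,
    behind) the server, and ask whether the code it shows would be accepted."""
    device_code = totp(secret_b32, server_time + drift_seconds)
    return verify_totp(secret_b32, device_code, server_time, window=window)


if __name__ == "__main__":
    # Constructed scenario: server clock at Unix time 59 (counter 1).
    server_now = 59
    print("code now:", totp(TEST_SECRET_B32, server_now))              # 287082 per RFC 6238
    for drift in (0, 21, 35, -40):
        ok = code_accepted_with_drift(TEST_SECRET_B32, server_now, drift, window=1)
        print(f"device RTC {drift:+d}s: {'accepted' if ok else 'REJECTED'}")
```

With the server at Unix time 59 (counter 1) and a one-step window, a device 21 s ahead lands in counter 2 and is still accepted, but one 35 s ahead lands in counter 3 and is rejected; that is exactly the failure the NTP sync is there to prevent. Note that the window is the server's choice, not the device's, so a generator that cannot keep time to within a few seconds has no way to compensate on its own.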

If you want to read more, see our guide to Two-Factor Authentication. Regarding hardware implementations, here’s a sweet macropad-based solution, and a tiny one using a BadUSB for good.

20 thoughts on "An ESP32 MultiFactor TOTP Generator"

          1. I added the cost for each part I included in the project. Take a look. I added a 3D printed case to the project. The fingerprint sensor arrived. So tomorrow I will be attempting to turn the screen on and off with the fingerprint. Then I will pay someone to create a custom 3D model to hold the fingerprint sensor in a comfortable position to the left of the board, where there are no USB ports.
            Please give me a star on the project if you think I did a good job for a first project :D

    1. I didn't know this was possible, and it is now added to the list of TODOs. Thank you.

      I decided to use NTP because it was the option I had for the moment and I wanted to make this as cheap as possible. My next upgrade would be attaching a real RTC to the board, but that would also increase the cost. I will try both options, and then see which one is cheaper.

      1. Compare against the option of receiving any ground-based radio time source in your area, such as WWVB or DCF77, which may be cheaper than GPS. It can be compact enough to fit in a watch and cheap enough to be included in pretty cheap clocks, when produced at scale. I do not know of specific parts to buy or what the exact price may be.

  1. there are cheap Dallas RTC modules for offline use as well – my version of this type of credentials manager uses one as a backup. Primary is my own local NTP cause I cannot be arsed to make a menu to set the time.

    My version automagically types the login info based on modifier key into whatever text field I select. Picture for context: https://imgur.com/a/ctVPIbR

    1. You are fucking creative! I liked the setup with buttons. I use the same strategy with my passwords. I have an external keyboard with 9 keys and 4 layers. There are (9-1)*4 [1 button is used to switch to a different layer] options to find the correct password. Only I know which button to press because the buttons are not labelled.

  2. “and associated secret strings are stored as plain text files on an SD card,”
    At least use the ESP32 crypto module to store the secrets. Not totally safe either, but at least a little bit more secure than storing them in plain text on an SD card.

    1. Sure! It is on the roadmap. I plan to require a fingerprint/password/PIN before allowing one to access the TOTP for a given service. This feature will be configurable per service.

    1. Good idea! But fido keys aren’t used everywhere yet (e.g. dockerhub, npm). Moreover, I read that webauthn/passkeys seem to be the future for 2FA, and fido keys, like yubikey are gonna fade out with time. I needed a solution to work with 100% of the services I use, and not just a few. I will probably make this device to store passkeys too, in the future, If I find time.

      off topic: FIDO KEYS CANT PLAY DOOM!

      1. Why not just use a password manager? I use Bitwarden self-hosted and I just need to paste it in the field. As for FIDO keys, there are a few services where, unless I'm forced to and there is no other option, I want a physical key no matter what.

          1. In my eyes, the first 7 points are non-issues; on my personal computer I have the client there and the password is tied to the TOTP, so no need to pull my phone out at all. #8, yeah sure, just don't install the client on your phone. #9, migrating a Docker install is also possible. Which really leaves 10, 11 and 12, which I can understand but to me don't justify adding yet another device on my desk which is basically out in the open. But I mean doing things for fun is cool. I made a dispenser for soap using a peristaltic pump when I could have used a measuring cup to have the measurement I wanted and left that on the washing machine.

        1. I remember a use case I use a lot. When using the AWS CLI with an account for which MFA is required, to authenticate to the CLI you have to type in the TOTP code. Can Bitwarden perform MFA login in CLIs? I never used it, so I really don't know. I use NordPass and LastPass.
