Inside Two-Factor Authentication Apps

Passwords are in a pretty broken state of implementation for authentication. People pick horrible passwords and use the same password all over the place, firms fail to store them correctly and then their databases get leaked, and if anyone’s looking over your shoulder as you type it in (literally or metaphorically), you’re hosed. We’re told that two-factor authentication (2FA) is here to the rescue.

Well maybe. 2FA that actually implements a second factor is fantastic, but Google Authenticator, Facebook Code Generator, and any of the other app-based “second factors” are really just a second password. And worse, that second password cannot be stored hashed in the server’s database, which means that when the database is eventually compromised, your “second factor” blows away with the breeze.

Second factor apps can improve your overall security if you’re already following good password practices. We’ll demonstrate why and how below, but the punchline is that the most popular 2FA app implementations protect you against eavesdropping by creating a different, unpredictable, but verifiable, password every 30 seconds. This means that if someone overhears your login right now, they wouldn’t be able to use the same login info later on. What 2FA apps don’t protect you against, however, are database leaks.

Continue reading “Inside Two-Factor Authentication Apps”

Wheel Of Password!

Before the rise of the Nintendo Gameboy, Tiger LCD games were the king of handheld gaming. Inexpensive and appealing to a wide audience, you still often find them “in the wild” or lurking in your house, even today. When [Lee] found a “Wheel Of Fortune” model laying low in a box, having a look inside and turning the handheld into something it’s not.

Being based on a game show, this specific model has a feature most Tiger handheld’s don’t: a cartridge slot. Originally intended to supply additional categories and phrases, the slot is a wide open bus to the internal CPU. It didn’t take long for the some probing with the Bus Pirate to decode the data protocol.

So what does one do with a hacked game show game? Well you could just make it say goofy stuff, or you could make it into a TOTP password generator. Future plans are to take off the computer umbilical cord and bit bang the cart slot with an AVR. Once done anyone, trying to break in to [Lee’s] PC will never suspect the innocent old toy is the key to the kingdom.

Join us after the break for a quick demo video

Continue reading “Wheel Of Password!”

Using Google Authenticator with an Arduino

Google Authenticator is an app that generates one time passwords (OTPs). These passwords are often used as a second factor of authentication, along with your normal password. OTPs work by having a shared secret and a synchronized clock on two devices. When you generate the password, a hash based on the secret and timestamp is created. This proves that you have access to the secret, and can only be used once.

To secure his Lego mini-figures, [Luca] built an authentication system using Google Authenticator and Arduino. A web app is used to generate a secret that can be configured into the Arduino using an array, and into Google Authenticator using a QR code. The Arduino is using a library that implements Time-based One Time Password authentication (TOTP).

There are some challenges, including keeping a good clock source on the Arduino, but this look like an interesting way to do authentication. After the break, watch a quick video overview of the project (for English captions, hit the CC button).

Continue reading “Using Google Authenticator with an Arduino”

Token authentication for Gmail using a eZ430 Chronos watch

Two-factor authentication allows you to use your chosen password, as well as a one-time password to help keep your services secure. The one-time passwords traditionally come from a dedicated piece of hardware, but there are also solutions for smart phones. [Patrick Schaumont] shows how a TI eZ430 Chronos Watch can be used to generate authentication tokens. After walking through the process he uses it to beef up his gmail login.

This method of token authentication is often called Time-based One Time Passwords (TOTP). It’s part of the Open Authentication (OATH) initiative, which seeks to sort out the password-hell that is modern computing. A portable device generates a password by applying an algorithm and a private encryption key to an accuarte time-stamp. On the server side of things a public key is used to verify the one-time password entered based on the server’s own time-stamp. In this case the portable device is the Chronos watch and the server is Google’s own TOTP service.

You can do this with other simple microcontrollers, we’ve even seen an Arduino implementation. But the wrist-watch form factor seen here is by far the most convenient — as long as you always remember to wear the watch.

[Thanks Oxide]

Time-based One-Time Passwords with an Arduino

Get your feet wet with Time-based One-Time Password (TOTP) security by building your own Arduino OATH system. OATH is an open standard authentication system that provides a platform to generate tokens, making your login more secure than a password alone would.

The TOTP approach is what is used with many companies that issue hardware-based dongles for logging in remotely. This security may have been compromised but it’s still better than passwords alone. Plus, if you’re building it around an Arduino we’d bet you’re just trying to learn and not actually responsible for protecting industrial or state secrets.

The hardware setup requires nothing more than the Arduino board with one button and a screen as a user interface. Since the board has a crystal oscillator it keeps fairly accurate time (as long as it remains powered). It will push out a new token every thirty seconds. The video after the break shows that the Arduino-calculated value does indeed match what the test box is displaying.

Continue reading “Time-based One-Time Passwords with an Arduino”