[HN Gopher] TOTP tokens on my wrist with the smartest dumb watch
___________________________________________________________________
TOTP tokens on my wrist with the smartest dumb watch
Author : alexmolas
Score : 242 points
Date : 2024-07-26 19:20 UTC (1 days ago)
(HTM) web link (blog.singleton.io)
(TXT) w3m dump (blog.singleton.io)
| 627467 wrote:
| I love this, and have thought of doing the same with a dumb
| smartwatch but... is it good opsec to have top so
| visible/available? What about losing the watch or getting stolen?
| 0cf8612b2e1e wrote:
| Unless the owner walks around proclaiming, "This is my second
| factor", a casual observer is just going to think it is a
| broken watch.
| hn92726819 wrote:
| Also the firmware supports multiple faces. The default face
| can just be the time
| denysvitali wrote:
| This is why you create a blog post and share it with the
| world /s
| marcus0x62 wrote:
| What's the threat model here? An attacker is going to read
| this person's blog post, track them down in real life, and
| steal their watch to get access to their github account?
| That seems...unlikely.
| mcsniff wrote:
| Eh, I keep TOTP codes on my Pebble and am fine with it, they
| are labeled in such a way that doesn't make it obvious what
| services they're for.
|
| There's basically no lock mechanism or security on a Pebble,
| but it's just a second factor.
|
| If you have my randomly generated password, have done your
| intel to know I might have the TOTP on my wrist, and can
| physically steal my watch, you've got me beat and I'm okay with
| that for the convenience it provides.
| collingreen wrote:
| All security is a balance if the threat risk and the
| potential loss. I love that you have a mix that works for you
| while staying reasonable about it.
|
| We all have terrible, terrible tumbler locks on our doors
| because they are good enough to stop the extremely casual
| attempts but anywhere with unbarred windows is one rock from
| "unlocked" and we're generally fine with this for 99% of
| things.
| eurleif wrote:
| Security film is another option for windows.
| justincormack wrote:
| Early totp devices were designed to look like pocket
| calculators when these things were less well known. But you
| are supposed to reset the key if you lose the device.
| patrickdavey wrote:
| Less obvious than a ubikey though right?
| paulnpace wrote:
| "...so he hid it, in the one place he knew he could hide
| something..."
| hisamafahri wrote:
| dang, this is so cool
| agscala wrote:
| This is awesome. I've always wished someone made something like
| this for one of Casio's calculator watches
| amelius wrote:
| Still waiting for that credit-card sized general-purpose
| computer.
|
| https://www.casio-intl.com/asia/en/calc/products/SL-760LC-BK...
| driverdan wrote:
| Pi Zero is smaller than a credit card.
| pxx wrote:
| if you're wondering why you see a weird [?] symbol from time to
| time on the demo, it's a "small 7" because the watch ties the top
| and bottom segments of the first and third digits (segments A and
| D) together.
|
| https://joeycastillo.github.io/Sensor-Watch-Documentation/wi...
|
| it's really amazing how much efficiency they packed in this
| display. in normal use, these digits only need to display the
| numbers 0-5 [for the first digit, the clock only needs 0, 1, 2,
| but the chronometer goes up to 59:59.99], none of which need to
| distinguish between those segments. technically I guess the
| chronometer could have gone up to 69:59.99 without breaking
| anything though, but I guess "one hour" is sufficient? the
| numbers 8 and 9 also illuminate both the top and bottom segment,
| so it's only 7 that is an issue.
| slim wrote:
| oddly specific objects is working on a advanced replacement lcd
| 8organicbits wrote:
| I think that's this one:
|
| https://www.oddlyspecificobjects.com/products/lcdwing/
| matheusmoreira wrote:
| No, that's another LCD meant for arduino boards. It's not
| compatible with the watch.
|
| GP was referring to the fact Joey Castillo has posted
| pictures of a custom F-91W LCD in the discord channels. It
| has more icons and segments, and it can address all of them
| independently. It's a better, more readable, less limited
| display. I don't think it's available for purchase yet but
| hopefully it will be soon.
| Kwpolska wrote:
| Having to recompile and reflash your wristwatch is probably going
| to limit the number of things you use TOTP for.
| matheusmoreira wrote:
| Love this project, use it literally every day.
|
| Not too long ago I implemented a new interface for defining the
| TOTP codes from within the source code. Unfortunately that work
| has invalidated the instructions in this article. It works like
| this now: static totp_t credentials[] = {
| CREDENTIAL(2F, "JBSWY3DPEHPK3PXP", SHA1, 30),
| CREDENTIAL(AC, "JBSWY3DPEHPK3PXP", SHA1, 30), };
|
| https://github.com/joeycastillo/Sensor-Watch/blob/main/movem...
|
| I also added user calibration to the pulsometer in order to allow
| it to be used as an asthmometer. It has already helped save
| lives.
|
| It's also got calibration and thermal compensation features which
| enhance the watch's accuracy to about 10 seconds per year.
|
| It's got a growing community. A lot of people have showed up to
| hack on the firmware. Recently someone made an endless runner
| game for the watch:
|
| https://github.com/joeycastillo/Sensor-Watch/pull/419
|
| The maintainers are really nice people too.
|
| If you're looking for a great open source project to sink some
| time into, this is it.
| thomasbbrunner wrote:
| I imagine you'd use a common watch battery to power this. Can
| you comment on the battery life? Could not find it in the docs.
| matheusmoreira wrote:
| Same battery as the original watch. Most of the watch's parts
| are reused, including the battery clip and the battery
| itself. Only the circuit board is replaced.
|
| The original module lasts about 10 years on a single coin
| cell. The sensor watch can't match that incredible lifespan
| but it's still very respectable. Power profiling and testing
| has shown that it has over a year of endurance. There's a
| builtin battery voltage sensor which serves as a power
| reserve meter. Maximum power would be 3 V and low power would
| be something like 2.2 V.
|
| I modified the low power mode timers to make it go to sleep
| after ten seconds in order to extend it as much as possible.
| Low power mode means the CPU wakes up once per minute instead
| of once per second. The only drawback is the lack of seconds
| display but the truth is I've come to consider that a
| feature. If I want to know the seconds, I push the alarm
| button to wake the watch up.
| dvh wrote:
| I used totp first time yesterday on GitHub and I don't understand
| it's point. I had to install otpclient app (from Ubuntu
| repository) where I typed 4 strings and it spit out one number
| which I typed back to GitHub. Attacker could do this as well, so
| the only thing totp does is to prove I can read and write. What
| am I missing here?
| mercora wrote:
| It's supposed to be on another independent device.
| deredede wrote:
| Doesn't have to be. While storing them on your computer does
| not protect you from an adversary with access to your
| computer, it still protects you against an advrsaey e that
| intercepts (or guesses, maybe after a breach) your password.
| 0x073 wrote:
| It doesnt have to be yes, but it's called 2 factor auth
| because of the reason that your computer is 1 factor and
| another device is 2.
|
| It won't protect you from the intention 2fa was created.
| joshribakoff wrote:
| E-mail or sms codes are not 2fa then either, if the
| attacker has your device (presumably with the e-mail app
| logged in already and the password saved). But this seems
| like a dubious distinction, its like saying 2fa is no
| longer 2fa if the attacker has access to the second
| factor. Thats not particularly remarkable.
|
| You can call it 2sv, though. Two step verification. But a
| user can certainly chose to use in a way that makes it
| 2fa by storing the totp secret on a dedicated device. The
| bottom line for most use cases is that it stops people
| from getting in even if they guess or crack your
| password.
|
| With hardware tokens, it still has tradeoffs. What
| happens when the "user" (read attacker) claims they lost
| or damaged the yubi key? What factor do you use to verify
| them before sending a new yubikey in the mail? What
| happens if someone breaks into the user's mail? Etc. no
| method is perfect.
| kevindamm wrote:
| The second factor isn't about a second device. It is
| additional to something you know (password), typically
| the second factor is something you have (device, yubikey,
| etc.).
|
| The idea being that the intersection of {people who can
| get your password, such as through phishing or other
| digital attack} and {people who have physical proximity
| and can steal your physical device} are typically much
| smaller than the set of people in either category.
| PhilipRoman wrote:
| >something you know (password)
|
| Conveniently saved in your browser :) Might not be easy
| to extract from a logged-out device, but grabbing the
| device quickly can bypass both "factors" simultaneously.
|
| Makes me wonder how functions like CryptProtectData
| protect against physical disk access with hex editor. The
| hash of the login password can be changed to anything and
| obviously they cannot access the actual password since it
| should be destroyed after hashing. So unless TPM is
| involved I don't see how it can be secure.
| Dylan16807 wrote:
| > Makes me wonder how functions like CryptProtectData
| protect against physical disk access with hex editor. The
| hash of the login password can be changed to anything and
| obviously they cannot access the actual password since it
| should be destroyed after hashing. So unless TPM is
| involved I don't see how it can be secure.
|
| It derives a key from your password when you log in.
| Changing the authentication hash will only let you log
| in, not figure out what the key was.
| PhilipRoman wrote:
| Oh that's smart, not storing the password anywhere but
| using the user as an input source for it.
| withinboredom wrote:
| Even if the TPM is involved, it can be cracked. But as
| with any hack, once someone has physical access to your
| computer, all bets are off.
|
| The odds of someone stealing your computer to hack into
| your accounts instead of simply selling it on eBay are
| practically zero for most people.
| deltaknight wrote:
| For what it's worth, whilst your point somewhat stands,
| generally just 2 devices are not considered 2 factors.
|
| Usually, the factors are considered as:
|
| - something you know (e.g a password)
|
| - something you have (e.g. a device token)
|
| - something you are (e.g. a fingerprint or other
| biometrics)
|
| Single factor with uses just one of these, which is why
| you can unlock your phone with either a passcode and a
| biometric with the same level of security (when talking
| about factors)
|
| Two factors should have two unique ones of these, and in
| this case a TOTP generator on the same computer as you
| are logging in on is fine because the computer counts as
| "something you have" and the password you enter counts as
| "something you know". An attacker who takes your computer
| still only gains 1 factor (disregarding secure enclaves
| and password protection etc) and doesn't have both.
|
| Of course if an attackers manages to access both your
| password manager and your TOTP generator (whether or not
| they're on the same device), then both factors are
| compromised because the "something you know" factor has
| been broken due to the things you know being stored
| somewhere.
|
| Of course, the way you practice the security of each of
| the factors is important and can vary greatly depending
| on how you effort you want to put in to it. For instance,
| keeping TOTPs on just hardware tokens which you never
| keep plugged in protects against your device being
| stolen.
| deredede wrote:
| GitHub sent you those 4 strings while you were logged in and
| they are now stored on your computer. GitHub will not send them
| to an attacker that is not already logged in.
| SyrupThinker wrote:
| You are missing that the TOTP secret will only be presented
| once during setup.
|
| It is now a second factor because you need to prove possession
| of the secret by entering the current TOTP code during login.
| It will not be presented again, so an attacker needs to have
| been able to intercept the initial secret exchange. (well or
| phish for it etc.)
|
| You are usually prompted to enter the code during setup to
| ensure the secret has actually been put into some authenticator
| and is not immediately going to be lost.
| jmprspret wrote:
| > Attacker could do this as well,
|
| No they cannot. They should not/will not be able to view that
| initial TOTP generation code. That is the "secret" that
| determines what digits are generated at one time.
| numpad0 wrote:
| In classical proprietary implementations, the TOTP physical
| keychain is sent you out-of-band via snail mail. Secret is
| never sent to you electronically.
|
| Modern phone app reimplementation do it in-band on-line, with
| hope that it has to be harder for opportunistic adversaries to
| capture that initial handshake.
| guenthert wrote:
| > To add the secret to the watchface code, you need to convert it
| to hexadecimal bytes. This cryptii.com page will allow you to do
| that conversion. Note you'll have to enter your TOTP secret in
| uppercase.
|
| I wouldn't be comfortable entering my TOTP secret into a random
| web page. In Linux (Ubuntu here, probably other distributions as
| well) you might have the `base32` and `od` tools already
| installed (package 'coreutils').
|
| Otherwise the project is awesome (just the watch is fugly :))
| matheusmoreira wrote:
| The board is also compatible with the A158W and A171W, they
| look much better.
| Loughla wrote:
| Those both look like old man watches.
|
| At least the 91 looks like it belongs to someone under the
| age of 85. Granted, it's someone under the age of 85 who
| believes fashion is high socks, sandals, and cargo shorts
| with a tucked in polo while relaxing at home. But still under
| 85.
| fortran77 wrote:
| @dang, please remove this ageist comment.
| matheusmoreira wrote:
| Now I'm wondering what a fashionable young man's watch is
| supposed to look like. I think the synthwave aesthetic is
| really cool but maybe it's just me.
| filoleg wrote:
| F91W from the article is unironically cool now (and has
| been since forever afaik). Especially in streertwear
| circles. I've legitimately seen plenty of people from
| early 20s to mid 30s wear F91WF, with Balenciaga tier of
| the outfit to match. From the streets to night clubs to
| literally anywhere, both men and women. Definitely not
| the "socks and sandals and polo shirts crowd."
|
| Hell, there are photos of Obama wearing it well during
| his early days[0].
|
| 0. https://www.reddit.com/r/casio/s/sUKUFoyq2s
| johnisgood wrote:
| Yeah, why would anyone rely on a third-party, and a website one
| at that for something as simple as base-32 decoding... or
| generating TOTP. :P
| dps wrote:
| Author of the post here... Cool to see this back on HN! I was
| trying to provide instructions that anyone could use
| regardless of platform, hence the choice of web tools (both
| those linked process the data locally). If you know of a
| base32 decoder that's easily available on Windows, Mac and
| Linux I'd be delighted to update the post.
| alright2565 wrote:
| This is why I keep uMatrix around still
|
| https://i.imgur.com/9MYqLvj.png
|
| I can quickly disable XHR to confirm websites don't do anything
| server-side when I don't expect them to.
| BHSPitMonkey wrote:
| You'd really need to block fetch(), websockets, WebRTC, all
| external images/stylesheets/scripts added to the DOM later,
| and service workers (to prevent the upload from just being
| deferred). It's not easy to make sure a web page can't phone
| home.
| KTibow wrote:
| Throttling inside of Devtools should do all of those.
| pimlottc wrote:
| If you must use a web app, you can at least use CyberChef,
| which runs entirely in the client and is widely used in
| security testing.
|
| https://gchq.github.io/CyberChef/
| gchq-7703 wrote:
| Example recipe to do it for you: https://gc
| hq.github.io/CyberChef/#recipe=To_Upper_case('All')To_Base32(
| 'A-Z2-7%3D')
|
| It looks like 'cryptii' also appears to do all processing
| client-side.
| senectus1 wrote:
| why cant i get this on my smartest smart watch?
|
| Makes me want to go back to the old casio
| cuu508 wrote:
| A quick search turns up a TOTP widget for Garmin watches
| https://github.com/ch1bo/garmin-otp-authenticator
| curiousgal wrote:
| If only I could get this to work with SecurID tokens!
| hal0x2328 wrote:
| It's time to stop using TOTP, it's vulnerable to AitM phishing.
| Use FIDO2 hardware keys or passkeys instead.
| 0xbadcafebee wrote:
| Finally, the kind of content I come to HN for. =8')
|
| The F-91W is (I think?) the same form factor as the A158W[1],
| which is an absurdly good looking watch for the price. It goes
| with everything, stylish yet unobtrusive. I often wear it instead
| of more expensive watches. If you're concerned about the band
| snagging arm hairs, it's only done it _maybe_ twice in a year,
| way fewer than other economy metal bands.
|
| If you prefer a "smoky" alternative, the A168WGG[2] has a
| gunmetal gray tint to the band, the face is blacked out with
| clear letters, and the illuminator only lights up the letters.
| However, the A168 is just slightly larger than the A158, so I
| don't know if the internal modules fit the same (but larger means
| more room, so, probably?).
|
| (while I'm nerding out on watches: my workhorse/black band watch
| is a GA-B2100-1AJF[3]. pretty stylish for a G-Shock, and you get
| a ton of features for a non-smartwatch. the bluetooth model (vs
| cheaper models) has more contrasting face colors/tones so it
| works with more outfits.)
|
| [1] https://www.amazon.com/Casio-A158WA-1-Water-Resistant-
| Digita... [2] https://www.amazon.com/dp/B08195YQLQ/ [3]
| https://www.amazon.com/dp/B09YG8F41Y/
| matheusmoreira wrote:
| > so I don't know if the internal modules fit the same (but
| larger means more room, so, probably?).
|
| It is not compatible, sadly. The sensor watch board requires
| donated parts from a genuine casio module 593.
|
| A list of compatible watches can be found here:
|
| https://www.sensorwatch.net/docs/
|
| > Watches that will not work as they use different movements,
| although the button layout is the same: A168W, A700W, LA680W,
| B650W.
|
| > In general, if the watch is a 3 button digital Casio that has
| a nice 'illuminator' backlight rather than a side light, it's
| NOT a 593 and will not work.
| omoikane wrote:
| Looks like the WASM emulator does not emulate the classic Casio
| easter egg, or was I holding it wrong?
___________________________________________________________________
(page generated 2024-07-27 23:10 UTC)