Waboodoo / HTTP-Shortcuts

Android app to create home screen shortcuts that trigger arbitrary HTTP requests
https://http-shortcuts.rmy.ch
MIT License

Feature: Use TOTP from authenticator apps #179

Closed pohlt closed 1 year ago

pohlt commented 4 years ago

To secure the HTTP requests even over an unencrypted connection, it would make sense to include a TOTP in the URL or the HTTP request header. In principle, one could implement a TOTP generator in JavaScript, but it would be more convenient if one could use an installed authenticator app (e.g. Google Authenticator) to provide the TOTP.

An HTTP request could then look like http://some-domain.com/open_door?totp=583549. Of course, the server would have to check the TOTP, but there are implementations available for most relevant languages.

Does that make sense?

Waboodoo commented 4 years ago

AFAIK the Google Authenticator app does not provide a way to programmatically retrieve a TOTP. If it did then that would significantly increase their attack surface. This means that ultimately there are only 2 ways of achieving this:

Both of these are already possible, though neither of them are a particularly good solution.

I would also like to mention here that sending a password over an unencrypted channel, even if it's a one-time password, is not exactly secure either, for it could be intercepted by a man-in-the-middle.

Could you maybe provide some more details as to what your use case is, and how you would go about implementing your own TOTP generator? I have little experience with this myself.

pohlt commented 4 years ago

Thanks for taking the time to answer my suggestion so promptly. Your points are all valid. I was not sure about Google Authenticator (GA) providing the TOTP programmatically, but I can see how it could lower the security of the TOTPs.

I guess many users of your excellent tool will be using it to send messages to their home automation installation using some DynDNS and HTTP. Using HTTPS would be difficult in this context, but I guess that's why you added the option to ignore the certificate. In any case, a TOTP significantly lowers the usefulness of an intercepted message for the man-in-the-middle.

For the implementation, I don't think that people would need or expect the full functionality of GA handling many tokens, scanning QR codes, etc. Instead, a single secret and easy access to the TOTP would be sufficient I guess.

Completely off-topic: I'm sure you would get a few bucks from enthusiasts like me if you set up a Patreon account or something similar. Just saying...

pohlt commented 4 years ago

Most likely redundant, but the TOTP should be RFC 6238 of course. :-D

Waboodoo commented 4 years ago

I will keep this on the backlog. Implementing it would add quite a bit of complexity, to make sure that keys are securely stored and such. I'd be interested in this feature, though I don't know how much it would actually be used.

Completely off-topic: I'm sure you would get a few bucks from enthusiasts like me if you set up a Patreon account or something similar. Just saying...

Unfortunately, it would be against the Play Store policy to offer such ways of payment, i.e., ones that do not use Google Pay or the Play Store billing features. I might add an in-app payment option at some point, but for now I'm ok with this app being completely unmonetized and free.

clach04 commented 4 years ago

@pohlt reinforcing @Waboodoo's comment about http/https. I strongly encourage you to use https. The major pain point for me with https is that I like to use self-signed certs and so with HTTP-Shortcuts you have to disable the check which still makes one vulnerable to MITM attacks but at least prevents eavesdropping. You could use Let's Encrypt if you are on a budget for a free named cert.

I'm using https://github.com/mwarning/trigger which has an option to disable hostname checks BUT it will still validate the certificate matches the expected one which avoids those headaches. Take a look at https://github.com/clach04/pirest for a simple Python server.

On TOTP, I read an interesting blog post (sorry I do not have a reference) for a multi-user makerspace where they used TOTP and they had an issue with collisions so they could not identify in all cases who the person was with a TOTP alone.

Random thoughts:
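The thread mentions three things about the server side that are easy to get wrong: the code must be RFC 6238 TOTP (pohlt's comment above), the server must check it, and in a multi-user setup a six-digit code alone cannot reliably say who sent it (clach04's collision remark). The following is an added example, not code from HTTP-Shortcuts or from the projects linked in this thread. It implements RFC 4226 HOTP / RFC 6238 TOTP with the standard library, a verifier with a small clock-skew window and replay protection (a code accepted once is never accepted again), a helper that pulls the `totp` query parameter out of a URL like the one proposed above, and a birthday-bound estimate of how often two users' codes coincide in the same time step. The user names, the second secret and the URL are constructed; `RFC_TEST_SECRET` is the SHA-1 test secret from RFC 6238 Appendix B.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # RFC 6238 default code length

# Test secret from RFC 6238 Appendix B (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps exchange secrets as unpadded base32; restore padding and decode."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter set to the number of time steps since the epoch."""
    return hotp(secret, at // step)


def totp_from_query(url: str) -> Optional[str]:
    """Extract the `totp` parameter from a request URL such as .../open_door?totp=583549."""
    values = parse_qs(urlparse(url).query).get("totp", [])
    return values[0] if values else None


class TotpVerifier:
    """Server-side check: per-user secret, +/- `window` steps of skew, each counter usable once."""

    def __init__(self, secrets: Dict[str, bytes], window: int = 1) -> None:
        self._secrets = secrets
        self._window = window
        self._last_counter: Dict[str, int] = {}

    def verify(self, user: str, code: str, now: Optional[int] = None) -> bool:
        secret = self._secrets.get(user)
        if secret is None or not (code.isdigit() and len(code) == DIGITS):
            return False
        counter = int(now if now is not None else time.time()) // STEP_SECONDS
        for candidate in range(counter - self._window, counter + self._window + 1):
            if candidate <= self._last_counter.get(user, -1):
                continue  # this step was already consumed: refuse replays
            if hmac.compare_digest(hotp(secret, candidate), code):
                self._last_counter[user] = candidate
                return True
        return False

    def users_matching(self, code: str, now: int) -> List[str]:
        """Who could have produced `code` right now? More than one answer means the code alone is ambiguous."""
        counter = int(now) // STEP_SECONDS
        return [u for u, s in self._secrets.items() if hmac.compare_digest(hotp(s, counter), code)]


def collision_probability(n_users: int, digits: int = DIGITS) -> float:
    """Birthday bound: chance that at least two of n independent codes coincide within one time step."""
    space = 10 ** digits
    p_all_distinct = 1.0
    for i in range(n_users):
        p_all_distinct *= 1.0 - i / space
    return 1.0 - p_all_distinct


if __name__ == "__main__":
    verifier = TotpVerifier({"alice": RFC_TEST_SECRET})  # constructed user
    code = totp_from_query("http://some-domain.com/open_door?totp=" + totp(RFC_TEST_SECRET, 59))
    print("first use accepted:", verifier.verify("alice", code, now=59))
    print("replay accepted:", verifier.verify("alice", code, now=59))
    print("P(collision, 10 users): %.2e" % collision_probability(10))
```

The replay check is what turns a TOTP from "the same secret every 30 seconds" into a single-use credential for the window; without it an observer on an unencrypted link can reuse a captured code for the rest of its time step, which is exactly the man-in-the-middle point raised earlier in the thread. `users_matching` and `collision_probability` show the other half: with ten users the per-step collision chance is about 4.5e-5, small per request but not zero over years of door openings, so a shared endpoint still needs a user identifier alongside the code.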
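The post above describes the trigger app's approach to self-signed certificates: skip the hostname check but still require the presented certificate to be the expected one, which keeps a man-in-the-middle out without a CA-issued cert. The following is an added example of that pattern in Python, not code from HTTP-Shortcuts, trigger or pirest. It pins the SHA-256 fingerprint of the server's DER certificate (the value `openssl x509 -fingerprint -sha256` prints) and refuses the connection if it does not match. The host, port and expected fingerprint are supplied by the caller; the bytes used in the stand-alone check below are constructed and are not a real certificate.

```python
import hashlib
import hmac
import socket
import ssl


def cert_fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 of the DER-encoded certificate, without the colons openssl prints."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert: bytes, expected_hex: str) -> bool:
    """Constant-time comparison; accepts the colon-separated upper-case form from openssl too."""
    expected = expected_hex.replace(":", "").lower()
    return hmac.compare_digest(cert_fingerprint(der_cert), expected)


def pinned_context() -> ssl.SSLContext:
    """TLS context that performs no CA or hostname validation: the pin below is the only check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect_pinned(host: str, port: int, expected_hex: str, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and keep it only if the peer certificate matches the pinned fingerprint."""
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = pinned_context().wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)  # DER form is returned even when unvalidated
    if der is None or not fingerprint_matches(der, expected_hex):
        tls.close()
        raise ssl.SSLError("server certificate does not match the pinned fingerprint")
    return tls


if __name__ == "__main__":
    # Stand-alone check on constructed bytes; a real run would pin the home server's certificate.
    fake_der = b"constructed bytes standing in for a DER certificate"
    print("pin matches own fingerprint:", fingerprint_matches(fake_der, cert_fingerprint(fake_der)))
    print("pin rejects another fingerprint:", fingerprint_matches(fake_der, "00" * 32))
```

Pinning the whole certificate means the pin must be updated whenever the server certificate is regenerated, which is the trade-off for not depending on a CA; the safer alternative named in the post, a Let's Encrypt certificate, lets the client keep full validation enabled instead of turning it off.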

Waboodoo commented 1 year ago

I'm doing some cleanup of the open issues. With this one I'm not sure what to do. @pohlt or anyone who's interested, please drop a comment if this is still relevant for you, otherwise I'll close this soon.

As a side-note to give an up-to-date comment regarding other topics that were discussed in this issue:

pohlt commented 1 year ago

Thanks for asking, but I think I wouldn't use TOTPs now anyway.

Waboodoo commented 1 year ago

Alright, thanks for the reply. In that case I'm closing this issue now.