mooltipass / minible

Github repository containing the firmwares running on the Mooltipass Mini BLE
GNU General Public License v3.0

Steam TOTP #366

Open EugeneRymarev opened 1 year ago

EugeneRymarev commented 1 year ago

Missing feature

Steam TOTP

Justification

Why not? 😊

Workarounds

Using WinAuth or Steam Android App 👎

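```python
import base64
import binascii
import hashlib
import hmac
import sys
import time

# Steam Guard alphabet: 26 characters, used instead of decimal digits
CHARS = '23456789BCDFGHJKMNPQRTVWXY'

def generate_steam_totp(secret_key):
    # 8-byte big-endian counter of 30-second intervals since the Unix epoch
    byte_time = binascii.unhexlify('%016x' % int(time.time() // 30))
    digest = hmac.new(base64.b32decode(secret_key), byte_time, hashlib.sha1).digest()
    # Dynamic truncation: the low nibble of the last byte selects a 4-byte window
    start = ord(digest[19:20]) & 0xF
    full_code = int(binascii.hexlify(digest[start:start + 4]), 16) & 0x7fffffff
    code = ''
    # Emit 5 characters, least significant base-26 digit first
    for _ in range(5):
        code += CHARS[full_code % 26]
        full_code //= 26  # integer division; '/' would yield a float on Python 3
    return code

def main():
    # The base32-encoded shared secret is passed as the first argument
    print(generate_steam_totp(sys.argv[1]))

if __name__ == '__main__':
    main()
```

Jan-NiklasB commented 1 year ago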

@EugeneRymarev Where do you get the TOTP-Key from? I tried this a while before but couldn't find it anywhere...

EugeneRymarev commented 1 year ago

Where do you get the TOTP-Key from?

@Jan-NiklasB, you can get it from a rooted Android device or rooted WSA. image instruction from WinAuth.

Jan-NiklasB commented 1 year ago

Ah okay, so no 'legit' way to get hold of it... And I thought I missed something...

But I will try if I can emulate a rooted Android device and extract the key, maybe someone here can use this info

On 28 December 2022 at 10:31:28 CET, Eugene Rymarev @.***> wrote:

Where do you get the TOTP-Key from?

@Jan-NiklasB, you can get it from rooted Android device or rooted WSA.


Ancyker commented 2 months ago

Just commenting to add that YubiKey/Yubico Authenticator does support Steam's OTPs as an undocumented feature. Starting an account name with Steam: (i.e. Steam:exampleuser) enables the feature.
