parkerhoyes / bolos-app-otp2fa


TOTP #2

Open atideath opened 6 years ago

atideath commented 6 years ago

Hello. When can you implement TOTP? I would like to replace Google Authenticator with this.

parkerhoyes commented 6 years ago

Unfortunately since the Nano S doesn't have a real-time clock, it's not possible to implement TOTP without requiring that the device be connected to a computer to get the current time.

This isn't a security issue, but it is a bit of an inconvenience. Right now the only way to make this work would be to require users to install the Ledger Python tools and run a Python script as a time server on their computer, while connecting the device with the OTP 2FA app running.

In the next version of the Nano S firmware, it will be possible to implement the time server in JavaScript and communicate with the device via U2F from a browser. That way users could just go to a webpage and connect the device to their computer, and then the webpage would provide the device with the time.

As such, I'll probably wait until the next firmware version to add TOTP support.
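To make the dependency described above concrete, here is an added example (not code from bolos-app-otp2fa or its author) of what the device has to compute: RFC 6238 TOTP is just RFC 4226 HOTP with the counter set to the current Unix time divided by the period, so the only input the device cannot produce itself is that time value, which the host has to hand over. The verifier side shows the matching caveat for a host-supplied clock: a small, bounded skew window tolerates a slightly wrong clock without accepting arbitrarily stale codes. The demo secret is the ASCII key from the RFC 6238 test vectors; `hotp`, `totp` and `verify_totp` are names chosen for this example.

```python
# Added example (not part of bolos-app-otp2fa): RFC 6238 TOTP generation from a
# host-supplied Unix time, and verification with a bounded clock-skew window.
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / period).

    The device has no clock of its own, so unix_time is whatever the host hands it;
    it is the only input here that the device cannot produce itself."""
    return hotp(secret, unix_time // period, digits, algorithm)


def verify_totp(secret: bytes, code: str, unix_time: int, period: int = 30,
                digits: int = 6, algorithm: str = "sha1", skew_steps: int = 1):
    """Compare `code` against the current step and its +/- skew_steps neighbours.

    Returns the step offset that matched, or None. The comparison is constant-time
    and the window is bounded, so a slightly wrong host clock is tolerated without
    accepting arbitrarily stale codes."""
    step = unix_time // period
    for offset in range(-skew_steps, skew_steps + 1):
        candidate = hotp(secret, step + offset, digits, algorithm)
        if hmac.compare_digest(candidate, code):
            return offset
    return None


if __name__ == "__main__":
    # Demo secret: the ASCII key used by the RFC 6238 Appendix B SHA-1 test vectors.
    demo_secret = b"12345678901234567890"
    now = int(time.time())  # on the real device this value would arrive from the timeserver
    current = totp(demo_secret, now)
    print("current code:", current)
    print("matched step offset:", verify_totp(demo_secret, current, now))
```

With 8 digits and the demo secret, `totp(secret, 59)` yields the RFC's published value 94287082; the same code verified 30 seconds later still matches at offset -1, and 60 seconds later it is rejected.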

mrose17 commented 6 years ago

@parkerhoyes - hi! i have about 70 TOTP secrets spread across three yubikeys (the yubikey limit is 32), and i'd like to replace those yubikeys with a totp app on my ledger nano s and a chrome-based companion app. it's not clear to me why the companion app couldn't supply the time to the nano.

i suspect that a companion app is going to be needed to do things such as scanning QR codes containing totp:// URLs and allowing manual entry of secrets.

does this make sense at all? thanks!

parkerhoyes commented 6 years ago

@mrose17 A companion app would solve the problem. The reason for the delay is that I would like the companion app to be a web app instead of a desktop app / chrome app, so I'm waiting until the next Nano S firmware version, when it will be easier to write web-based companion apps.

mrose17 commented 6 years ago

@parkerhoyes - thanks! when that firmware is out (i've pinged thomas), i'd like to help on this project if you wish.

best,

/mtr

parkerhoyes commented 6 years ago

I've just pushed TOTP support (as well as support for the new Nano S firmware) to the develop branch.

Authenticating with TOTP requires that you connect the device to a host computer which can give the device the current time. At the moment I have a Python implementation of a timeserver in the scripts folder. I'm going to wait to release a new version until I have a working JavaScript implementation of the timeserver that works over U2F that I can host on my website.

Until then, it would be helpful if some people did some testing to make sure everything is working properly, or let me know if there's anything that I should change.

mrose17 commented 6 years ago

@parkerhoyes - wonderful! i hope to take a look this afternoon!

mrose17 commented 6 years ago

@parkerhoyes - you know there are "tons" of NTP servers in the internet... could they be used instead of having to host your own?

parkerhoyes commented 6 years ago

@mrose17 Unfortunately not. The server needs to communicate with the device directly over a custom APDU-based protocol that is specific to this app. NTP is an Internet protocol; we're dealing with something much lower level (the device has no Internet capabilities).

At the moment the device can only communicate with the host over an APDU protocol built on top of HID or U2F. HID would require a custom desktop app (something that would work like scripts/timeserver.py), but a protocol built on top of U2F allows a webapp to communicate with the device (with a custom JavaScript implementation and a browser that has U2F support).

orcinus commented 6 years ago

There are readily available JS NTP client libs, that completely abstract the protocol from you, and just spit out the timestamp. Instead of using a service of your own for the time, you could just make the JS layer use NTP.

I think that's what @mrose17 was aiming at.

parkerhoyes commented 6 years ago

Ah, I see. Yes, getting the time in JS is trivial; the part that will require a bit of work is writing the code to communicate with the device (using this package).

mrose17 commented 6 years ago

@orcinus - yes, exactly... thanks for clarifying it.

mrose17 commented 6 years ago

@parkerhoyes - just checking. is this the URL for the download page? https://parkerhoyes.com/bolos-apps/bolos-app-otp2fa

parkerhoyes commented 6 years ago

@mrose17 That's the download for the latest release - but if you want to test the new features (TOTP support) you'll have to download the latest version of the develop branch and compile it yourself (I haven't issued a new release with those features yet, so it's not on my website at the moment).

mrose17 commented 6 years ago

@parkerhoyes - any chance i could talk you into doing a binary? yes, i can download, etc., but it'd be nice...

also, as a teaser, here is something that i'm hoping to integrate with the browser-side part of this app... https://github.com/brave/otpauth-recovery

parkerhoyes commented 6 years ago

@mrose17 Sure, I'll try to remember to upload a binary later today.

Also, if I understand correctly, the repository you linked to is for generating a file to recover your OTP keys in the event that your device is lost / destroyed. Perhaps an encrypted backup to host feature (see #5) could be just as useful?

Although a feature to import otpauth URIs / QR codes into the device directly from the browser (eliminating the need to type the key into the device manually) could be quite useful.

mrose17 commented 6 years ago

@parkerhoyes - thanks!

the repo lets me keep a file in a secure location (i use an encrypted USB stick kept in a safe...) that lets me reproduce the otpauth URLs if i happen to lose my yubikey. if i do lose the yubikey, then i plug the usb stick into an offline computer, generate the HTML/QRcode file and re-initialize a new yubikey using Yubico Authenticator.

in our case, we'd have a browser app that would scan the QR code and do the same thing. it is good that you can't get the otpauth URLs from the yubikey/ledger, there just needs to be a way of recovering in the case of device loss/damage...
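Both the browser-side import of otpauth URIs / QR codes mentioned above and the recovery workflow just described hinge on the same format, the `otpauth://TYPE/LABEL?PARAMS` Key URI that authenticator QR codes encode. As an added example (not code from bolos-app-otp2fa, the linked recovery repo, or their authors), the parser below validates a URI before any secret is accepted and can rebuild it for a recovery QR code. The sample URI and its secret are constructed; `parse_otpauth_uri`, `build_otpauth_uri` and `otpauth_error` are names chosen here.

```python
# Added example (not part of bolos-app-otp2fa): parse and rebuild otpauth:// URIs,
# the format carried by authenticator QR codes and by recovery files.
import base64
import binascii
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

ALGORITHMS = {"SHA1", "SHA256", "SHA512"}


def decode_base32_secret(text: str) -> bytes:
    """Decode a base32 secret, tolerating lowercase, spaces and missing padding."""
    compact = text.replace(" ", "").upper()
    padded = compact + "=" * (-len(compact) % 8)
    try:
        return base64.b32decode(padded)
    except binascii.Error as exc:
        raise ValueError(f"secret is not valid base32: {exc}") from exc


def encode_base32_secret(secret: bytes) -> str:
    """Unpadded base32, the form authenticator apps expect in the secret parameter."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def parse_otpauth_uri(uri: str) -> dict:
    """Parse otpauth://TYPE/LABEL?PARAMS into a validated dict; ValueError on bad input."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth":
        raise ValueError("scheme must be otpauth")
    otp_type = parts.netloc.lower()
    if otp_type not in ("totp", "hotp"):
        raise ValueError(f"unsupported type {otp_type!r}")
    # The label is "Issuer:account" (URL-encoded); the issuer prefix is optional.
    label = unquote(parts.path.lstrip("/"))
    label_issuer, _, account = label.rpartition(":")
    params = {key: values[-1] for key, values in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("secret parameter is required")
    issuer = params.get("issuer", label_issuer.strip())
    if label_issuer and issuer != label_issuer.strip():
        raise ValueError("issuer parameter does not match label issuer")
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    digits = int(params.get("digits", "6"))
    if digits not in (6, 7, 8):
        raise ValueError("digits must be 6, 7 or 8")
    entry = {
        "type": otp_type, "issuer": issuer, "account": account.strip(),
        "secret": decode_base32_secret(params["secret"]),
        "algorithm": algorithm, "digits": digits,
    }
    if otp_type == "totp":
        entry["period"] = int(params.get("period", "30"))
        if entry["period"] <= 0:
            raise ValueError("period must be positive")
    else:
        if "counter" not in params:
            raise ValueError("hotp URIs require a counter")
        entry["counter"] = int(params["counter"])
    return entry


def build_otpauth_uri(entry: dict) -> str:
    """Rebuild the URI from a parsed entry, e.g. to regenerate a recovery QR code."""
    label = f"{entry['issuer']}:{entry['account']}" if entry["issuer"] else entry["account"]
    params = {"secret": encode_base32_secret(entry["secret"]),
              "algorithm": entry["algorithm"], "digits": entry["digits"]}
    if entry["issuer"]:
        params["issuer"] = entry["issuer"]
    if entry["type"] == "totp":
        params["period"] = entry["period"]
    else:
        params["counter"] = entry["counter"]
    return f"otpauth://{entry['type']}/{quote(label, safe=':@')}?{urlencode(params)}"


def otpauth_error(uri: str):
    """Return the validation error for a URI, or None if it parses cleanly."""
    try:
        parse_otpauth_uri(uri)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample; JBSWY3DPEHPK3PXP is a widely used demo secret, not a real one.
    sample = ("otpauth://totp/Example:alice%40example.com"
              "?secret=JBSWY3DPEHPK3PXP&issuer=Example&algorithm=SHA1&digits=6&period=30")
    parsed = parse_otpauth_uri(sample)
    print(parsed)
    print(build_otpauth_uri(parsed))
```

Rejecting a URI whose `issuer` parameter disagrees with the label prefix, or that lacks a secret or an HOTP counter, happens before anything is stored, which is the point of validating on import rather than discovering a malformed entry at login time.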

altafan commented 6 years ago

@parkerhoyes Hi! I would like to test the TOTP feature of your app, but I can't compile the project. I set up the toolchain and SDK, but when I run make this error is printed: `make: *** No rule to make target 'obj/app.o', needed by 'bin/app.elf'. Stop.`

parkerhoyes commented 6 years ago

@altafan I seem to remember that problem being caused by using an outdated version of Make (possibly the one that ships with macOS). Perhaps try updating to a newer version of Make? (Or try on Linux where the build process is much more stable.)

altafan commented 6 years ago

Hey @parkerhoyes ! I managed to solve my problem and tried to test the TOTP version but compilation fails with a bunch of errors and warnings:

```
[CC]      obj/app.o
src/app.c:75:56: error: unknown type name 'bui_event_t'
static void app_handle_bui_event(bui_ctx_t *ctx, const bui_event_t *event);
                                                       ^
src/app.c:124:2: warning: implicit declaration of function 'bui_ctx_set_event_handler' is invalid in C99
      [-Wimplicit-function-declaration]
        bui_ctx_set_event_handler(&app_bui_ctx, app_handle_bui_event);
        ^
src/app.c:125:2: warning: implicit declaration of function 'bui_ctx_set_ticker' is invalid in C99
      [-Wimplicit-function-declaration]
        bui_ctx_set_ticker(&app_bui_ctx, APP_TICKER_INTERVAL);
        ^
src/app.c:138:2: warning: implicit declaration of function 'bui_ctx_seproxyhal_event' is invalid in C99
      [-Wimplicit-function-declaration]
        bui_ctx_seproxyhal_event(&app_bui_ctx, true);
        ^
src/app.c:370:56: error: unknown type name 'bui_event_t'
static void app_handle_bui_event(bui_ctx_t *ctx, const bui_event_t *event) {
                                                       ^
src/app.c:371:2: warning: implicit declaration of function 'bui_room_forward_event' is invalid in C99
      [-Wimplicit-function-declaration]
        bui_room_forward_event(&app_room_ctx, event);
        ^
src/app.c:388:29: error: use of undeclared identifier 'BUI_CLR_BLACK'
        bui_ctx_fill(&app_bui_ctx, BUI_CLR_BLACK);
                                   ^
src/app.c:391:3: error: use of undeclared identifier 'bui_room_event_data_draw_t'
                bui_room_event_data_draw_t data = { .bui_ctx = &app_bui_ctx };
                ^
src/app.c:392:3: error: use of undeclared identifier 'bui_room_event_t'; did you mean 'bui_room_enter'?
                bui_room_event_t event = { .id = BUI_ROOM_EVENT_DRAW, .data = &data };
                ^~~~~~~~~~~~~~~~
                bui_room_enter
bui/include/bui_room.h:187:6: note: 'bui_room_enter' declared here
void bui_room_enter(bui_room_ctx_t *ctx, const bui_room_t *room, const void *args, uint16_t args_size);
     ^
src/app.c:392:19: error: expected ';' after expression
                bui_room_event_t event = { .id = BUI_ROOM_EVENT_DRAW, .data = &data };
                                ^
                                ;
src/app.c:392:20: error: use of undeclared identifier 'event'
                bui_room_event_t event = { .id = BUI_ROOM_EVENT_DRAW, .data = &data };
                                 ^
src/app.c:392:28: error: expected expression
                bui_room_event_t event = { .id = BUI_ROOM_EVENT_DRAW, .data = &data };
                                         ^
src/app.c:393:3: warning: implicit declaration of function 'bui_room_dispatch_event' is invalid in C99
      [-Wimplicit-function-declaration]
                bui_room_dispatch_event(&app_room_ctx, &event);
                ^
src/app.c:393:43: error: use of undeclared identifier 'event'
                bui_room_dispatch_event(&app_room_ctx, &event);
                                                        ^
src/app.c:392:3: warning: expression result unused [-Wunused-value]
                bui_room_event_t event = { .id = BUI_ROOM_EVENT_DRAW, .data = &data };
                ^~~~~~~~~~~~~~~~
6 warnings and 9 errors generated.
make: *** [obj/app.o] Error 1
```

parkerhoyes commented 6 years ago

@altafan This is just a guess, but have you checked out submodules as well? It looks like bui is missing.

Try `git submodule update --init --recursive` (see https://stackoverflow.com/questions/3796927/how-to-git-clone-including-submodules).

mrose17 commented 6 years ago

@parkerhoyes - hi! what's the status on the TOTP version?

parkerhoyes commented 6 years ago

@mrose17 Hi - sorry, life sort of got in the way. The app on the develop branch has full TOTP support when used with the Python timeserver script, I just haven't found the time to finish the JavaScript companion app yet.

I'm still working on it, it's just going to take some time. Sorry for the delay.