Introduction: Arduino TOTP Generator

About: High School Maker

Inspiration

Having a friend with an interest in cryptography and security, I wanted to create the perfect birthday present.

*This is a project I made as a birthday present, and it was created within tight time constraints (pardon the messy workmanship).

NOTE: The TOTP generation which is used in this project generates and utilizes 6 digit codes, but due to my current on-hand hardware, I opted to cut the trailing 2 digits and display and utilize 4, arguably (but not greatly) reducing the security.

General Information

This project generates a new code every 30 seconds using a preshared key and the current time (which is tracked by the real-time clock module) and shows it on the display when the button is pressed. The most common use case would be two-factor verification based on Time-based One-Time Password (TOTP) and HMAC-based One-Time Password (HOTP) for authentication.

TOTP is an algorithm that computes a one-time password from a shared secret key and the current time. HOTP is an algorithm that uses the HMAC algorithm to generate a one-time password; TOTP is HOTP with the counter derived from the current time.

Companies such as Google, Microsoft, and Steam already use TOTP technology for their two-factor authentication.


Interesting Links

Article explaining how Google uses this technology to authenticate users - https://medium.com/@tilaklodha/google-authenticator-and-how-it-works-2933a4ece8c2

JavaScript implementation of HOTP and TOTP that may be used when creating software utilizing this project - https://github.com/jiangts/JS-OTP

Cryptographic library for Arduino used in this project - https://github.com/maniacbug/Cryptosuite

TOTP Paper - https://tools.ietf.org/html/rfc6238

Level of Expertise

This Instructable is for enthusiasts who are interested in security and may want to add a nice hardware component to the generation of their TOTP codes. It is written for an audience that already understands the basics of interpreting electronics diagrams and rudimentary programming, but if you plan on simply following this Instructable exactly, don't worry if you have no experience, and feel free to ask questions down in the comments! Furthermore, the project can be interesting for more experienced makers as well, since the final product is not only a nice piece to have around (in my opinion), but also has so much potential for expansion and new features without much hassle.

Supplies

Materials:

  1. 1x Arduino Nano (Amazon)
  2. 1x DS3231 AT24C32 Real-Time Clock (RTC) Module (Amazon)
  3. 1x SH5461AS Common Cathode 4 digit 7-segment (Amazon)
  4. 1x Pushbutton (Amazon)
  5. 1x 10k Resistor (Amazon)
  6. OPTIONAL 1x 5x7cm PCB (Amazon)
  7. OPTIONAL Wire for soldering to PCB
  8. OPTIONAL 1x Breadboard for testing (Amazon)

Step 1: Assembly and Testing

Assemble all the components on the breadboard and wire them according to the attached wiring diagram (Fritzing file is here).

Make sure you have the Arduino IDE installed (it can be found online if you don't) and install the following libraries:

https://github.com/lucadentella/TOTP-Arduino

https://github.com/adafruit/RTClib

https://github.com/maniacbug/Cryptosuite

Download the attached sketch (can also be accessed here: https://gist.github.com/shiv213/569f01a54988cb0207966be9a65cc5ab), and open it using the Arduino IDE. Open this link (http://www.lucadentella.it/OTP/) and input any name in the account name field, and a custom secret key (10 characters long) in the following field, making sure to save both of those values in a safe place for backup. Copy the contents of the "Arduino HEX array:" field, and switch back to the Arduino editor, replacing the array on line 25 (hmacKey) with the one you copied from the site.

After double-checking each wire connection, make sure the RTC module has a coin cell in it. Then connect the Arduino to your laptop using a USB mini cord and upload the attached sketch.

After uploading, when the button is pressed, a number should show up on the screen. If you download the Google Authenticator app on a smartphone and go back to the site used to generate the HEX array, scanning the QR code or typing the "Google Authenticator code" into the app, you should see a number shown in the app. If everything is working correctly, when you press the pushbutton, the 4 digits displayed should match the first 4 of the current code shown on the smartphone app. If this is not the case, make sure that the computer being used to upload the Arduino code is set to UTC time and try again.
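To check the display from the host side, the following added Python example (not part of the original sketch or its libraries) computes the RFC 6238 code, the 4 digits this device shows, and a verification that tolerates one 30-second step of RTC drift. The key and timestamp are the RFC 6238 test values used as constructed sample input, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, as in this project


def totp(key: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the HOTP computation over a time counter."""
    counter = unix_time // STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def display_digits(key: bytes, unix_time: int) -> str:
    """What the 4-digit display shows: the 6-digit code minus its trailing 2 digits."""
    return totp(key, unix_time)[:4]


def verify_display(key: bytes, shown: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Accept the shown digits if they match any step within +/- drift_steps."""
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        t = max(unix_time + delta * STEP, 0)
        # Constant-time compare, no early exit: timing does not reveal which step matched.
        ok |= hmac.compare_digest(display_digits(key, t), shown)
    return ok


def guess_chance(shown_digits: int, drift_steps: int = 1) -> float:
    """Upper bound on a single blind guess being accepted by verify_display."""
    return (2 * drift_steps + 1) / 10 ** shown_digits


if __name__ == "__main__":
    key = b"12345678901234567890"  # constructed sample: RFC 6238 test key, not a real secret
    t = 59                         # RFC 6238 test time (UTC seconds since 1970)
    print("6-digit code:", totp(key, t), "display:", display_digits(key, t))
    print("accepted one step late:", verify_display(key, display_digits(key, t), t + STEP))
    print("guess chance, 4 vs 6 digits:", guess_chance(4), guess_chance(6))
```

Replace the sample key with the secret you entered on the key generator page and pass `int(time.time())` as the time to compare against a live device.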

Step 2: Transferring to PCB

After making sure everything is in working order, you may transfer the components to the PCB and solder everything together however you see fit. I have attached a PCB diagram in addition to the Fritzing file (available here). Note that I placed all the components on the top of the board for aesthetics, but they can also be mounted underneath and then enclosed in some sort of housing to make it cleaner. I cut and hot glued popsicle sticks colored in with Sharpie to the sides of the PCB to create a makeshift box for the unit. Another optional step is to attach a 9-volt battery clip to the VIN and GND pins of the Arduino, making it battery-operated.

Step 3: Finished!

This is how my completed generator turned out. If you followed along and made one yourself, share it below!

Make sure to vote my Instructable for the STEM Contest if you see fit, and leave a comment/any questions you may have down below!

Participated in the STEM Contest