My first ArduBoy project: turn it into a 2fa security token


(Micah Silverman) #1

The big thing holding this back from being practical is the lack of a realtime clock that stays active even when you turn the arduboy off.

Still, it was a fun project.


(Scott) #2

See the last paragraph:


(Josh Goebel) #3

One problem is the “clock” in the Arduboy isn’t going to be precise enough over time (and likely varies per unit with the exactness of the oscillator)… it will skew and then something like this which requires per second precision will fail. And no clock in power down mode… although I suppose you could use the watchdog to wake up periodically and keep the “clock” moving.


(Pharap) #4

Certainly an interesting project, even if it’s not really usable.

My main complaints are:

  • It’s “Arduboy”, not “ArduBoy”.
  • I think calling it the “ArduBoy project” doesn’t really give it enough credit - this isn’t some little personal project in some guy’s bedroom, the Arduboy is a buyable product made in a factory and Arduboy Inc is a registered company

(Micah Silverman) #5

Yep. After about an hour, the clock had drifted enough from true that I had to reset the time.


(Scott) #6

Many years ago, I worked on systems that used a similar code generating security key.

If I recall correctly, the generated codes appeared for about 30 seconds before the next one was displayed. The host system that validated the code would actually accept the previous and following expected codes in addition to the one that would be valid if the fob’s time was correct.

This way, the clock in the fob could drift somewhat and, based on the code received, the host could tell if the fob was running slow or fast and compensate for this, on a per fob basis.
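The acceptance window described in the post above, sketched as an added example that is not part of the original thread or of the project's code. It assumes RFC 6238-style TOTP (HMAC-SHA1, 30-second steps, 6 digits); `FobRecord` and `verify` are hypothetical names, and the secret is the published RFC 4226 test key.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays on the display
DIGITS = 6   # assumption: 6-digit codes (RFC 6238 default)
TEST_SECRET = b"12345678901234567890"  # RFC 4226 test key, not a real secret


def totp(secret: bytes, counter: int) -> str:
    """HOTP value (RFC 4226) for one time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class FobRecord:
    """Host-side state kept per fob (hypothetical structure)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.drift_steps = 0     # learned clock offset of this fob, in steps
        self.last_counter = -1   # highest step already accepted (replay guard)


def verify(fob: FobRecord, code: str, host_time: int, window: int = 1) -> bool:
    """Accept the previous, current or next code around the learned drift."""
    expected = host_time // STEP + fob.drift_steps
    # Try the expected step first, then its neighbours: 0, -1, +1, ...
    for delta in sorted(range(-window, window + 1), key=abs):
        counter = expected + delta
        if counter <= fob.last_counter:
            continue  # a step that was already used is never accepted again
        if hmac.compare_digest(totp(fob.secret, counter).encode(), code.encode()):
            fob.drift_steps += delta   # compensate for this fob from now on
            fob.last_counter = counter
            return True
    return False


if __name__ == "__main__":
    fob = FobRecord(TEST_SECRET)
    # Constructed case: host clock is in step 2, the fob is one step slow.
    print(verify(fob, totp(TEST_SECRET, 1), host_time=60), fob.drift_steps)
```

Widening `window` tolerates more drift but also lengthens the time an observed code stays usable, which is why the replay guard on `last_counter` matters.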


(Josh Goebel) #7

Yeah, that makes total sense. You could even allow more drift if you wanted. That’s not going to fly with modern 2FA, atomic clocks, and network time servers. :slight_smile:


(Miloslav Číž) #8

I love when people do these unusual projects :slight_smile:

@Pharap I think you’re nitpicking a little bit :smiley: Moon landing has been called a project too, I don’t think it implies something small or unprofessional. On the other hand anyone can set up a company nowadays without much hassle, so being a company doesn’t mean much to me personally.


(Pharap) #9

It’s been called “Project Apollo”, but that has a different nuance and was an actual title.
Naming something “Project X” has a bigger impact than calling something “the X project”.

Yes, but it’s still not something one does on a whim.

I was more emphasising that the Arduboy is a proper business that sells a decent product and has been going for at least 4 years now, calling it a ‘project’ diminishes that idea.

The dictionary definition of a ‘project’ is “A planned endeavor, usually with a specific goal and accomplished in several steps or stages”.
The Arduboy is no longer “a planned endeavour”, it has long since surpassed the final stage of the original plan - production and sale of Arduboy units.


(Miloslav Číž) #10

The word is unusual with Arduboy, that’s right. I see what you’re saying – when something’s called a project, it often means unfinished, to be finished etc. Arduboy has been finished, therefore you wouldn’t use it. However instead of unfinished it can and often is interpreted as active endless endeavour, such as Project Gutenberg. To me it’s definitely a strong and positive word and I see no problem in using it. It’s just my subjective feeling though.

I just wanted to counter that criticism a bit as I think this is a really nice first project :-]


(Pharap) #11

Historically ‘project’ has also been used pejoratively, as in:

(dated) An idle scheme; an impracticable design.

I’d say the word ‘project’ is a misnomer for such a case.
It’s more of a “programme” - “A set of structured activities.”,
or a “scheme” - “A systematic plan of future action.”

I criticised the article, not the project.


(Erwin) #12

Very weird use for the arduboy :stuck_out_tongue: I added it to the “Applications” category:
http://arduboy.ried.cl/ (this is entry number 200! :partying_face::partying_face::partying_face::partying_face:)

A future upgrade of your project could be to add support for USB keyboard, so you can enter the code directly from the arduboy to the phone/computer


(Josh Goebel) #13

That’d be an easy add I think.


(Micah Silverman) #14

There is some tolerance, but nowadays it’s on the order of seconds.


(Micah Silverman) #15

Thanks! That’s awesome!


(Micah Silverman) #16

Great idea! That said, I am proud of the interface. Most OTP examples I’ve seen have you hardcode the shared secret in advance of uploading the code to the Arduboy. I think the interface is reasonably usable given that you have 6 buttons to work with. And, it stores that shared secret, so that’s a one-time entry.

I love the idea of hooking up a keyboard too. Would it use the serial interface?


(Scott) #17

I think @eried meant:
Have the Arduboy appear as a USB keyboard, so it can enter the code directly into the field that it needs to be put in, instead of you having to read it from the Arduboy display and type it in manually.

https://www.arduino.cc/reference/en/language/functions/usb/keyboard/


(Pharap) #18

@eried did mean making the Arduboy appear as a USB keyboard.

A good example of using the Arduboy as a keyboard is this old password manager.
(It’s mostly educational now, the ‘encryption’ has been found to be weak to plaintext attacks.)

However, you can use Serial to read data sent over serial from a computer, as long as you have an intermediary program to accept the keyboard presses and transmit them over serial.

You can use the Arduino IDE’s serial monitor for that.
I once wrote a C# program to do it,
and I think it can be done in Python too.


(Erwin) #19

Yes, I was thinking of the USB virtual keyboard part, not Serial.

ALSO (as a hack) the keyboard LED status could be used to set the secret: a JS script in a website changes caps lock/num lock/etc. in a sequence that you can decode in the Arduboy.