[lisper]

This site is down so I was not able to read the original article, but I would like to take this opportunity to draw HN's attention to my current project:

https://sc4.us/hsm

It's a fully open USB HSM based on an STM32F405 SoC. Includes an HWRNG, 1MB Flash, and 196k of RAM. Currently runs TweetNaCl and also functions as a FIDO U2F token. Technical details are here:

https://sc4.us/hsm/manual.html

Currently out of stock but we will be shipping again in early January.

[saganus]

I'm interested in buying a couple of these.

Howver I'm wondering if there's a way I can also use it as a TOTP to replace my Google Authenticator app for several accounts? I don't really like having it in the phone because when I lose it I need to reset everything and it's a pain.

Is it possible with SC4 to achieve this functionality?

[lisper]

TOTP is tricky because that requires a real time clock, which the SC4-HSM does not have. That would require adding a battery and associated power management circuitry, which would considerably increase the cost. However, you could run a driver on the host machine that provided the time to the HSM, which would still securely store your secret key. But then you could only use it on a machine that had this driver installed. So yes, it's possible, but it's not straightforward.

[lisper]

Also... why do you want TOTP rather than U2F? U2F is better in every way (unless you don't have access to a USB port).

[saganus]

Well, mostly because of those services that only implement TOTP, in particular those that I can use with my Google Authenticator App.

My use case is this. I have several business accounts (Heroku, Cloudinary, etc) that I like to enable 2FA on but which only support TOTP. I usually add those accounts to my Google Authenticator App and all is fine.

Except when I lose/wipe my phone, which happened recently. Then I have to go around resetting the 2FA setting, then re-enabling it with the new phone.

After a quick search, I found almost no solutions that fit this. Except something like [0]. I would love to buy let's say, 2 of those for each account I want to enable 2FA on, I keep one in the safe and the other one for regular use.

So then I remembered about SC4 and thought that if I can do TOTP on it, I can just buy 2 and put all my seeds there (or so I was thinking) and use that instead of the phone.

That was my reasoning. Maybe I'm doing something wrong here, but I would love to be able to de-couple 2FA from my phone for my business accounts... I guess it's not a common use case?

[0] https://www.protectimus.com/protectimus-slim-mini

[lisper]

I see. Yes, you are right that one SC4-HSM can store multiple keys. The only missing piece is the time. The simplest solution is to feed the time into the HSM from some external source, like a custom driver or a command line. Would that work for you?

Adding a RTC to the hardware is probably not viable. It would increase the cost too much. (If I were selling millions of units that would be different, but that hasn't happened yet.)

Another possible solution is to lobby the sites you care about to implement U2F. It's not particularly difficult. I wrote some minimalist reference code that you/they can find here:

https://github.com/rongarret/u2f-test/

And of course you can always point them in my direction if they want to hire a consultant :-)

[pekk]

Many more services implement TOTP and not U2F, so this would tend to be seen as a useful thing for end users even if the technology is unattractive.

[lisper]

Actually, I just thought of a way you could make this work with a terminal command instead of a driver. You'd have to type something like:

date > /dev/cu.usbmodem*

and the OTP would appear on the HSM display. Would that work for you?

[saganus]

Yeah, I guess that could work since I usually don't log in to my business accounts from anywhere else but my own computer, so even if it needs a bit of configuration it's not that bad.

Just an idea, is there any USB device class that could be used to get the date and time? such that if you configure the SC4 to work with TOTP, when you plug it in a USB driver is installed that allows it to query the date and time?

[lisper]

> is there any USB device class that could be used to get the date and time?

Not that I know of. But it's a good idea if it turns out that such a class does exist. If you find one please let me know!