Cool hack. That said:

A security reminder to anyone who is in the target audience here: if you're clever enough to have TOTP 2FA enabled on your Google account, get some cheap USB security keys and enable Advanced Protection, which completely disables non-hardware 2FA. It requires two different tokens (and you should really get one for each computer you have/use, plus at least one offsite backup) because once enabled it actually and completely locks anyone out of the account that does not possess one of the enrolled tokens.

https://landing.google.com/advancedprotection/

TOTP is not much better than SMS-based 2FA. It's still vulnerable to phishing, local device malware (that attacks your TOTP in your password manager), etc. It's best to use hardware tokens everywhere that supports them, and both Google and GitHub do. (And Google supports a special hardware-token-only mode which I wish more sites would adopt.)
I just wanted to call out how cool it is to replace the guts of a 1980s-era wristwatch with an ARM Cortex M0+ microcontroller, while reusing the original display and buttons.
How accurate does the time have to be for TOTP to work? If the watch drifts a bit, will it no longer work? Compared to your phone which is synced with an NTP server.
Where does one buy the sensor board? Or is it only DIY?

[edit] https://www.crowdsupply.com/oddly-specific-objects/sensor-watch#products
Is there some Unix-ish tool to generate these TOTPs on a laptop? I don't like to keep the 2nd factor on a small mobile device that is easy to lose. So I ask about a laptop tool.

By Unix-ish I mean something that is small and does one thing well. Like pipe in a secret to it and it gives me a TOTP? Pipe in multiple secrets and it gives me multiple TOTPs? Then I don't have to remain beholden to a custom encryption format. I can encrypt my secrets with other Unix-ish tools, decrypt it, pipe it to this tool and get my TOTPs. Recommendations?
If you are not that much of a hacker but already own a smartwatch such as the Apple Watch, Authy[1] is a pretty rock-solid option. I use Authy for a few key credentials, and I have used my watch for the keys.

FYI, Authy was bought and is now owned by Twilio.

1. https://authy.com
This is very cool, I just recently ordered a light phone 2 (a dumb phone) - and one of the things I am currently trying to solve is how I am going to access my google authentication codes for various work and personal project related accounts. Something like this would be very awesome, but also this post really demystifies how this type of auth works.
If you're a bit weirded out by the website secret pasting, I made a PR which lets the sensor watch load TOTP secrets from an Aegis export (essentially just a bunch of TOTP URIs):

https://github.com/joeycastillo/Sensor-Watch/pull/95

This is the reason I bought the board. It makes me happy not having to use my phone for this.
This is super cool but do folks really need their google and GitHub 2FA codes often enough to justify this? Browser sessions are pretty durable it seems. The one thing I could think of is GitHub admin type actions that prompt for a credential to enter “sudo” mode or whatever they call it. However in that case they’ll take your password as well (or a webauthn key in my case)
I didn't see anything on the site about where to get one, so here's the link to their Crowd Supply page, $36 for the board.

https://www.crowdsupply.com/oddly-specific-objects/sensor-watch
The concept of programming a dumb watch is rather appealing; this project looks like one that's both practical and quite fun to work on.<p>It would be rather neat to have a dumb watch that can take in custom embedded code (say Lua) for people who enjoy hacking but are terrible at hardware. I'd buy one day one!
For the best smartwatch ever made I recommend Pebble Authenticator: https://github.com/Neal/pebble-authenticator
I have been wearing the F-91 every day for a long time. It's such a classic piece, and the only digital watch that really appealed to me.

I'm quite excited at the idea of taking one of my old ones and giving it new functionality.
There needs to be a button-based passcode to view the TOTP instead of just pressing one button once. That would add a layer of security. A combination of buttons and number of presses would still add some security.