
2FA for Nintendo

Open UnquenchablyEnragedSnail opened this issue 3 years ago • 8 comments

Expected behavior

Generate correct 2FA 6 digit code generation for a Nintendo Account via Mooltipass Mini

Actual behavior

Generated incorrect/rejected 2FA code

Step by step guide to reproduce the problem

  1. Obtained secret from accounts.nintendo.com
  2. Copied secret via QR code to Authy
  3. Plugged in Mooltipass to Windows PC via USB-C to USB-C cable
  4. Entered Credential Management Mode in Moolticute
  5. Verified PIN on Mooltipass Mini
  6. Selected Nintendo service from list with previously saved login and password
  7. Set Key After Login, Key After Password to None
  8. Selected Setup TOTP Credential
  9. Pasted the copied secret as plain text
  10. Left settings at default: Time step: 30 sec, Code size: 6 digits
  11. Saved changes
  12. Uploaded to Mooltipass Mini successfully
  13. From Mooltipass Mini (still connected via USB) selected Type TOTP
  14. Nintendo website rejected the entered 6 digit code
  15. Pasted into a text doc from Mooltipass Mini to verify a 6 digit code was being generated. Pasted code from text doc into Nintendo website with same result.
  16. Compared newly generated 6 digit code to Authy 6 digit code; they were completely different numbers after multiple attempts and over the span of 30-40 minutes
  17. Verified Authy app was generating correct code.

Moolticute Version

  • V.0.55.0

Operating System

  • Windows 10

Mooltipass Extension

N/A

Mooltipass Device

  • The Mooltipass Mini BLE
  • Bundle Version: 8

I have the same problem with setting TOTP for PlayStation. The problem is that Moolticute has a limit on the size of the secret: if the secret is too long, it just gets truncated (silently, without any error messages 😒). Which is the case for PlayStation: it generates secrets exceeding Moolticute's limits. Is it possible to extend the limits, or is it a Mooltipass limitation?

PlayStation generated secret length: 102
Moolticute limit seems to be: 72

Limitation seems to be enforced here

survived, Sep 07 '22 18:09

102 characters is just baffling... tagging @0x0ptr

limpkin, Sep 07 '22 20:09

Worked for Playstation at one time. They are very paranoid because there's been so many account takeovers in the recent past.

opie4624, Oct 13 '22 16:10

> 102 characters is just baffling... tagging @0x0ptr

wait a half sec, what? 102 characters base32, that's LITERALLY 510 bits

considering that HMAC-SHA1 is used, which already throws the hash down to 160 bits, that's already a ton of extra, and then we only cut 6 digits out.

I would usually go around 25 characters, in the around-120-bit section

if the database field for TOTP has no waste it would BARELY fit in there. and I mean BARELY: 64 bytes is 512 bits https://github.com/mooltipass/minible/wiki/Mooltipass-Database-Model

My1, Feb 23 '23 22:02

@UnquenchablyEnragedSnail I tried creating an account on Nintendo.com and enabling 2FA and it worked fine for me. I had no issues generating the correct TOTP with MiniBLE. The only thing I can think of that might cause it to not work for you would be:

  1. Time is not correct/synchronized on your MiniBLE, or whatever computer you synchronize to does not have the correct time.
  2. Double-check that the TOTP secret was entered correctly.

Hope you can get it to work!

0x0ptr, Feb 28 '23 03:02

@survived @My1 @limpkin So, agreed, the 512 bits is overkill. Essentially anything more than 160 bits is not adding any meaningful security, since the output of HMAC-SHA1 is 160 bits.

For MiniBLE we have room to store this key in the DB (64 bytes) as someone pointed out. That is all you really need to provide support for ANY length key. When the key is greater than the SHA1 block size (64 bytes) the key that is used in HMAC-SHA1 is first hashed once with SHA1 such that it is only 20 bytes. So if the key was greater than 64 bytes we could just store the SHA1 of that key. However, this only works if the key is greater than 64 bytes. For keys 64 bytes or less in length the actual key is used directly.

Unfortunately, the protocol that is currently used to send the TOTP secret key to the MiniBLE from Moolticute takes only 48 bytes as far as I can tell (https://github.com/mooltipass/minible/wiki/Mooltipass-Protocol#0x0027-store-totp-credential), so that is where the current limitation is. I do not know how complicated or feasible it is to update this. That is a question for @limpkin.

0x0ptr, Feb 28 '23 03:02
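The two technical points in the thread so far, the silently truncated 102-character PlayStation secret and 0x0ptr's note that HMAC-SHA1 pre-hashes keys longer than its 64-byte block, can both be checked with a plain RFC 4226/6238 implementation. The following is an added example, not code from Moolticute or the minible firmware. It assumes a lenient base32 decoder (5 bits per character, leftover bits dropped), because Python's base64.b32decode rejects a 102-character string outright as its length is not a multiple of 8; the 64-byte database field and 48-byte 0x0027 message limit are the figures quoted in the thread, and the 102-character secret is constructed for the demonstration, not a real one.

```python
"""TOTP (RFC 4226/6238, HMAC-SHA1) with the thread's two points made explicit:
how many key bytes a long base32 secret becomes, and when HMAC pre-hashes it."""
import hashlib
import hmac
import struct

B32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
SHA1_BLOCK_SIZE = 64        # bytes; HMAC-SHA1 block size (RFC 2104)
MINIBLE_DB_FIELD = 64       # bytes; TOTP key field size quoted in the thread
STORE_TOTP_MSG_LIMIT = 48   # bytes; 0x0027 message limit quoted in the thread


def decode_base32_lenient(secret: str) -> bytes:
    """Decode an otpauth base32 secret 5 bits per character, ignoring
    whitespace, case and '=' padding and discarding trailing bits that do not
    fill a byte. Assumption: this mirrors lenient authenticator-app decoders;
    base64.b32decode would reject a 102-character secret."""
    s = "".join(secret.split()).upper().rstrip("=")
    acc, nbits, out = 0, 0, bytearray()
    for ch in s:
        acc = (acc << 5) | B32_ALPHABET.index(ch)   # ValueError on bad char
        nbits += 5
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1
    return bytes(out)


def effective_hmac_key(key: bytes) -> bytes:
    """Key material HMAC-SHA1 actually XORs into ipad/opad: a key longer than
    the block size is replaced by sha1(key), so storing that 20-byte digest
    instead of the long key yields identical codes. Keys of 64 bytes or fewer
    are used verbatim and cannot be shortened this way."""
    return hashlib.sha1(key).digest() if len(key) > SHA1_BLOCK_SIZE else key


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic
    truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    dbc = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(dbc % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP for a base32 secret at a given Unix time."""
    return hotp(decode_base32_lenient(secret_b32), unix_time // step, digits)


def key_report(secret_b32: str) -> dict:
    """Where a secret of this size lands relative to the limits in the thread."""
    key = decode_base32_lenient(secret_b32)
    return {
        "base32_chars": len("".join(secret_b32.split()).rstrip("=")),
        "key_bytes": len(key),
        "prehashed_by_hmac": len(key) > SHA1_BLOCK_SIZE,
        "fits_db_field": len(key) <= MINIBLE_DB_FIELD,
        "fits_store_totp_msg": len(key) <= STORE_TOTP_MSG_LIMIT,
    }


if __name__ == "__main__":
    # RFC 4226 test secret "12345678901234567890" in base32 (20 bytes).
    rfc_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp(rfc_secret, 59))            # RFC 6238 vector, 6 digits: 287082

    # Constructed 102-character secret standing in for the PlayStation one
    # from the thread (NOT a real secret). Truncating it to 72 characters, as
    # the reporter observed Moolticute doing, keeps only a 45-byte prefix of
    # the 63-byte key, so the device and the site compute different codes.
    long_secret = (B32_ALPHABET * 4)[:102]
    print(key_report(long_secret))
    print(totp(long_secret, 1_700_000_000), totp(long_secret[:72], 1_700_000_000))
```

Two things worth noticing from the report: 102 base32 characters decode to 63 bytes, not 64, so such a key sits one byte under the SHA-1 block size, is used verbatim by HMAC and cannot be shortened with the sha1(key) trick; and a 72-character cut gives exactly 45 bytes, inside the 48-byte message limit, which is consistent with the truncation being a transport-message limit rather than a database one.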

I see. Maybe they went down a bit by now, no idea. But the "if bigger than 64 bytes then sha1" is a neat little tidbit

My1, Feb 28 '23 06:02

after discussing with @0x0ptr it was agreed that in a future bundle release we could add a new store TOTP credential message to support 64 bytes. need to create a task in the minible repo for it...

limpkin, Mar 12 '23 10:03