Comment by Sanzig

Comment by Sanzig 6 days ago

16 replies

View on Hacker News

Hmm. I wonder if there would be a market for a super simple TOTP authentication device with an e-paper display. Kind of like those RSA tokens with the LCDs, but more modern and able to hold any number of TOTP credentials.

Getting the credentials loaded could be a bit of a pain without a camera for QR code scanning. Easiest solution would be via Bluetooth to a companion app, which you would probably want anyway for periodic time sync (likely wouldn't be worth it to embed a GNSS receiver just to update the time).

Probably be a pretty small market, but as a niche Kickstarter device? I could see a small but loyal customer base.

HappMacDonald 6 days ago

Sounds like a job for a second phone, one which you'd just be extra careful to only use for one purpose. It can be cheap as balls, but it will have a QR-compatible camera and whatever else we may have come to expect from such a device. :)

Reply View 1 reply
  • mystifyingpoi 6 days ago

    Yup. Just use a secondary 5-year old phone for dirt cheap. I was actually considering doing it once, but the convenience takes a hit.

    Reply View 0 replies
myself248 5 days ago

Make sure your GNSS receiver supports OSNMA, and be _extremely_ trusting of your battery-backed RTC and profoundly skeptical of time jumps over a certain magnitude.

GNSS spoofing is trivial now and it's an extremely useful way to manipulate a target device's idea of time, which breaks all sorts of things. (SSL certificate validity periods...)

Reply View 0 replies
worldsayshi 6 days ago

I would love this, but only if it also successfully implemented a few disparate authentication protocols that essentially do the same things (prove identity) but are regrettably proprietary - like the de facto standard electronic ID in Sweden, BankID.

Reply View 0 replies
hbn 6 days ago

Yubikey?

Reply View 4 replies
  • Sanzig 6 days ago

    Yubikey does TOTP on-board, but you need to connect it to a phone or computer (no display or on-board power). It solves a different problem, where you want to have your TOTP credentials on a tamper resistant hardware security module. It doesn't solve the "don't want to carry around a phone for TOTP" problem.

    Reply View 3 replies
    • bawolff 6 days ago

      This doesnt make sense. If you need a 2FA code then you are obviously using some device like a laptop already. Yubikey totally solves the "need a second personal device" problem.

      Reply View 0 replies
    • WhyNotHugo 6 days ago

      > It doesn't solve the "don't want to carry around a phone for TOTP" problem.

      It does—if you carry the Yubikey you don't need a phone.

      Reply View 0 replies
    • tigereyeTO 6 days ago

      If you read a six-digit pin from an e-ink display, you have to type it into your computer.

      If you grab it from a plugged-in yubikey, you can copy and paste it. That seems way easier

      Reply View 0 replies
tigereyeTO 6 days ago

A yubikey works great for this

Reply View 1 reply
  • lazyeye 6 days ago

    I used to use a yubikey but have now moved onto a fingerprint sensor and passkeys. Doesnt work for all sites but does for most of them.

    Reply View 0 replies
fifticon 6 days ago

they exist, in my country they are available as alternative to smartphone apps for identity auth. (ie you can choose between android, iphone, and TOTP LCD device.)

Reply View 0 replies