The Good USB Turns a Bad USB Into an Arduino-Based Two-Factor Authentication Dongle

Using the same hardware as a payload-injecting Bad USB, this Good USB serves as a physical dongle for TOTP-based two-factor authentication.

Gareth Halfacree
2 years ago · Security / HW101

Semi-pseudonymous maker Josh, of Optimum Unknown, has put together a homebrew two-factor authentication dongle powered by an Arduino or compatible — and, given its inspiration in the payload-injecting Bad USB project, he's dubbed the device the Good USB.

"Using two-factor authentication is a great way to add extra protection to your online accounts," Josh writes of the problem his project seeks to solve. "Looking up [the] codes on your phone and typing them in every time you access an important online account is a pain. There is always some time pressure to locate the code and type it in before it expires. It is easy to mistype the code. When you mistype you need to start all over."

The Good USB aims to offer a low-cost physical key for TOTP two-factor authentication. (📹: Optimum Unknown)

While there are commercial devices to take the pain away, Josh points out that they cost around $50 each — while software-based alternatives capable of automatically filling in the code required to authenticate are vulnerable to attack. The solution: a custom-built two-factor authentication dongle, created using common low-cost hardware and open-source code.

"You will need an Arduino that can pretend to be a keyboard connected to your computer," Josh writes. "I have had good luck with the Arduino Leonardo, SS Micro, and BadUSB. I like the BadUSB since it is a nice looking USB stick. These are frequently used for nefarious purposes, but instead, we are using them for good and that is why I call this project Good USB."

"The Arduino works with a companion app that runs on your computer. The companion app is what you use to tell the Arduino which of your accounts to type the code for. Optionally, you can add a button to your Arduino that will type the 2FA code when you press the button. Without the button, the Arduino will type the code 2 seconds after you select the account in the companion app."

The companion software is built in JavaScript and Electron, communicating with an Arduino firmware running on the physical device itself. The TOTP shared secret, the seed from which every code is derived, is stored on the Arduino as a hard-coded value in the sketch rather than on the host computer; it is not encrypted, however, and at present only one of the various two-factor authentication protocols, time-based one-time password (TOTP), is supported.

More details are available on Josh's website, while the project's source code has been published to GitHub under an unspecified open source license.

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.