Building a 2FA TOTP generator using a Raspberry Pi Pico and MicroPython
I have recently become very interested in microcontrollers, particularly the Raspberry Pi Pico. Not only is it ridiculously affordable (just over £3), but it also provides extensive scope for use in various projects. One such project I wanted to explore was building an independent Time-based One-time Password (TOTP) device.
I have been using the likes of Google Authenticator and Authy for many years but wanted to gain a deeper understanding of the specific building blocks that Time-based One-time Passwords are built upon. This led me to investigate the viability of building such a solution using a Raspberry Pi Pico, combined with MicroPython and the Pico Display Pack. Thanks to some great resources, I was able to do just that.
Features
The device provides the following features:
- Complete MicroPython implementation of the TOTP specification (including underlying HMAC-SHA1 and Base32 dependencies).
- Customisable background colours per TOTP.
- A progress bar to show how long until the TOTP expires.
- A flashing alert LED when the TOTP is about to expire.
- An initial configuration screen to set the current UTC time - to correct the Raspberry Pi Pico’s RTC.
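The TOTP, HMAC-SHA1 and Base32 building blocks named in the first feature, sketched as an added example that is not the project's own code. It assumes CPython's `hashlib` and `struct`, and all function names are hypothetical; the sample key is the published RFC 6238 test key, and the two timestamps show why the device's clock has to be correct.

```python
# Added illustration (not the project's code); function names are hypothetical.
import hashlib
import struct

B32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def base32_decode(text):
    # RFC 4648 Base32: 5 bits per character; padding, spaces and case ignored.
    bits = nbits = 0
    out = bytearray()
    for ch in text.upper().replace(" ", "").rstrip("="):
        idx = B32_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("invalid Base32 character: %r" % ch)
        bits = (bits << 5) | idx
        nbits += 5
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1
    return bytes(out)

def hmac_sha1(key, msg):
    # RFC 2104 HMAC over plain SHA-1 (64-byte block size).
    if len(key) > 64:
        key = hashlib.sha1(key).digest()
    key = key + b"\x00" * (64 - len(key))
    inner = hashlib.sha1(bytes(b ^ 0x36 for b in key) + msg).digest()
    return hashlib.sha1(bytes(b ^ 0x5C for b in key) + inner).digest()

def hotp(key, counter, digits=6):
    # RFC 4226: MAC the 8-byte big-endian counter, then dynamic truncation.
    mac = hmac_sha1(key, struct.pack(">Q", counter))
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "{:0{}d}".format(code % 10 ** digits, digits)

def totp(secret_b32, unix_time, step=30, digits=6):
    # RFC 6238: the HOTP counter is the number of whole steps since the epoch.
    return hotp(base32_decode(secret_b32), int(unix_time) // step, digits)

def seconds_remaining(unix_time, step=30):
    # Drives an expiry progress bar: seconds until the current code rolls over.
    return step - int(unix_time) % step

if __name__ == "__main__":
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test key, Base32-encoded
    for t in (59, 60):  # one second apart, but on either side of a step boundary
        print(t, totp(secret, t), seconds_remaining(t))
```

The two timestamps differ by one second yet yield different codes, which is why a device whose RTC drifts from UTC produces codes the server rejects.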
Usage
Once you have downloaded the project from GitHub, follow the instructions below to set up the device:
- Connect the Pico Display Pack to the Raspberry Pi Pico.
- Create a `codes.json` file (based on `codes.json.example`) that includes the desired TOTP keys.
- Flash the Raspberry Pi Pico with the latest MicroPython with Pimoroni Libs.
- Copy the codebase to the Raspberry Pi Pico.
- Upon boot, you will be required to specify the current UTC time (click `B` once set).
- Now you can cycle through your TOTPs using the `X` button.
Conclusion
I have been amazed at how easy it is for someone like myself, coming from a high-level programming background, to pick up MicroPython and build non-trivial systems using microcontrollers. I found researching and implementing the functionality that performed HMAC-SHA1 to be a lot of fun, allowing me to demystify what can seem to be a very magical process. Additionally, investigating how to set the Pico’s RTC was an interesting aside, combined with presenting this correction using a purpose-built configuration display screen.
Having success in completing this project has already sparked other ideas that I will discuss in upcoming articles!