Momentum-Apps

Flipper Authenticator

What is it?

Flipper Authenticator is a software-based authenticator that implements two-step verification services using the Time-based One-time Password (TOTP; specified in RFC 6238) and HMAC-based One-time Password algorithm. It is like Google Authenticator, but for Flipper Zero device.

How to get it?

If you don't want to build the app yourself then just pull FAP file from latest release and put it to your Flipper Zero device by copying it to /ext/apps/Misc. After that you should be able to run it on your Flipper.

How to build it?

Pull the repo with recursive submodule initialization and then run ./build.ps1 command to build the app. Once done FAP files will be available in the build directory.

Where is config file?

At first start app will create new config file (default location is /ext/apps/Misc/totp.conf).

Detailed description of file format can be found here

Is it secure?

Flipper Authenticator stores token secrets in config file in encrypted form. Encryption is done using standard Flipper Zero API, which states that it is using AES encryption with built-in into flipper secret key and initialization vector (IV) generated by the app at initial setup XOR-ed by user's PIN (or Flipper UID, if PIN not setup by user).

So in theory to get plain token secret it is necessary to have original Flipper Zero device where config file was generated and know user's PIN (if user setup PIN).

If user provides plain token secret manually straight to a config file, once app will be launched it will detect plain token, will encrypt it and will replace plain token secret with encrypted copy.

Let me know if you have an ideas of how we can make Flipper Authenticator even more secure.

How to support author?

• Buy me a coffee here or here
• BTC: bc1qu9k48q93uhvr9w5cn8fzz5yxuvh4e27c6hnczq
• ETH: 0xa12163eD56e35d3B38F7087B573384E40b2785e1
• DOGE: DAa3nu1RCWwxZdAnGVga77bgxDFP1nhahj