A C# .NET WinUI3 app to handle state-of-the-art OATH two-factor authentication.
This repository hosts the code for an open-source application designed to run on Windows, using the Windows Cryptography Next Generation API and managing key storage under modern paradigms, such as TPMs. The app also allows you to protect the encryption key with a password handled by Windows only. The app uses an MSSQLLocalDB database to store its encrypted data.
This app was designed for educational purposes only and it is not regularly maintained and/or audited. Thus, no matter how secure it should be, you really shouldn't use this app for anything really important. Should you decide to use this app for any real accounts, you should also back up any two-factor configuration QR codes or at least the recovery codes provided by each account you set up 2FA on, as any loss of access to the app data – even for just forgetting your password or changing some hardware – will lock you out of your accounts.
This section assumes at least some degree of technical knowledge regarding hashes, symmetric encryption, secure elements and databases.
When installed, the app sets up an empty local database, where it will store some data for every account you want to enable 2FA for. First, it identifies you based on your Windows user SID and asks you to create a local account for GetPass. The data required is minimal (a name) and is not communicated to nor seen by anyone else. This so-called registration only aims to create a secure AES key on your TPM, identified by this SID (which is stored in the database).
Whenever you want to add 2FA for a service, you will be asked to open an image of a QR code that the app reads to get all the needed information. It then encrypts the secret using the key it retrieves from the TPM and a dynamic IV, then writes everything to the database. The keys can be managed at any time.
As the user SID is used for primary authentication, data collisions among two or more users on the same computer are not a problem.
When you open the app, your saved 2FA accounts are displayed. When you click on one of them, the app tries to retrieve the key, and you will be asked for permission and your password. Then, the app fetches the encrypted data from the database and decrypts it using the key. The resulting secret, together with the current date and time in Unix format divided by 30, is passed through the SHA-1 algorithm (implemented manually) to generate and show the code for logging in during the next 30 seconds. The code is then updated at regular intervals as long as the app stays open on its corresponding page.
The best option to install it is by using the MSIX package provided in the `Package/` folder:
1. Install MSSQLLocalDB. Refer to this page for more info. Briefly, though: run the SQL Server Express installer, but do NOT install the full program; instead, download only the MSSQLLocalDB installer from the Advanced Options. Then run the newly downloaded `SqlLocalDB.msi` and install it at the default location, `C:\Program Files\Microsoft SQL Server\150\Tools\Binn\SqlLocalDB.exe`. After that, open the command line and type `"C:\Program Files\Microsoft SQL Server\150\Tools\Binn\SqlLocalDB.exe" create MSSQLLocalDB`, then `"C:\Program Files\Microsoft SQL Server\150\Tools\Binn\SqlLocalDB.exe" start MSSQLLocalDB`, and then `"C:\Program Files\Microsoft SQL Server\150\Tools\Binn\SqlLocalDB.exe" stop MSSQLLocalDB`.
2. Download the MSIX package from the `Package/` folder. If you trust this app, install the certificate used to sign it (found in Properties) under the Trusted People store.
3. Run the installer and wait for it to finish.
4. After the app opens, the My accounts tab should show a message that you haven't configured your account. If it displays an error, refer back to and double-check Step 1.
Alternatively, you can download the source code from the `GetPass/` folder and open it in Visual Studio 2022, provided you have support for .NET 7 and all the Windows SDKs, then run it in development mode.
If the explanations on this page seem to be lacking detail, please refer to the dedicated page on my website for more information regarding the concept behind this app.

