CubeAuthn transforms a Bluetooth-enabled Rubik's cube into a WebAuthn-compatible authenticator by using the cube's physical state to deterministically generate cryptographic keypairs for passkeys.
Note
Check out the demo video to see it in action or get it here on the Chrome Web Store!
Warning
This is a proof-of-concept implementation. Currently only supports the GAN 356 i3 smart cube.
Unlike traditional security tokens that store credentials, CubeAuthn uses the cube's physical state (one of 43 quintillion possible configurations) as part of a cryptographic seed. Keys are generated deterministically only during authentication, eliminating persistent credential storage.
- WebAuthn/FIDO2 compatible - works with any passkey-enabled website
- Deterministic key generation from cube state + secret
- No credential storage - keys exist only during authentication
- Optional Chrome sync/local support for secret
- Scramble verification before authentication
CubeAuthn explores a different approach to authentication security:
- No persistent keys: Cryptographic material is generated on-demand and never stored
- Physical dependency: Requires the cube in the exact physical configuration
- Reduced attack surface: No stored keys means no keys to extract via side-channel attacks
- Trade-offs: Bluetooth communication and browser extension architecture introduce their own vulnerabilities
- Architecture: Browser extension built with Plasmo framework
- Cube Interface: Web Bluetooth API for GAN i3 communication
- Cryptography:
- Ed25519 keypairs derived from cube state
- PBKDF2-SHA512 for key derivation
- AES-128 decryption of cube messages
- WebAuthn Integration: Intercepts
navigator.credentialscalls via content script injection - State Encoding: Cube configuration encoded as 64-bit integer using mixed-radix system
- Install from Chrome Web Store
- Connect your GAN 356 i3 cube
- Register cube MAC address
- Set your secret scramble
- Authenticate on any WebAuthn site
Star the repo, submit PRs, and connect on LinkedIn!
- Tell the user if their mac address isn't setup in the overlay
- Setup the key gen properly, generate a random id with each key that is generated - this can be hashed with the secret+cubeNum to generate the private key
- Setup the key decoding on for the authentication - calculating the private key from hashing the secret with the given cube number
- Setup the authentication to actually work
- Fix state management so when we re-register the cube is correctly displayed
- Have a random UUID generated for each request from bg -> cs/tab so we don't get confused with multiple requests
- Use an Iframe to display a tab page which handles the connection to the cube
- Using an Iframe will require the user to click an extra button, but will not show the user that the extension is trying to connect to the cube - worse UX for no greater security.
- Sidebars CANNOT be used practically either as they cannot be opened upon navigator.credentials.{create, get} functions being called
- The only solution here would be to open a popup window/new tab to let the user authenticate with the cube.
- Have an option to use a virtual cube (for testing)
- Add a timeout timer so we don't overrun the given timeout from the site
- Make a WASM script to brute force the MAC address on onboarding
- Make sure we set the secret to undefined when the user chooses to do so
- Allow the user to encrypt the secret with a device passkey as an extra layer of security