Show HN: AuthWin – Authenticator App for Windows (authwin.com)

3 points by yashg ↗ HN
I have been using Authy on desktop to generate TOTP for 2FA. Recently got a message that they are shutting down the desktop client. I tried looking for a stand-alone and simple (as simple as Google Authenticator) app for Windows but did not find any, so I built one myself. It can generate Time-based OTP and can also import the QR code exported from Google Authenticator.

Currently it supports only TOTP because that's what most services seem to use.

The app utilises -

OTP.Net for TOTP generation https://github.com/kspearrin/Otp.NET

ZXing.Net for reading QR codes https://github.com/micjahn/ZXing.Net

QRCoder for creating QR codes https://github.com/codebude/QRCoder

Google protobuf for reading Google QR code protobuf message https://github.com/protocolbuffers/protobuf

Utilising .proto file from https://github.com/scito/extract_otp_secrets

10 comments

[ 2.6 ms ] story [ 39.1 ms ] thread
Very nice, thank you very much for this. I didn't run it yet, but reading through your page I see no self-defence mechanisms, like master password, data encryption, windows hello integration and such. How safe the app really is?
The accounts data is saved in an encrypted file. Didn't implement any master password etc because I do not see a need. It's an OTP generator. A hacker would first need to know your main login and password and the have access to your computer in order to generate the OTP. Not different than someone having access to your mobile and accessing Google Authenticator. Even Google Authenticator doesn't have any primary password. It can be implemented easily though because the file is already being encrypted. All I need to do is ask the suer to provide the password instead of using a hardcoded key.
FreeOTP+ on android does have "android hello" integration. In other words, I can hook it up to my fingerprint, same like my bank apps. Always remember: security is like onion skin and works best in layers. The more layers we have - the better. That's because not everyone's use case is the same and not all hacking attempts are the same. Here's a simple example: if I'm using a portable browser that already has all of my passwords saved, and I'm using your app in portable mode, then, a hacker can have all of my keys just by getting my files, even from a backup. So, as always, striking a balance between convenience and security is a delicate matter, and every little bit of that onion skin matters. Thanks.
Yup even Authy mobile app has fingerprint integration. Thanks for your feedback.