TOTP: It's not Google Authenticator

I’ve been meaning to write about this since Twitter announced that only the eight-dollar-checkmark class would have access to SMS-based 2-factor authentication (2FA)1. Infosec circles got back into heated debates about the security implications of SMS-based authentication compared to the risk of losing access to the more-secure option of TOTP. This post isn’t really about that debate, but the major takeaways from either side are that:

User friction is a very real issue, and TOTP will always be more frictional than SMS; I can’t solve that in this post. Personally, I prefer to use TOTP when available due to the risk of a SIM-swapping attack2. This post, however, is more concerned with the matter of keeping your secret portable and within your control if you decide to use TOTP for 2FA.

If you’ve made it this far without knowing what TOTP is, well, that’s almost certainly by design. I would hazard that most people who are aware of it know it exclusively as Google Authenticator. Getting an increasingly-vital, open standard to be almost exclusively associated with one shitty app from one shitty company is certainly very good for that company, but very bad for everyone else. So the first order of business here is to clarify that whenever you see a site advertising 2FA via ‘Google Authenticator,’ what they actually mean is TOTP, or more accurately RFC 6238, an open standard3. Additionally, if you’re reading this and you currently implement TOTP on a site you manage or are planning to, I implore you to describe it accurately (including Google Authenticator as one of several options, if necessary) rather than feeding into the belief that the magical six-digit codes are a product of Alphabet.

So what, then, is TOTP? Even if you know it isn’t A Google Thing, the mechanism by which a QR code turns into a steady stream of six-digit codes is not entirely obvious. This is, typically, how we set up TOTP – we’re given a QR code which we photograph with our authenticator app, and suddenly we have TOTP codes. The QR code itself contains just a few pieces of URI-encoded data. This may include some specifics about the length of the code to be generated, the timing to be used, the hash method being used, and where the code is intended to be used. Crucially, it also contains an important secret – the cryptographic key that, along with a known time reference, is the foundation from which the codes are cryptographically generated. Essentially, a very strong password is kept secure, and from this an easily-digestible temporary code is generated based on time. Because it comes from a cryptographic hash function, exposing one (or more) of these codes does not have the same security implications as exposing the key itself.

Keeping the key itself secret is, in fact, extremely important. Vendor lock-in aside, I assume this partially contributes to the opacity of what happens in between scanning the QR code and having a functional 2FA setup. A large part of the debate over whether ‘Google Authenticator’ is a good 2FA solution is the fact that once your secret is in the Google Authenticator app, it is not coming out. If your app data gets corrupted, or if something misbehaves during a phone transition, you’re out of luck. Hopefully you’ve kept the recovery codes for your accounts safe somewhere. If to you, as to most people, TOTP means Google Authenticator, then this is a very real concern. One goof could simultaneously lock you out of all of your accounts that are important enough to you that you enabled their 2FA.

When I was de-Googling myself years ago, I went through the somewhat-laborious process of generating all new codes to put into Authy. In addition to (or in lieu of, I’m not entirely sure) local storage, Authy keeps your TOTP info in the cloud, allowing you to keep several devices in sync, including a desktop app. While this is a better solution than Google Authenticator, I’m not linking to it as I still think it’s a pretty bad one. The desktop app is an awful web-browser-masquerading-as-desktop-software creation. The system of PINs and passwords to access your account is convoluted. And, while in theory you can put the desktop app into a debug mode and extract your data, there’s no officially-supported path toward data portability. The unofficial method could go away at any time; in fact, while I will credit Indrek Ardel with the original method4, it seemingly no longer works and one must find more recent forks that do. On top of this, the aforementioned bad desktop app and confusing set of passwords meant that it was still just easier to start fresh with new codes when I recently switched away from Authy. Finally, Authy is another corporate product. It’s owned by Twilio, and they seem to want a piece of that lock-in pie as well, offering their own 2FA service that is a quasi-proprietary implementation of TOTP5, as outlined by Ardel.

For years, I’ve been using various KeePass implementations in conjunction with one another as a portable password management solution. I can keep a copy of the database in my OneDrive (or whatever cloud storage I happen to have access to; right now it’s OneDrive but frankly that’s because it’s cheap — not because it’s good) and have access to it from my phone and various computers. I can sync copies to flash drives if necessary, or drop a copy on an M-Disc with other important files to stash in a safe. I was, for a long time, using an unmaintained fork, KeePassX, because it simply vibes better with how I want computers to look and feel than its replacement, KeePassXC does. On mobile, I’ve been using Strongbox6. At some point, I noticed they added support for TOTP codes! The app will happily scan a QR code and add the relevant data to an entry.

This was interesting and novel, and I was already thinking about moving all of my codes into it, simply because storing them that way meant the data was easily recoverable. If I wanted to switch again in the future, I now had access to the secret and any other relevant parameters, and could generate a new QR code from them if need be. But then I happened to notice that KeePassXC, the desktop software I had been avoiding, also supports TOTP codes. And Strongbox’s implementation is fully compatible with KeePassXC’s! This changed things – suddenly this was a portable solution for accessing my TOTP codes and not merely the data behind them. I generated new codes for everything I use (and upgraded my security on a few things that had implemented TOTP without my noticing) and ditched Authy.

While you can add TOTP codes directly in the KeePassXC desktop app, you can’t do it directly from a QR code. Windows is fond of capturing screenshots to the clipboard7; I would love to see an option in KeePassXC that scans an image in the clipboard for a QR code (and then clears the clipboard). Getting codes out is extremely straightforward. Since the data is just in normal entries in my database, a code I scan in via Strongbox will show up in KeePassXC once OneDrive catches up. It is worth noting that this rather shatters the ‘something you know / something you have’ model of 2FA, but the flexibility is there to manage codes and passwords however the user is comfortable. The most important aspect for me was liberating my TOTP data from a series of lockboxes for which I lacked the key.

Ultimately, I don’t think average users care much about data portability until they’re forced to. By the time their hands are forced, the path of least resistance tends to just be to stick with the vendor that’s locked them in8. With TOTP, the ramifications of this can be extremely annoying. More importantly, however, I think Google has done a very good job at preventing users from even knowing that TOTP portability is possible. Whether I convince anyone to store their codes in KeePass databases or not is immaterial; I really just want people to know they have options, and why they might want to use them. I want people to give just a small amount of thought to the implications of having a login credential that you not only have zero knowledge of, but also have zero access to. Frankly, I want people to stop doing free advertising for Google. And finally, I genuinely want a return to an internet where, occasionally, we make our users learn one little technical term instead of letting multi-billion dollar corporations coöpt everything good.

Unicode bloats and emoji kitchens

Unicode 13 is coming, and bringing with it a handful of exciting things. Particular to my interests is a new Legacy Computing section with characters like seven-segment display numerals and graphics characters like those found on the Commodore 64 and other machines of the era. Of course, new emoji are coming as well, including among other things a magic wand, a beaver, and the trans pride flag (finally!). Unicode is doing a lot of necessary language work behind the scenes as well; the 12.

Cats, dogs, and birbs (according to my phone)

2021-02 update: Because the turds at Viacom have removed all of the cross-posts of Garfield comics from, I have changed the link to the Garfield comic in the birds section to point to GoComics. This is bullshit.

I’ve never really used iOS’s automatic thing-detection for photo categories before, but I was looking for a specific picture of a dog from my ~8 years worth of photos, so I gave it a shot.

The 231 photos my phone thinks are of cats include:

The 214 photos my phone thinks are of dogs include:

The 76 photos my phone thinks are of birds include:

NIRB, Birb don’t want nirb scirbs a scirb is a birb that can’t get nirb lirb from birb!

Part Time UFO

Somehow, I missed that HAL Laboratory (creators of the Kirby franchise) had broken into the mobile market earlier this year with the game Part Time UFO1. I tend to be oblivious to even these big mobile releases because I’m just generally not that into the mobile game scene2. Touch controls are limiting at best, and the market is saturated with free-to-play snares. If anybody is going to release a mobile gem, though, HAL is bound to, so I snatched this thing up as soon as I heard about it.

In Part Time UFO, you control a flying saucer (oddly reminiscent of UFO Kirby) with a claw-game-esque grabber attached to it. Every level has a bunch of objects, and a place to put them. Some of the objects are mandatory, others might net you extra points or help you meet a bonus goal. The primary goal is usually straightforward – put all of the important objects on the target, get five objects on the target, get the objects to fit a particular shape on the target, etc. Each stage additionally has three bonus goals. One is usually a timer, and the other two either involve stacking things perfectly, not dropping things, stacking more things than required, etc. The real trick comes from the fact that the target area is small, so you pretty much have to stack things. The physics of swinging something four times your size from a flaccid claw make this stacking less than simple.

The levels are adorably-themed, and the themes tend to influence the overall challenge. For instance, my least favorite are the ‘Lab’ levels, which require you to fit Tetris-like blocks into a precise shape – which feels like a bit much going on all at once. But this adds a nice bit of variety, I think there will be some themes that a given person really looks forward to unlocking more of, and some that are less captivating (though still enjoyable).

Points equate to money, and money can be used to buy new outfits for the UFO. Aside from being cute (and occasionally referential to other HAL properties – Kirby’s parasol comes to mind), these affect the control of the UFO in various ways. Certain challenges benefit more from some outfits than others, but generally it seems like you can pop one on that gives you a boost in control that makes you more comfortable, and just leave it. I made the mistake of buying a speedy outfit first, and became very quickly frustrated with the game.

Make no mistake, the game can be frustrating. But never to the point where it feels insurmountable or stops being fun. Part of it is probably just how charming and sweet the whole thing is. The challenges are goofy (stacking cheerleaders, balancing hamsters on a circus elephant, and of course placing cows onto a truck), and even when successfully completed, the end result is often uproarious. This is one thing I wish they had included – some kind of gallery feature of all your wacky stacks.

I haven’t completed the game yet, so I’m not sure how many levels there are. I definitely think it’s worth $43 – it’s just so joyful, well-polished, and fun – everything I expect from HAL. I do think the default controls – a fake analog stick and button type deal – are awful. That control scheme is bad enough for games in landscape orientation, but even with my tiny hands and Plus-sized phone, I could not figure out how to hold my phone so it would work. Fortunately there’s a one-handed control that’s a little bit awkward, but still streets ahead of the faux stick.

The death of Miitomo

Well, damn. Come May 9, Nintendo is shuttering Miitomo. I don’t know that it was ever terribly popular – it was Nintendo’s earliest venture onto mobile, but it wasn’t really a game. There were some game-like elements, primarily throwing your body into a pachinko machine to win clothes, but ultimately it was a dollhouse. A game of dress-up.

Entertainment, in all forms and across all media, is often a tool for escape. Some wish to lose themselves in a setting, others as a passive bystander in a plot, still others seeing pieces of themselves in fictional characters. A dollhouse experience is largely concentrated on this third aspect – expressing yourself, consequence-free, as this blank canvas of a person. While certainly a valid means of escape for anyone, this seems especially valuable to trans folks and people questioning their gender identity. The answers and comments on in-game questions revealed a staggering number of trans Miitomo users. I don’t really know of another game of dress-up that will serve as a viable replacement to Miitomo, and this is heartbreaking.

The May 9 date will put Miitomo’s lifespan at just over two years. Unfortunately, the app is entirely dependent upon the service, and assets users have acquired will not be retained locally, etc. While it seems plausible that local copies could be downloaded so that users could still fire up the app and change into any number of outfits they had previously purchased1, this will not be the case2. This is not a matter of ‘no more updates’, this is ‘no more app’. And that’s… a fairly short lifespan, even for a niche non-game. This absolute dependence on hosted assets makes me wonder about some of Nintendo’s other mobile forays. When Super Mario Run stops being worth the upkeep, will there be no more updates, or will the game cease to function altogether? Nintendo is in a weird spot where a lot of their casual gaming market has been overtaken by mobile. Obviously they want to get in on that and reclaim some market, but they just haven’t proven that they quite ‘get it’ yet. Or perhaps rendering a game entirely ephemeral is meant to prove to us the value of a cartridge. I… doubt it.

On January 24, Nintendo stopped selling in-game coins and tickets3 for real-world money. Daily bonuses, which used to be a handful of coins or a single ticket, are now 2,000 coins and 5 tickets every day. That’s a lot of in-game purchasing power for the next few months, and I’m glad that Nintendo is saying ‘here, just go nuts and have fun while it lasts’. Better than making this announcement on May 1, and operating as usual (including in-app purchases) until then.

I am truly sad about this; Miitomo has been oddly important to me. There is a lot of sadness and anger in the answers to the public in-game question running until May 9, ‘What was your favorite outfit in Miitomo? Show it off when you answer!’ Users are elaborately staging Miifotos with dead-looking Miis stamped ‘DELETED’, Miis crying on their knees, demonic-looking Miis labeled ‘Nintendo’ standing over innocent-looking Miis labeled ‘Miitomo’ with table knives sticking out of them. Ouch. We have #savemiitomo, #longlivemiitomo, #justice4miitomo (bit extreme, that) hashtags popping up. Suffice it to say, there is a frustrated community. I’ll be the first to admit that it never would have had the prominence of a Super Mario Bros. or Animal Crossing game, but Miitomo has been very meaningful to a lot of people.

As Queen, I keep dying

This post might contain spoilers for the games Reigns and/or Reigns: Her Majesty.

Reigns was a game that really kind of blew my mind when it came out. I guess the idea was to sort of frame a narrative around Tinder-esque interactions, which I didn’t really grasp (Tinder seems like the polar opposite of how I wish to find a mate). To me it was just this story, played over a whole bunch of games (some of which you had to fail), each game potentially affecting future games, and all handled via this incredibly simple decision tree mechanic. For the most part, you have two decisions at any given time (swipe left or right, that’s the Tinder-y bit). It was an oddly engaging game.

Now, in Reigns, you played as a king. So if they were to make a sequel, it would only be fitting that you would play as a queen. This is Reigns: Her Majesty. I don’t really make a habit of reviewing mobile games1 on this blog, but Her Majesty is fucking phenomenal. I don’t know if Leigh Alexander was involved in the first game, but she definitely has a writing credit on this one, and it shows. Reigns was clever, but Her Majesty is ridiculously tight, smart, and progressive.

Part of my draw to the game is likely bias — you play as a woman, a woman who I deeply respect wrote the thing, and the entire game just oozes with femininity and feminism. This has always been a sticking point for me, I will become far more invested in a game where I can play as a woman vs. one where I’m stuck as a man. That’s not necessarily a knock on any given game (or unwarranted praise on any other given game), it’s just my bias. But, trying to look past that bias, this Queen’s world undeniably gives Her Majesty far more depth than its predecessor.

If you never played the first game, it’s worth briefly describing what swiping left or right accomplishes. For any given scenario, swiping either direction may raise or lower one or more of your piety, popular favor, might, or financial2 stats. If any given stat maxes out or reaches zero, you die. This is the same in Her Majesty, but there’s a much bigger struggle (at least, how I’ve played it) with the church. Part of this is that a major aspect of the plot involves astrology and the occult, and diving into that essentially requires you to defy the church. Part of it is that you’re constantly given the opportunity to flirt with all the other women in the game and I mean, how could you not!? Oh, and occasionally the Cardinal asks you to conceal your pendulous melons (or something), which… no, I dress how I want.

And this is why I think the feminine aspect really gives the game depth. Personally, I find it hard to play in a way that defies my feminist sensibilities (and, in fact, a random owl occasionally pops up to tell you how feminist you are or situate you in various fandoms3), but this is often detrimental to my score – you are, after all, ‘just’ the Queen, and in a sense must maintain your place. But beyond my personal hangups, this still adds a great depth to the game. Choices aren’t as clear-cut, and your level of control isn’t always what it seems. Layer the whole astrological woman magic icing on top, and it’s an even more impossibly complex swipe-left-or-right game than Reigns.

This complexity and my desire to be an empowered Queen means that I have been losing very quickly, very often. Which might be grating in a lesser game, but somehow losing Her Majesty usually feels pretty damned virtuous.

Animal Crossing: Pocket Camp

Animal Crossing: Pocket Camp has been available stateside for about a week now, and it is… strange. This post on ‘Every Game I’ve Finished’ (written by Mathew Kumar) mirrors a lot of my thoughts – I would recommend reading it before reading this. I haven’t really played a lot of Animal Crossing games before, and I tend to avoid free-to-play1 games. The aforementioned post is largely predicated on the fact that Pocket Camp doesn’t fully deliver on either experience. Which, I guess I wouldn’t really know, but something definitely feels odd about the game to me.

Early in his post, Kumar states that ‘[Pocket Camp] makes every single aspect of it an obvious transaction’, which is comically true. My socialist mind has a hard time seeing the game as anything but a vicious parody of capitalism. My rational mind, of course, knows this is not true because the sort of exploitative mundaneness that coats every aspect of the game is the norm in real life.

This becomes even more entertaining when you observe how players set prices in their Markets. For the uninitiated, when your character has a surplus of a thing, they can offer that thing for sale to other players. The default price is its base value, but you can adjust the sale price down a small amount or up a large amount. Eventually you’ll likely just max out your inventory and be forced to put things up for sale in this Market. More eventually, you’ll max out the Market and be forced to just throw stuff away without getting money for it. But in the meantime, people (strangers and friends) will see what you have to offer and be given the opportunity to buy it.

For the most part, if you need an item (I use the term ‘need’ loosely), it is common, and either hopping around or waiting a couple of hours will get you that item. So there should be no reason to charge a 1000% markup on a couple of apples. But (in my experience thus far) that is far more common than to see items being sold for the minimum (or even their nominal value). I don’t know if it’s just players latching on to the predatory nature of free-to-play games or what, and I’m really curious to know if it works. I’ve been listing things in small quantities (akin to what an animal requests) for the minimum price, and while I’ve sold quite a few items, most still go to waste – I can’t imagine anything selling at ridiculous markups.

So far this description of a capitalist hellscape has probably come off as though I feel negatively toward the game, which I really don’t. To return to Kumar, he leaves his post stating that he hasn’t given up on the game yet, but ‘like Miitomo, the first time I miss a day it’s all over.’ This comparison to Miitomo is apt, and a perfect segue into why I’m invested in this minor dystopia.

Miitomo (another Nintendo mobile thing) is really just a game where you… decorate a room and try on clothes. You answer questions and play some pachinko-esque minigames in order to win decorations and clothes, but it’s basically glorified dress-up. It seems like mostly young people playing it, but it’s also just a wonderful outlet for baby trans folks, people questioning gender, and any number of people seeking a little escape. I find Miitomo to be very valuable and underrated, and a lot of the joy Miitomo brings me is echoed by Pocket Camp.

While the underlying concept behind Pocket Camp is that you’re a black market butterfly dealer or whatever, there’s also a major ‘dollhouse’ component to it. You buy and receive cute clothes and change your outfits, which has no bearing on the game. You buy things to decorate your campsite which (effectively2) has no bearing on the game. You can drop 10,000 dollars bells on a purse that does nothing but sit in the dirt looking pretty. I guess it’s hypocritical to praise this meaningless materialism, but it’s a nice escape. A little world to mess around in and make your own.

I don’t know how long I’ll obsessively island-hop the world of Pocket Camp, but I think that (like Miitomo) once the novelty wears off, I’ll still pop in to play around with my little world when it occurs to me to do so. And the whole time, in my mind, it will remain a perfectly barbed satire on capitalism.

Super Mario Run

So, Super Mario Run has been out for half a day or so now, and I’m sure more meaningful opinions than mine are bouncing around all over the internet. It’s just too juicy to not set my own uninspired thoughts in pink internet stone, however. I’ve always been a Nintendo fan. These days I really don’t game much at all. The occasional weird indie, a nostalgic retro re-release here and there, but mostly if I’m gaming on a screen it’s either a roguelike on the computer or a board game adaptation or point-and-click (point-and-tap?) adventure on the phone. The last consoles I’ve owned were the original Wii and DS Lite. All this to say, having a Nintendo side-scroller on my phone is ridiculously exciting. The game is a ton of fun, well worth the cost of entry, and generally feels very much like a Super Mario Bros. game. A few thoughts:

A night of Pokémon Go

Tonight marked my first night spent actively hunting Pokémon; it was, in fact, the first time I’d ever bothered to catch one outside. Finding new critters in new places, seeking out pokéstops with lures attached, comparing notes with a friend… this was all fun but predictable. I guess I just also haven’t been on an evening walk in a while1, because the whole meatspace community aspect of the thing was new, and very unlike what I expected.

Walking through our main town park, which was technically closed since it was after dark, was fascinating. Where there were pokéstops, there were just masses of people huddled together… enough where it seemed rather unlikely to me that all these people actually knew each other… little social gatherings were forming in the middle of the night just out of the desire to catch virtual monsters. And while the basic idea here wasn’t surprising, the sheer scale of the groups, the sheer number of people glued to their phones and alerting others to the presence of a Goldeen really wasn’t something I had anticipated.