How it works
- Secrets are imported as Base32 strings and encrypted with AES-128 before being written to EEPROM.
- The firmware keeps an 8-byte Unix epoch counter in plaintext (for simplicity; the time is not secret, only its accuracy matters) and advances it with the SAMD21 millisecond timer.
- Every 30 seconds the device computes `Truncate(HMAC-SHA1(secret, floor(epoch / 30)))`, the RFC 6238 TOTP value: the step counter is packed as an 8-byte big-endian integer, the HMAC is dynamically truncated, and the result is reduced modulo 10^6 to the 6-digit code shown on the OLED.
Adding a TOTP secret
- Unlock the device and open the credential you want to protect.
- Use the local web manager or CLI to paste the `otpauth://` URI provided by the service.
- The tool extracts the `secret=` parameter and sends it once over the secure serial channel.
- ZeroKeyUSB encrypts the secret, stores it in the TOTP page, and flags the slot as 2FA-enabled.
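The two procedures above, from pasted `otpauth://` URI to the 6-digit code the device displays, as an added host-side example in Python. This is not ZeroKeyUSB's firmware or web-manager code. The key and timestamps are the RFC 6238 Appendix B test vectors, the sample URI's label and issuer are constructed for this example, and the one-step acceptance window in `code_accepted` and all function names are assumptions made for illustration. The importer also enforces the limits this page states (SHA-1 only, 6 digits, 30-second step) instead of silently importing a secret the device could never produce valid codes for.

```python
"""Added example: otpauth:// URI -> Base32 secret -> RFC 6238 TOTP code, plus a
clock-drift check.  Not ZeroKeyUSB project code; names and sample data are
constructed for illustration."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# RFC 6238 Appendix B key ("12345678901234567890") in its Base32 form.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# Constructed sample URI; the label and issuer are made up for this example.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=" + RFC_SECRET_B32 + "&issuer=Example&algorithm=SHA1&digits=6&period=30")

PERIOD = 30   # step length this page describes
DIGITS = 6    # code length this page describes


def decode_base32_secret(text: str) -> bytes:
    """Decode a Base32 secret the way services hand it out: tolerate spaces,
    lowercase and missing '=' padding (all common in otpauth URIs)."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def parse_otpauth(uri: str) -> dict:
    """Pull the secret= parameter out of an otpauth://totp/ URI and refuse
    anything this device cannot honour (only SHA-1, 6 digits, 30 s are implemented)."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("expected an otpauth://totp/ URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("URI has no secret= parameter")
    if params.get("algorithm", "SHA1").upper() != "SHA1":   # SHA1 is the URI default
        raise ValueError("only SHA-1 is implemented; refusing " + params["algorithm"])
    if int(params.get("digits", DIGITS)) != DIGITS or int(params.get("period", PERIOD)) != PERIOD:
        raise ValueError("device only produces 6-digit codes on a 30 s step")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": params["secret"],
        "key": decode_base32_secret(params["secret"]),
    }


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then modulo 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, period: int = PERIOD, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: the step counter is floor(epoch / period)."""
    return hotp(key, unix_time // period, digits)


def code_accepted(key: bytes, device_epoch: int, host_epoch: int, window: int = 1) -> bool:
    """Would the code shown for the device's (possibly drifted) clock be accepted
    by a verifier that checks +/- `window` steps around the true time?  The
    one-step window is an assumption; RFC 6238 leaves its size to the verifier."""
    shown = totp(key, device_epoch)
    true_step = host_epoch // PERIOD
    return any(hotp(key, true_step + d) == shown for d in range(-window, window + 1))


if __name__ == "__main__":
    entry = parse_otpauth(SAMPLE_URI)
    for t in (59, 1111111109, 1111111111, 1234567890):
        print(t, totp(entry["key"], t))
    print("20 s slow, still accepted:", code_accepted(entry["key"], 1111111091, 1111111111))
    print("90 s slow, rejected:      ", code_accepted(entry["key"], 1111111021, 1111111111))
```

The codes printed for the four timestamps are the last six digits of the RFC 6238 SHA-1 vectors, which is a quick way to confirm that a device's display, a host tool and the service all agree on the same secret and step. The drift check shows why resyncing matters: a clock that is one step behind still verifies at a typical server, while a few steps behind does not.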
Viewing codes
- Credentials with a TOTP secret show a `2FA → Touch to view` prompt beneath the password.
- Tapping the center pad reveals the current 6-digit code and a countdown ring that refreshes each second.
- The screen auto-hides after 15 seconds of inactivity to keep codes private.
`REQTIME` and waits for the host to send the time once.
Keep it accurate
- Epoch Synchronization: understand how ZeroKeyUSB tracks Unix time and how to resync when drift occurs.
- Web Time Sync Tool: step-by-step guide for using the browser-based utility to keep the TOTP clock aligned.
Supported algorithms

| Algorithm | Status | Typical use |
|---|---|---|
| SHA-1 | ✅ Implemented | Most consumer services (Google, Microsoft, GitHub) |
| SHA-256 | ⏳ Planned | High-security deployments |
| SHA-512 | ⏳ Planned | Enterprise authenticator suites |

An `otpauth://` URI whose `algorithm=` parameter is anything other than `SHA1` (the default when the parameter is absent) should be refused at import time until those hashes are implemented: a code computed with the wrong hash will never verify, and the failure only shows up at login.
Best practices
- Resync time after long storage or travel. The epoch counter is advanced by the SAMD21 millisecond timer, which only runs while the device is powered, so the clock falls behind by however long the device was off. Time zones themselves do not matter, since TOTP uses the UTC epoch.
- Keep an offline backup of your credentials before performing a factory reset.
- Treat printed or exported TOTP secrets as highly sensitive material: anyone holding the Base32 secret can generate valid codes for that account indefinitely.