Google Auth 2FA TOTP Client for Samsung Gear, Android, Android Wear, Fitbit

Purpose

An idea was to have a Google Auth/2FA TOTP Client running on all Android-bound phones and watches. It includes:

  • Contemporary high end Android phones running ver 6.0 or higher
  • Contemporary Samsung Gear devices such as Gear S2, S3, Sport, Galaxy
  • Android Wear watches
  • Fitbit Versa and Ionic watches

The major benefit is that it integrates phone’s, Wear and Gear’s 2FA apps in a single solution and allows transferring accounts between peers in any direction: from phone to watch or vise versa. There is no need for Google’s stock app anymore, because the companion includes all GA functionality and adds features that stock GA app is currently missing.

The companion allows scanning Google’s QR bar code, which is a client/server shared secret used for generating one time passwords (OTP).

In addition, the Android’s companion can be also used to backup and restore all 2FA accounts. Backups could be encrypted using a password based encryption (PBE) with HMAC signature intended for verifying  backup’s integrity (e.g. signature verification will fail if a password is not valid).

Plain backups are also supported, but not recommended, since they are stored in Android’s “Download” directory that can be accessed by other applications that are granted “read storage” permission.

Using Google Drive for backup/restore operations makes syncing accounts across all your Android, Gear and Wear devices simple.

Where and How to Start

To create a 2FA account on your phone using this app, you’ll need a shared secret, which is a Base32 code generated by your 2FA provider. How to get that code depends on a provider and the code is generated at the time when you enable 2FA in your web app. Instructions for getting the code for all Google accounts are provided here:

https://credelius.com/?p=108

However, those instructions change often, so the best way is to read recent 2FA enabling instructions for each provider. The app was tested and actively used with the following 2FA providers:

  • Google
  • WordPress
  • Twitter
  • Fastcomet
  • DHS
  • Sonic Internet Provider

The number of websites supporting 2FA grows fast and the list above will grow as well. Check also this to learn what other websites support TOTP: websites supporting 2FA

App Flavors and Their Usage

How to Choose Right App in Google Play Store

There are two apps in Google’s Play store and the simple guidance below will help you to make the right choice.

  1. “GAC – 2FA TOTP Auth Client ” supports Samsung’s Gear and Android Phone. Choose this one if you want to have an authenticator that works as a standalone app on an Android phone, or if you want an Android phone and Gear app to work together. The Android app is free,
  2. “GACW – 2FA TOTP Auth Client for Wear” is very similar to the first one, except that in addition to Gear, it supports Android Wear and Fitbit devices as well. It also doesn’t have any ads. Choose this one if you need support for both Gear and Wear or Fitbit devices, don’t like ads, and don’t mind to spend $2.

How to Choose Right App in Samsung Store

There are three GAC apps in Samsung’s App store, and the guidance below will help you to to select the right one:

1. First Client for 2FA TOTP Google Authenticator without Android’s companion was created in 2015, supports many legacy devices such as Gear, Gear 2, Gear Neo, and Gear S, along with newer Gear S2, Gear S3, and Gear Sport. Buy this application only is you need support for legacy devices. If you have S2, S3 or Gear Sport, consider other two choices.

NOTE: This app has been decommissioned since 11/9/2019 due very low demand and confusion coming from not reading instructions.

2. Client for 2FA TOTP Google Authenticator with Companion was created in 2017, supports Gear S2, S3 and Sport only, and requires Android’s companion to work. Use this app if you have S2, S3, Sport, or Galaxy and like additional Android’s companion features such as bar code scanning and backups, and don’t need support for Android’s Wear and Fitbit devices.

3. “GACW – 2FA TOTP Google Auth Client for Gear, Wear, Android” was created in 2018, has the same functionality as “Client for Google Authenticator with Companion”, but in addition, it also supports Android’s Wear devices. Use this app if you have Gear S2, S3, Sport or Galaxy, and need support for Android Wear or Fitbit watches as well. It’s free in Samsung store, but GACW companion will cost you $2 in Play Store, so in the end the price is the same as for other two.

Prerequisites

Supported Phones

  • All Android Phones with Android version 6 and higher should be supported
  • iPhones are not supported and there is no plans to support it in the future

Supported Smartwatches

The following Gear devices are supported:

  1. Gear S2
  2. Gear S3
  3. Gear Sport
  4. Galaxy

The following Fitbit devices are supported:

  1. Ionic
  2. Versa

Theoretically, all Android Wear devices should be supported by GACW as well. Since there are too many of different models in this category, we were not able to test all of them, so if you see any problem with your specific Wear watch model, please provide device details to us and we’ll try to fix.

The minimum Android version to run the companion app is Android 6.0

Downloads

  1. Android application can be downloaded from Play Store: GAC or GACW
  2. The most universal way of installing GAC application on Gear device is through Samsung’s Android Gear App: Gear App. To install GACW on your Wear watch, use Android’d Wear OS app.
  3. If you browsing apps from a Samsung’s Galaxy device, you can also try a direct link for GAC, but it doesn’t work in all browsers even on Galaxy devices:

Available on Samsung Galaxy Apps

Refunds, Reviews, Donations

Please check Google’s Play Store and Samsung Galaxy App Store refund policies before purchasing any paid app. Please also notice that Google and Samsung usually charge taxes and marketplace maintenance fees that only they can refund, so contacting them for a refund is your best option.

Samsung app store refund policies: https://www.samsung.com/us/support/answer/ANS00076970/

Google play store refund policies: https://support.google.com/googleplay/answer/2479637?hl=en

PLEASE READ THE POLICIES ABOVE AND DON’T BUY AN APP IF YOU DON’T AGREE WITH THE PROVIDED RULES.

If you submit a review, especially negative one, please provide as many details as you can, so we can review and help. We’ve seen quite a few responses without any details, and helping in those cases is difficult. Please also read this wiki for a quick start.

You can provide the details either in this wiki’s comments, or send a direct email to the admin whose email address can be found in the app’s description.

Expenses for supporting various Android and smartwatches apps are much bigger than income generated by app stores so far. Real smartwatches are often required to test apps on new models. Software emulators, especially Samsung’s ones are not very good, and do not reflect the real “look and feel”

That’s why, if you like this project and want to see more features and other smartwatches models supported, please donate to the project using the bitcoin donation box below.

  • Bitcoin
Scan to Donate Bitcoin to 1CRMQd91Lhm2EP8vSXcyyP2FsTfXXpAjF4

Donate Bitcoin to this address

Scan the QR code or copy the address below into your wallet to send some Bitcoin

Why Updating Old App Not Possible in Samsung Store

The old GAC app supports many legacy Gear devices such as Gear, Gear II, Gear Neo, and Gear S. Since all these devices are different, they require different binaries. Samsung App Store doesn’t allow mixing companion and non-companion binary types in a single app’s distribution. That’s why new app is needed to enable companion functionality. We will gladly merge versions as soon as Samsung changes their policies (the best scenario) or when we decide to stop supporting legacy devices.

Below is an error message, which is caused by an attempt to add a companion-based binary to the old non-companion style app

Adding New Account from Android on Gear or Galaxy

To add a new account from the phone you’ll need to select “Connect to Phone” menu on Gear first:

Pic 1. Menu Page on Gear

If the device is already paired with and connected to the phone through Bluetooth, an icon on the top will turn green and you’ll see the following message:

Pic 2. Gear Connected to Phone

At this point an account page should popup on the phone automatically. You can either select an existing account or tap “+” button to add a new one. Selecting ‘+’ button will bring you to Scanner page. Now you can point the phone’s camera to a QR bar code. When QR bar code is recognized, the blue border will be blinking and a scanned code will show up in an edit box located just above the camera window.

Pic 3. QR Scanner Page

Press “Send to Watch” button and the scanned account will be sent to your Gear device. You can also save the account to phone by pressing “Save” button. After an account is saved, the “Accounts” page will be displayed. Alternatively, you can get there by pressing an “Accounts” menu in the toolbar.

Pic 4. Accounts Page

At the “Accounts” page you could see a list of OTP tokens for all your accounts, and you can use the buttons on the bottom to perform the following actions (left to right):

  • Send selected accounts to Gear
  • Save all accounts to a backup file
  • Delete selected accounts from your phone
  • Restore all accounts from a backup
  • Add more accounts by either scanning QR bar code or by typing a shared secret manually

Tap a token if you want to zoom it. The token will be refreshed properly in the zoomed view as well. When a color of the border becomes red, a new token will be generated automatically.

Pic 5. Zoomed Token

You can scroll accounts on this page using left and right arrow buttons on the bottom.

Changing Account’s Order

By default the accounts are stored in an alphabetic order, but it’s possible to change the order by long pressing an account name and dragging it to the new place.

Editing Account

Tap an account name in the list to edit it. It will bring you to the Scanner page where you can edit account name, the bar code, or scan the code using the phone’s camera. Press store icon on the bottom to save the account to the phone.

Backing up and Restoring Accounts on Phone

Account restore page can be reached by tapping restore button (second from the right) on Accounts page.

Pic 6. Backup and Restore

By default restore logic will try to create an encrypted backup and password will be required to decrypt the accounts and to verify a signature created by a backup. You can use plain unencrypted backup by unchecking “Encrypt backup” option in Settings, but that option is strongly discouraged. If you want your app to remember the password, use “Remember password” option in Settings.

A button located below “From Watch” title can be used to restore phone’s accounts directly from a watch.

The backups that are not needed anymore can be deleted by selecting them in the backup list and pressing a “trash” button on the bottom.

Saving accounts to a backup file is similar and has two options as well: encrypted and unencrypted backups.

Google Drive can be used to backup and restore accounts as well. Use Google Drive button with a question mark to check what backups are available.

Legacy Backup and Restore

Legacy backup and restore are used to save or restore data in gac-codes.mp3 file that can be used for integrating with an older Gear’s GAC version that doesn’t have an Android’s companion app. Use either MP3 button on the bottom or Legacy Backup/Restore menu items in tool bar to create a backup or restore your accounts from it. The MP3 file will be created in Music directory that can be used by Samsung’s Gear App for transferring it further to your Gear device, where the file can be used to initialize the accounts through “Init from File” menu.

Working with Samsung Watch

Token Page

After accounts have been imported to the watch, they will appear in the main menu. Simply tap an account to see a token. To return to menu again tap a “list” button on the top of token page.

 

Account Deletion

To delete an account, tap an account name in the list and hold for a couple of seconds until it changes a color and starts buzzing. Confirm account deletion on the following screen:

Getting Help

To get more help on usage tap the “Help” item in the main menu.

Other Screens Seeing on Samsung Watch

When accounts are successfully received by Gear you’ll see the following screen:

Pic 7. Accounts Received from Phone

When messages are sent by Gear to phone, you’ll see the confirmation screen:

Pic 8. Accounts Sent to Phone

If Gear is disconnected from its peer, the green icon will turn red.

Pic 9. No Connection Page

 

GAC Widget

GAC widget can be used to see the last viewed account and is activated in the same way as any other Gear’s widget: you add it on home screen selecting and tapping the icon below (just swipe screens left until you see it).

Pic. 11 Adding GAC Widget

After widget is added and if a user had recently viewed an account in the GAC app, the latter account will be displayed in the widget. If there was no account previously selected by a user, the following screen will show up.

Pic. 12 Non-initialized Widget

Tap the widget to initialize it or if you want to change a previously selected account. After an account is selected, the widget will display it until another account is selected.

Pic. 13 Initialized Widget

Navigate to the home screen and slide screens left to see the GAC widget.

Adding New Account from Android on Wear

First, start GACW app on Android phone, then start the same on your Wear watch. The beacon icon will turn green on the watch and Wear OS icon will show up in phone’s app tool bar.

Select accounts on your phone and press a “Send to Watch” button or menu item. After accounts are transferred, the Android app is not needed anymore. You’ll see an account list on your Wear device:

Pic. 14 Account list on Wear

Now you can select an account from the list to see the token:

Pic. 14 Auth Token on Wear

Google Auth for Fitbit

Official Link in Fitbit Store

New Features Introduced in ver 1.1.3

The following new features have been implemented in ver. 1.1.3

  • App version is visible in app’s Settings (see General section)
  • App auto-close timeout setting was added. By default it’s off. Edit “Auto close app after n secs” property to setup the timeout in seconds. This can be used to avoid excessive battery usage if app was not closed.

Tested Devices

The following Fitbit devices have been tested:

  • Fitbit Versa (real device)
  • Fitbit Ionic (through simulator only)

Required Fitbit OS SDK

The first app’s version (1.0.5) was built with Fitbit SDK 1.0, which is supported by all known Versa and Ionic devices. However, starting from version 1.0.7 the SDK used was 3.1. It means that for using the latest versions of the app you’ll probably need a firmware upgrade. The minimum firmware version that supports SDK 3.1 on Versa is 32.33.1.30, for Ionic – 27.33.1.30. Updates are available in Fitbit’s mobile app when you choose your device in the dashboard. Use Settings/About on your Fitbit device to check its firmware version.

If you don’t see the latest app’s version in the Gallery, it’s because your firmware was not upgraded.

Installing Google Auth on Fitbit

Fitbit app is approved and is available in the official Fitbit Store: https://gallery.fitbit.com/details/583cf908-87d4-4ae6-9331-ca0fbffd0ff0. To find and install it:

  1. Open Fitbit App on Android phone
  2. Tap Apps icon and type “Google Auth” to a search bar

Quick Start

  1. Open Fitbit App on Android and make sure that your Fitbit device is visible
  2. Open GACW App on Android. This step could be optional if you don’t mind typing your accounts manually
  3. Open Google Auth app on Fitbit device

The following screen will popup on Fitbit device:

Pic. 15 No Accounts Screen

4. To quickly check if the app is functional, click top-left button. It will import a testing account from settings:

Pic. 16 Account Received

5. Press green Ok button on the right and you’ll see an account list:

Pic. 17 Account LIst

6. Tap “Test” item to see a token:

Pic. 18 Test Token

7. If everything worked as described above, you can proceed to creating your own accounts. There are two ways of doing this: using GACW Android App and typing accounts manually in Fitbit’s Android App settings.

If you can’t import testing account, most likely you have a connection problem. Read the next section to troubleshoot the connection.

Troubleshooting Connection With the Phone

If buttons on the top do not work it’s certainly a connection issue. To troubleshoot go through the following steps:

  1. Open Android’s Fitbit App
  2. Make sure that Sync is not running. If it does connection from the watch will be ignored.
  3. Select your watch by clicking its name and press “Apps” button. If you see “Unable to Connect” message, you don’t have a connection. Make sure that Bluetooth and Location are on in your telephone settings.
  4. Exit the app on the watch
  5. Start the app on the watch again and check if top-left and top-right buttons work this time

If you tried everything and connection to the phone is still not available, you can always enter the accounts manually in the app’s Settings section from the phone.

Creating Accounts Using GACW Phone App

  1.  Open GACW, Android Fitbit App, Google Auth on Fitbit device
  2. Go to accounts page on Fitbit device and press beacon icon (top-right button)
  3. Device pairing dialogs will show on Fitbit and GACW:

Pic. 19 Pairing

4. Enter PIN from Fitbit to GACW and press enter. If paring is successful, you’ll see a confirmation message

5. Choose Ok button on Fitbit and GACW to close dialogs.

6. Beacon icon should be green on Fitbit’s accounts page. Fitbit icon will show up in GACW’s toolbar and “send to watch” button on the bottom-left will turn green. Select account that you want to transfer and press low left button on GACW to send them to Fitbit. If transfer is successful, you’ll see “accounts received” message on Fitbit.

   

Pic. 20 Accounts in GACW

7. Tap an account on Fitbit to see a token

Creating Accounts Manually

For each account that you want to create you’ll need:

  • Arbitrary account name, e.g. “Google”;
  • Shared secret in Base32 form.

 

  1. In Android’s Fitbit App find Google Auth and open its settings:

Pic. 21 Accounts in Fitbit’s Settings

2. Tap “Add Account” link and add a new account in the form: Account:SharedSecret. Make sure that there is no any errors in “Errors” section below.

Pic. 22 Settings Page

Alternatively starting with version 1.1.5

you can add optional parameters after the secret, e.g.

AccountName:f7gjhjrjaheksk6f:10:1:8

where

  • 10 is a sequential number of the account in the list (use it if you want to change the order of accounts when they are displayed
  • 1 indicates that HmacSHA256 will be used (default is 0, which is HmacSHA1)
  • 8 length of the token (default is 6)

The full syntax of the account string is as follows:

AccountName:secret:[order:[Algorithm:TokenLength]]

3. On Fitbit’s device tap left-top button to import accounts from setting. An “accounts received” page will show up if import is successful.

Pic. 23 Accounts Page

Auto Close App

To avoid app running forever and consume battery if a user forgot to exit it by pressing “back” button, auto close feature has been implemented starting from version 1.0.8. The default timeout is set to 0, meaning there is no timeout, but it can be changed in the app Settings page on the phone.

Pic. 23 Auto close app

Known Issues

Issues that have been fixed

Continue reading …