{"id":42891690,"url":"https://github.com/joekir/veerless","last_synced_at":"2026-01-30T14:59:08.835Z","repository":{"id":56167573,"uuid":"69064568","full_name":"joekir/veerless","owner":"joekir","description":"bi-directional 2FA prototype","archived":false,"fork":false,"pushed_at":"2020-11-23T06:55:24.000Z","size":190,"stargazers_count":1,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2024-03-18T00:22:07.937Z","etag":null,"topics":["chrome-extension","hotp","totp","two-factor","twofactorauth"],"latest_commit_sha":null,"homepage":"https://veerless.josephkirwin.com","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/joekir.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-09-23T22:22:49.000Z","updated_at":"2024-03-18T00:22:07.938Z","dependencies_parsed_at":"2022-08-15T14:00:31.172Z","dependency_job_id":null,"html_url":"https://github.com/joekir/veerless","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/joekir/veerless","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joekir%2Fveerless","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joekir%2Fveerless/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joekir%2Fveerless/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joekir%2Fveerless/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/joekir","download_url":"https://codeload.github.com/joekir/veerless/tar.gz/refs/heads/master","sbom_url":"https
://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/joekir%2Fveerless/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28914895,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-30T12:13:43.263Z","status":"ssl_error","status_checked_at":"2026-01-30T12:13:22.389Z","response_time":66,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["chrome-extension","hotp","totp","two-factor","twofactorauth"],"created_at":"2026-01-30T14:59:08.753Z","updated_at":"2026-01-30T14:59:08.820Z","avatar_url":"https://github.com/joekir.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Veerless\n\n![Bounty](/public/images/Bounty.jpg \"'Bounty', painting of a replica of the Bounty entering the harbour of Ostend, Belgium; by Yasmina (1949- ), a Belgian painter specialized in marines and depictions of tall ships - Creative Commons Attribution 3.0\")\n\n##### A proof of concept for bi-directional two factor authentication.\n*The intent of this design is to mitigate the real time phishing of two-factor authentication tokens, but more generally provide assurance that you are talking to the server you spoke to on registration.*\n\nIt's called **Veerless**, as it doesn't let you veer off course from the genuine server.\n\n### How to try it out\n\n1. 
Download the code from [https://github.com/joekir/veerless](https://github.com/joekir/veerless) and follow the setup steps below.\n2. Review the code in the chrome-extension, and if you agree it's non-harmful, then install it. ([help on how to do that](https://developer.chrome.com/extensions/getstarted#unpacked))\n3. Navigate to [https://veerless.josephkirwin.com/register](https://veerless.josephkirwin.com/register). This endpoint will give you the `t0` and `server_secret` to add to your Chrome extension, via the \"options\" page in the extension's settings.\n4. Now you can log in at [https://veerless.josephkirwin.com/login](https://veerless.josephkirwin.com/login) with the user that you chose. The extension will be looking for:\n  - X-Veerless-Init header from the server to begin the login transaction\n  - X-Veerless-Response header from the server containing its TOTP variant, that it will verify.    \n\n  If it can successfully verify the header, you shouldn't see any difference to a common 2FA login experience, except that your client TOTP will be provided in a notification. If it cannot successfully verify the header, it will cancel the request, and notify you of this.\n\n### More Fiddling\nYou could then try to set up your own local site, attempting to spoof the live demo ; )\n\n- Using the code you downloaded in step 1, with the setup steps below\n- Create a line in /etc/hosts like this (which kind of simulates a DNS hijack for you)    \n  `127.0.0.1      veerless.josephkirwin.com      veerless`          \n- Now try to authenticate in the same way as step 4. 
Notice the extension should now detect that this is a spoofed site.\n\n### Site Layout\n\n* [/](https://veerless.josephkirwin.com) - this README page.\n* [/login](https://veerless.josephkirwin.com/login) - used to complete the login flow with veerless chrome-extension assisting.\n* [/register](https://veerless.josephkirwin.com/register) - retrieves the initial time seed (`t0`) for TOTP and the server secret for a given user.\n\n### Design details\n\n- [https://www.josephkirwin.com/2016/10/25/veerless-design-changes/](https://www.josephkirwin.com/2016/10/25/veerless-design-changes/)\n- [https://www.josephkirwin.com/2016/08/05/serverside-otp-part2/](https://www.josephkirwin.com/2016/08/05/serverside-otp-part2/)       \n- [https://www.josephkirwin.com/2016/08/02/serverside-otp-part1/](https://www.josephkirwin.com/2016/08/02/serverside-otp-part1/)\n\n###### Extra\n*This is actually an alternate design to Veerless that doesn't require the client to provide confidentiality of the server secret, only integrity.*\n- [https://www.josephkirwin.com/2016/09/12/server-authentication-with-lamports-scheme/](https://www.josephkirwin.com/2016/09/12/server-authentication-with-lamports-scheme/)      \n\n### Setup\n\nUpdate the config.js file's `hostname` variable to your host.\n\n`npm update`    \n`npm start`    \n\n*The database is self provisioning.*\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjoekir%2Fveerless","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjoekir%2Fveerless","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjoekir%2Fveerless/lists"}