TOTP in Smalltalk – a little experiment

Being a Smalltalk developer gives you lots of joy; Smalltalk is such a nice programming environment, The degree of interactiveness of the toolset and the expressiveness of Smalltalk code are legendary.

But being a Smalltalk developer also put some burden onto you.

The community is quite small, the dialects of Smalltalk still have no common sense of what an exchange format for source code between IDEs should look like and differences between dialects are big enough to make code exchange much harde than it should be.

This. combined, leads to some interesting problem: chances are that the selection of ready-made code for your problem is small.

Example: There is no Smalltalk dialect that can parse Mime-mails correctly. Seems nobody ever needed this. There are implementations that can get you quite far, but they still fail in edge cases. In langiages like Python or Javasvcript, there is a ton of modules and frameworks for all kinds of problems. Not all of them are perfect or even close, but there is a wide selection of alternatives to try.

In Smalltalk you often end up reading RFCs and feeling like the first to implement stuff that is just a PIP away in Python. Or an npm install. There are lots of problems coming with that as well, so the grass is not always greener on the Python side. You still have to do research and find the right module for you. But they are there, you can try them. In Smalltalk, there might be a module, but often you are out of luck or need to port one from another dialect.

One of these problems that are unsolved in Smalltalk – believe it or not – is a publicly available implementation of TOTP (Time-based One Time Passwords). There’s a little bit of encryption and bit pushing involved and there is nothing really hard going on. But you still have to pick up the pieces and combine them to a working solution.

Marten, Thomas and I had a little chat about this specific issue and decided to do a little online session and take the time to implement something.

The plan was to quickly go through the spec and nail together a first prototype. The interesting thing here is: each of us works primarily on another Smalltalk dialect 😉

After an evening hacking together and playing with it, we quickly got to the point where we could register a secret in freeOTP and verify its passcode in Smalltalk (we used Gemstone, because Marten just typed as we talked).

After a good two hours we ended the discussion with a what’s missing and how we’d solve the problem of generating the QR-Code for registering a secret with freeOTP, Authy or Google Authenticator.

Marten was the first to finish the code up and publish an article about his solution on his blog – including source code. So you can now implement your own solution in your Smalltalk dialect using his code snippets. We didn’t go into detail about all the bells and whistles an application would need to make a 2FA login process workable, like for example

  • How would a user register for 2FA or disable it
  • What would a mechanism for cases like “I lost my phone and forgot to create a new secret”, “I don’t have my phone available at the moment, but I need to login anyways” look like
  • We haven’t given too much thought on Timezones, so there may be more to 2FA than we currently implemented

I need to adapt the code to my VAST Platform project and am planning to publish it on github. I just need to find the time to do so. Maybe someone will find use for it and probably suggest improvements (like the Timezone problem).

One issue will remain for this as well as most other Smalltalk projects, though: how can we make this one codebase in which bugfixes and imrovements can be implemented in one place and make them available on all target dialects? Still one of the biggest hurdles for wider acceptance of Smalltalk as an ecosystem spanning multiple of all dialects.