[Q&A] 2fa Support #184

Open
Truffle2143 opened this issue Dec 16, 2022 · 0 comments
Labels
feature 新特性或新需求

Comments

@Truffle2143

In #11, 2fa support was investigated using the example of Revadike's epicgames-freebies-claimer. This was eventually decided to be unusable because the device authorization authentication method does not prevent more 2fa challenges from being created when a game is claimed. The authors of this project then made a statement explaining that they identified a possible solution that used multiple browser context threads working together, but the solution would be computationally expensive as well as having undesirable behavior. For those reasons the issue was closed.

I am proposing a possible solution that would allow support for 2fa to be added that does not require any human interaction, does not have a high performance requirement, and does not rely on device authorization at all. Additionally, this solution does not use any reverse engineering and will continue to work well into the future. This solution involves the pyotp library. By providing the TOTP secret given to you by epic when enabling 2fa, it allows the program to generate unlimited time-based 2fa codes that are identical to what would be shown in a 2fa application. Once the code that is valid for that time is generated, the only thing necessary is to enter the code into the 2fa prompt on the website. I think this should be fairly easy to implement.

The disadvantage of this solution is that it only allows 2fa to be done by a third party authentication app. Email and SMS 2fa will not work. I feel this is an acceptable tradeoff because authentication apps are much more secure than the other two options.

To obtain the TOTP secret that is needed, go to https://www.epicgames.com/account/password and enable app-based 2fa. The string displayed in the manual entry key section is your TOTP secret. It is important to note that not continuing with the activation process will result in a new TOTP secret being generated - the old one will not work. Once you have copied that string, set up a 2fa app as you would normally.

You can then compare the output of this python code to the TOTP codes generated by your authentication app. They should be identical (and they are identical for me).

2fa TOTP code generation example using pyotp:

import pyotp

def print_totp(seed):
    totp = pyotp.TOTP(seed)
    print(totp.now())

if __name__ == '__main__':
    print_totp("YOUR_EPIC_GAMES_SECRET")

The section where the TOTP secret is found: [screenshot of the manual entry key section]

Thank you for your consideration.

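Added example, not part of the issue or the project's code: a standard-library implementation of the RFC 6238 TOTP algorithm that pyotp wraps, so the codes derived from the manual entry key can be cross-checked (and verified with a small clock-drift window) without trusting a third-party package. It assumes the secret is base32, as Epic's manual entry key is; the demo secret is the RFC 6238 test key, not a real account secret.

```python
# Added example (not from the issue or the project): RFC 6238 TOTP using only
# the Python standard library. The seed is a long-lived credential equivalent
# to the second factor itself, so it must be stored with the same care as a password.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def _decode_secret(secret_b32: str) -> bytes:
    # Manual-entry keys are base32; strip spaces, upper-case, restore padding.
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, at: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """Return the TOTP code valid at unix time `at` (default: now)."""
    counter = int((time.time() if at is None else at) // step)
    msg = struct.pack(">Q", counter)             # 8-byte big-endian step counter
    mac = hmac.new(_decode_secret(secret_b32), msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify(secret_b32: str, code: str, at: Optional[int] = None,
           step: int = 30, window: int = 1) -> bool:
    """Accept `code` if it matches the current step or one within +/-window
    steps (tolerates small clock drift). Constant-time comparison per candidate."""
    now = int(time.time() if at is None else at)
    return any(
        hmac.compare_digest(totp(secret_b32, now + k * step, step), code)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Constructed demo secret: base32 of the RFC 6238 test key "12345678901234567890".
    demo = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp(demo))                 # changes every 30 s, like an authenticator app
    print(verify(demo, totp(demo)))   # True
```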

@QIN2DIM QIN2DIM changed the title 2fa Support [Q&A] 2fa Support Aug 23, 2023
@QIN2DIM QIN2DIM added the feature 新特性或新需求 label Aug 23, 2023
@QIN2DIM QIN2DIM mentioned this issue Aug 23, 2023