TiToken is an authentication token that is immune to key loggers and other types of sniffers. It achieves this immunity by holding several passwords, each serving as the answer to a specific challenge from the web site. When connecting to a site that supports TiToken, the user is asked by the browser to choose a BLE device. Once a device is selected, the site waits until the user approves authentication by clicking the TiToken button. The site then reads the user name, sends the appropriate challenge and reads the password. If the user name, challenge and password are correct, it accepts the user. The user name, challenge and passwords are stored as part of the program and cannot be changed.

My first attempt was to create Chrome extensions that would communicate with the board over BLE. But the BLE API is experimental and only works on Chrome OS after enabling developer mode. Standard Bluetooth is also experimental, but it works on all operating systems. Later I found a JavaScript API to communicate with BLE devices. This is a new API, and the only browser that currently supports it is Chrome, and only when running on Chrome OS and Android operating systems (Windows is not supported).

Once I understood that building an extension that communicates over BLE was not feasible, I tried to write a web site that communicates with a BLE device. This JavaScript API is also experimental and works only on Chrome running on Android (or Chrome OS). It also must run under secure sites (HTTPS).

The site is coded in HTML/JavaScript. It contains a simple login button that, once clicked, opens the BLE connection dialog and lets the user choose a device to connect to. Once connected, the site registers for notifications and waits for the device to send the user name. The site then sends the challenge (currently just the password ID) and waits for the device to send the password. If all three match, the login process finishes successfully. Since the BLE API is asynchronous in nature, it uses promises to report the results.

The CC2650 LaunchPad is programmed as a BLE (Bluetooth Low Energy) server with one custom service called Password Service. This service has three characteristics: UserName, PasswordID and Password. PasswordID is writable and the other two are notifiable (and readable). When a client wants to authenticate, it needs to register for UserName notifications. Once the user clicks the button, the user name is sent to the client, which can then formulate the challenge. The challenge should be written to the PasswordID characteristic. Once it is written, the corresponding password is written to the Password characteristic (and the client is notified).

The skeleton of this project was generated using Bluetooth Developer Studio with the Texas Instruments BLE plugin. This tool generates skeleton code that handles BLE communication. In ProjectZero_init we register for button clicks and initialize the state to NotApproved. The application has three states: NotApproved, PendingApproval and Approved. Once a client connects, the state changes to PendingApproval; this is done in the function user_processGapStateChangeEvt. It also resets all characteristics so that a new client won't be able to read them. Once the user clicks a button, the state is changed to Approved and the user name is written to the UserName characteristic. Once PasswordID is written by the client, user_TipasswordService_ValueChangeHandler is raised by the generated code. I use it to change the password to the correct password. When a button is clicked, it starts a SWI, which in turn enqueues a message (user_enqueueCharDataMsg) that the application message loop (ProjectZero_taskFxn) reads and acts upon. In our case it changes the value of the UserName characteristic.
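The approval state machine described above, as an added host-side model in plain C (not the project's firmware and not TI BLE stack code). All function names, the sample credentials and the field size are hypothetical. Acting on the button only while a client is pending, and refusing a PasswordID write before approval or with an out-of-range ID, are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical model of the token logic; no TI BLE stack calls are used. */
typedef enum { NOT_APPROVED, PENDING_APPROVAL, APPROVED } token_state_t;

#define NUM_PASSWORDS 3
#define FIELD_LEN 16

/* Constructed sample credentials, compiled in as on the real token. */
static const char *const USER_NAME = "alice";
static const char *const PASSWORDS[NUM_PASSWORDS] = { "pw-zero", "pw-one", "pw-two" };

typedef struct {
    token_state_t state;
    char user_name[FIELD_LEN];  /* UserName characteristic value */
    char password[FIELD_LEN];   /* Password characteristic value */
} token_t;

static void reset_characteristics(token_t *t) {
    memset(t->user_name, 0, sizeof t->user_name);
    memset(t->password, 0, sizeof t->password);
}

void token_init(token_t *t) { t->state = NOT_APPROVED; reset_characteristics(t); }

/* Client connected: clear values left over from the previous session. */
void token_on_connect(token_t *t) { reset_characteristics(t); t->state = PENDING_APPROVAL; }

/* Button click: assumed to matter only while a client is waiting. */
void token_on_button(token_t *t) {
    if (t->state != PENDING_APPROVAL) return;
    t->state = APPROVED;
    strncpy(t->user_name, USER_NAME, FIELD_LEN - 1);
}

/* PasswordID written by the client. Returns 0 on success, -1 if refused.
   Assumption: refuse before approval and for out-of-range IDs, and clear
   any earlier answer so it cannot be read back after a refused write. */
int token_on_password_id(token_t *t, uint8_t id) {
    if (t->state != APPROVED || id >= NUM_PASSWORDS) {
        memset(t->password, 0, sizeof t->password);
        return -1;
    }
    strncpy(t->password, PASSWORDS[id], FIELD_LEN - 1);
    return 0;
}
```
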