前言: 这是我个人提交于2025年的ASDAN essay, 题目为“A smart lock structure based on Time-based One Time Password algorithm”
Abstract
This project delivers a smart lock prototype artefact that integrates TOTP (Time-based One-Time Password) to solve the problem existing in traditional static password and biometric-based smart lock systems. By generating dynamic and secure passwords every cycle (usually 30 seconds). The prototype integrates an Arduino UNO R4 Wi-Fi, a membrane keypad for input, a servo motor for lock control, and a passive
infrared sensor for presence detection, all programmed in C++.Key features
include automatic lock feature, password clearing and sleep mode. While the prototype successfully demonstrates TOTP verification and time synchronization, there’re still some challenges such as high-power consumption and reliance on external time sources that need to be improved. Future recommendations include adopting low-power chips, developing applications or integrating the function into existing apps to communicate with the lock to solve the time synchronization problem and importing backup unlock methods. This project bridges theoretical security concepts with practical IoT (Internet of Things) implementation, offering a solid foundation for enhancing physical security in smart environments.
Introduction
Personal Motivation
I chose the artifact-based Project because I’m passionate about hands-on
technology projects and want to apply theoretical knowledge in a practical,
tangible way. Furthermore, I want to explore and gain more experience in fields
such as embedded systems and the Internet of Things.
Aim & Objectives
This project aims to develop a physical smart lock prototype based on the TOTP
(Time-based one-time password) algorithm to implement a
dynamic password verification function. The algorithm aims to solve the problem
of static passwords being easily stolen/cracked and improve the physical
security level of home/office scenarios. Finally, this project can also explore
the localized application of TOTP in IoT (Internet of Things)
hardware.
Literature review
Overview of TOTP
TOTP (i.e. time-based one-time password) is a modern security algorithm that is
widely used for verification of identity. The two main features of TOTP are
time-based dynamic generation and pre-shared secrets with cryptographic
security. This project combines the TOTP algorithm with a smart lock structure
to enhance its security.
How TOTP works
When you set up TOTP, you and the lock will share a secret K that only you and the lock know. Then the algorithm will use the current time to combine the secret key with the current interval number C, which is the current seconds passed from January 1st,1979 divided by the interval of a cycle (which is usually 30 seconds) and encrypt them through a mathematical function called hash function by using C as the content that needs to be encrypted and K as the key to encrypt C, this generates a unique 10-digit integer for the current cycle. The lock and your devices such as your smartphone or computer will both do the calculation and then verify whether you
have entered a valid password.
The flow chart below shows how TOTP
works more intuitively.
Difference from a current solution of smart lock
Traditional smart lock uses a static password or biometric feature to unlock, however, TOTP password uses a dynamic password generated by an algorithm to unlock, which prevents the risk of the password or biometric feature being stolen. Furthermore, some manufacturers will store your password on online servers, but TOTP stores your secret locally which decreases the risk of server leaks and other kinds of cybercrime. Finally, you don’t have to remember or manually update the password to maintain its security level, the TOTP algorithm generates a new password every cycle.
Methodology & Design Decisions
Hardware Selection & Software development
I use Arduino UNO R4 Wi-Fi as a development board alongside a liquid crystal display to display characters, a membrane pad for input, and a passive infrared sensor for
detecting people nearby, also, a servo motor is used to control the lock.
This whole project is developed in C++ programming language, it is fast and flexible and most importantly satisfies my use case. C++ language is famous for its swift execution speed and advanced features, but the most important reason is that the infrastructure of C++ in this platform is complete, meaning that no extra setup is required.
Design Decisions
On the prototype, I decided to implement some features that make users more
convenient and have a more fluent experience in this prototype, furthermore,
these features can be added to more products in the future as well. First, we have the device self-locking features, this means that After 5 error tries in the prototype, the device automatically locks itselaf for 512 seconds, and the lock time will grow exponentially. This feature can prevent the lock from cracking due to the small possibility of the combination of passwords. We can also introduce a password clering feature, which means that if you entered a wrong password, pressing the ‘#’ button on the membrane pad will clear the line so that you can enter the correct password. Furthermore, to reduce the power consumption, we can have a sleep mode which means that if the sensor detects that no one is nearby, the prototype will close the display to save power.
Project Development Process
Concept & Initial Design
The initial idea is to build it like a traditional smart lock, however, during the
process of development I abstract it for better concentration with my feature,
which is the ability to generate passwords and prevent cracking.
Prototype Development
The circuit diagram of the prototype is shown below.
The Membrane Pad is used to input passwords, the servo motor is used to control the lock to open/close the door or something else, the Passive infrared sensor is used to detect people nearby, and lastly, the liquid crystal display is used to display characters and display necessary information on the display monitor.
Results & Evaluation
Evaluation of Objectives
The prototype has completed all the aims mentioned above. It can let the user input the password, perform the TOTP algorithm, and verify whether the user has entered the correct password in the current cycle. If the user has entered the correct password, a servo motor will unlock the lock. Also, it can automatically synchronize the
time by specifying the home Wi-Fi name and password inside the code.
Additionally, it can automatically detect if somebody is nearby using a passive
infrared sensor, if there’s nobody nearby, it’ll automatically enter sleep
mode, in sleep mode, the display will be turned off to reduce power
consumption.
Discussion of Successes and Limitations
The advantages and
successes of this lock structure are:
No need to remember password: The password is
changed every cycle (usually 30 seconds) so there is no need to remember
anything.No private information leak: The password is
generated randomly so there’s no trace to the secret. Also, there are no
biometric features involved so no one can steal your biometric features.High-security Level : All the computation and storage
are done locally, no clouds and interaction with outside sources except time
synchronizing are needed, thus no need to worry about leaking databases or
other kinds of cybercrime.
However, although the prototype is well-behaved, there are still some issues if this product is going mass production, first is the question of low battery life, Arduino UNO R4 Wi-Fi’s power consumption is too big for a lock that is estimated to sustain a few years without battery replacement, a new kind of chip with low power consumption is required, also we need a precise time source from outside which is unreliable, one
solution for this is to write a specialized application on the user’s portable
device and sync the time with the portable device on startup. Finally, if the user’s portable device with the secret on it runs out of battery, then it is impossible to open the lock, an external way such as biometric feature unlock is required to deal with
this kind of situation.
Conclusion & Reflection
Reflection on the Project Process
Throughout the development of the project, I learned a lot about time management skills and necessities to explore an unknown field, furthermore, I learned about how
to combine theory to solve problems that exist in real life. I also learned a
lot about how to build up something from the ground up with no similar work
currently, I personally think that this is an important feature to have in
innovation. This project also enables me to learn more about hardware and explore further in the field of the Internet of Things, due to almost no experience in embedded systems and the Internet of Things field, I must do a lot of researching and studying to build a complete prototype for this project.
Future Work & Recommendations
There are a few more jobs that can be done to improve the lock structure so that it can become a more efficient, secure, and user-friendly device, better serving the needs of the home, hotels, and laboratory security applications. First, to have a long battery life, we need to seek a way to reduce power consumption. Currently, the Arduino UNO R4
Wi-Fi development board requires at least 82.86mA of current to start, which is
unattainable in a device that should sustain for a long time without battery
replacement. Also, we can write a specialized application to get a synchronized reliable time source, this can solve the time synchronization problem by using the phone to pass the time and other information to the door lock, however, it also might require the new chip to have Bluetooth or Wi-Fi, or other features that allow the lock to communicate with phone or other electronic devices. Furthermore, to introduce more unlock mechanisms such as biometric unlock method or Near-field communication unlock method is necessary to promote a more smooth and convenient user experience. Ultimately, the prototype requires a home Wi-Fi
name and password to do time synchronization through network time protocol (NTP), however, this is not tolerable in real-life cases.
References
Informative references
David M’Raihi , Johan Rydell , Mingliang Pei , Salah Machani, May 2011,“TOTP:
Time-Based One-Time Password Algorithm”, available at < https://datatracker.ietf.org/doc/html/rfc6238 >.
Krawczyk, H., Bellare, M., and R. Canetti, February 1997,“HMAC: Keyed-Hashing for Message Authentication”,
available at < https://datatracker.ietf.org/doc/html/rfc2104 >
Eastlake 3rd, D., Schiller, J., and S. Crocker, June 2005,“Randomness Recommendations for Security”, available at < https://datatracker.ietf.org/doc/html/bcp106 >and < https://datatracker.ietf.org/doc/html/rfc4086 >.
M’Raihi, D., Bellare, M., Hoornaert, F., Naccache, D., and O. Ranen, “HOTP: An HMAC-Based One-Time Password Algorithm”, December 2005,available at < https://datatracker.ietf.org/doc/html/rfc4226 >.
Hoyer, P., Pei, M., and S. Machani, “Portable Symmetric Key Container (PSKC)”,October
2010, available at < https://datatracker.ietf.org/doc/html/rfc6030 >.
Housley, R. and M. Dworkin, “Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm”,
September 2009,available at < https://datatracker.ietf.org/doc/html/rfc5649 >.
Josefsson, S. “The Base16, Base32, and Base64 Data Encodings”, October 2006,
available at < https://datatracker.ietf.org/doc/html/rfc4648 >.
H. Al-Assam, H. Sellahewa and S. Jassim, “On security of multi-factor biometric authentication,”2010 International Conference for Internet Technology and Secured Transactions, London, UK, 2010, pp.1-6.
Other resources
The code of this project is available at https://github.com/Caviar-X/epq_totp_lock