HMAC-SHA1 challenge response via NFC #4090
Comments
Does any desktop or laptop computer have an NFC reader?
Hi droidmonkey, I use a Yubikey 5 NFC and an NFC USB Reader. With the Yubico Authenticator it is possible to use this combination. With KeePassXC unfortunately not. So, it would be very nice if KeePassXC would support NFC Readers too.
The problem is that we are not a single authentication scheme. Every time you save your database your key needs to be re-challenged. This would require you to swipe your key on every change. The fastest way to even start supporting this is to petition yubikey to release a ykcore library that polls nfc.
Hi! I am running Yubikey 5 NFC with HMAC-SHA1 challenge-response with KeePassXC on computers over USB, and with keepass2Android via NFC (using the open-source app ykDroid).
From my own experience: Dell Latitude 7490, Dell Latitude E6430. They are quite common professional laptops and they read and follow through on NDEF programming. Additionally, I would gladly buy a separate NFC reader and use it with the computer instead of physical interaction of USB.
I love the fact that you require re-challenge for every save, besides the unlocking! I would welcome the swiping every time. At the moment I need to interact with the key every time anyway (touch). I believe this is good! All in all, thank you for a great and versatile software that performs its tasks excellently! 💯
This would be a really handy feature for everyone who keeps a YubiKey with the press-button requirement for challenge-response. It's useful beyond that because I keep my YubiKey on a retractable keychain that stays clipped to me, to prevent it from being lost; it's a right pain to have to take the key out, plug it in, hit refresh, select the device, press the button and then be into the manager. Being able to just tap the key against an NFC pad would be so much easier, as I can on my phone! @Tien1602 mentioned above that Yubico Authenticator does support this - I dug out the diff where that support was added, and it's here: Yubico/yubioath-flutter@ecb7dbc#diff-0f41c25e8de3b80e79d508ffd8c3c2b2d833934a82f6fa12f954b29f3f7fc32a I'll freely admit I don't know enough about either KeePassXC's internals or Yubico Authenticator's in order to do a great deal with this information, but I'd be very happy to make a contribution to help offset the development time of this, or to help test it. This is the main thing blocking me using my YubiKey to secure my vault at the moment, so it would be super useful!
I found a project where an HMAC-SHA1 Challenge-Response PAM module for the Yubikey Neo via NFC is implemented: http://www.average.org/chal-resp-auth/ . The communication is implemented via PC/SC, which the various Yubikeys already implement over USB as well as over NFC (requiring a compatible reader), and this protocol is well supported on all major OSes. This approach also eliminates the need to implement NFC handling.
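The PC/SC exchange suggested in the comment above, together with the re-challenge on every save mentioned earlier in the thread, as an added example (not code from KeePassXC, Yubico or the linked project). The AID, instruction byte and slot codes are assumptions about Yubico's OTP applet, `SimulatedToken` is a constructed stand-in for a card in a reader, and the random 32-byte challenge and the omission of challenge padding are simplifications.

```python
import hashlib
import hmac
import os

# Assumed values for Yubico's OTP applet over PC/SC (not taken from the thread).
OTP_AID = bytes.fromhex("A0000005272001")
INS_SELECT, INS_API_REQUEST = 0xA4, 0x01
SLOT_CHAL_HMAC = {1: 0x30, 2: 0x38}
SW_OK = b"\x90\x00"


def apdu(ins, p1, p2, data):
    """Short ISO 7816-4 command APDU: CLA INS P1 P2 Lc data."""
    return bytes([0x00, ins, p1, p2, len(data)]) + data


class SimulatedToken:
    """Constructed stand-in for a card; real code would call a PC/SC transmit."""

    def __init__(self, secret, slot):
        self._secret, self._slot, self._selected = secret, slot, False

    def transmit(self, cmd):
        ins, p1, data = cmd[1], cmd[2], cmd[5:5 + cmd[4]]
        if ins == INS_SELECT:
            self._selected = data == OTP_AID
            return SW_OK if self._selected else b"\x6a\x82"  # file not found
        if ins == INS_API_REQUEST and self._selected and p1 == SLOT_CHAL_HMAC[self._slot]:
            return hmac.new(self._secret, data, hashlib.sha1).digest() + SW_OK
        return b"\x6d\x00"  # everything else is rejected


def challenge_response(transmit, slot, challenge):
    """Select the applet, send the challenge, return the 20-byte HMAC-SHA1."""
    if transmit(apdu(INS_SELECT, 0x04, 0x00, OTP_AID))[-2:] != SW_OK:
        raise RuntimeError("OTP applet not present on this card")
    reply = transmit(apdu(INS_API_REQUEST, SLOT_CHAL_HMAC[slot], 0x00, challenge))
    if reply[-2:] != SW_OK or len(reply) != 22:
        raise RuntimeError("challenge-response failed, SW=" + reply[-2:].hex())
    return reply[:-2]


def save_database(transmit, slot):
    """Each save draws a fresh challenge, so the token must answer again."""
    challenge = os.urandom(32)  # assumption: stands in for the database's seed
    return challenge, challenge_response(transmit, slot, challenge)
```

Because the response to one challenge says nothing about the next, a card that has left the reader's field cannot serve the following save; that is the tap-per-save cost discussed in the thread.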
Summary
This feature would open up HMAC-SHA1 challenge response 2FA to NFC smartcard devices like Rings, Fobs, Cards etc. and it would free up a precious USB slot. Also it would ease the transition to the all USB-C future.
Desired Behavior
Instead of, or in addition to, just scanning for supported HMAC-SHA1 challenge response devices plugged in to a USB slot, scan for NFC readers. If a supported NFC smartcard device is found, the user can choose which slot to use just like it would be plugged in to USB.
Context
I own multiple devices with different USB types and using adapters is tedious. Additionally, smartcards which can run the YubiKey applet for HMAC-SHA1 challenge response are way cheaper and possibly more attractive to users.