"Dumb" NFC chip login, for convenience more than for security
So, I got a Mifare Classic 1k chip implanted in my left hand, that I wanted to use to log into our Linux servers and desktop machines, as well as a few Windows 10 machines we have lying around at the office. I tried several stacks / applications, and eventually cobbled together a couple of scripts to achieve that, because there are surprisingly few solutions for what is essentially a convenience function that actually degrades security.
I figured I'd share what I have going on Linux and on Windows, to save other people the time it took me to get what I wanted.
The trouble is, the Mifare Classic is essentially a small memory tag without any meaningful crypto that could be used for true secure authentication. Worse, I only want to use its UID to authenticate me on our machines, for the sake of simplicity and portability.
But bear in mind, my need is not a sensitive application: our servers are in a secure warehouse, and we only need to log in and out to prevent other technicians from walking in and typing stupid commands as root. As for our Linux and Windows desktop machines, we only need to lock the screen - or log out - to prevent other workers from playing pranks on our machines when we leave our desks. For those two purposes, typing long passwords gets tiring fast, and a simple, weak authentication method to replace it is good enough.
So what's out there to log in and out, and lock the screen, with a dumb NFC tag?
- On Linux
Nothing, essentially. So I came up with my own solutions.
I made a small PAM module that can handle basic authentication with an NFC UID (so you can login at the console, or do su / sudo without typing a password), and a graphical screen locker for the Gnome or Cinnamon environment. They're pretty simple Python scripts that use the PCSCLite library and the pcscd daemon exclusively - so they work on a real machine as well as in a VirtualBox instance, unlike libnfc programs.
You can find them here: https://github.com/Giraut/nfcutils. The instructions to install them are in the comments in the scripts themselves. You'll need pcscd obviously, and the pyscard Python module. Chances are "apt-get install pcscd" and "pip3 install pyscard" will get them installed on your machine. If not, you'll have to figure out how to get them installed on your particular distro.
- On Windows
I tried a few applications. Only two work well in my opinion:
Rohos Logon Key. It's not free, and it's a bit annoying because it forces you to enter a PIN code even if you don't want to (but you can leave it blank and hit ENTER). But it works flawlessly, including for domain logons.
ISLOG Logon NFC Community: it's totally free, and it works well for local Windows accounts, but it doesn't work for domain logons. Unfortunately, ISLOG Logon NFC seems to be abandonware, as it's impossible to trial or order the non-free version, which may or may not have handled domain logons. And I couldn't find a copy of the non-free version anywhere on the internet to evaluate it, even after extensive searching.
So, if you're in an enterprise setting, I recommend Rohos Logon Key, which is well worth the money. If you only need to log into your home PC, I'd say go for ISLOG Logon NFC Community.
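
As an added example (not part of the original post, and not the code in the nfcutils repository), here is one way a UID-only check like the Linux one described above can be built on pcscd and pyscard. The `user:digest` enrollment format and all function names are hypothetical; the APDU is the standard PC/SC "get UID" command.

```python
import hashlib
import hmac

# PC/SC Part 3 "get UID" pseudo-APDU for contactless readers.
GET_UID_APDU = [0xFF, 0xCA, 0x00, 0x00, 0x00]

def uid_from_response(data, sw1, sw2):
    """Return the UID as uppercase hex, or None on an error status or odd length."""
    if (sw1, sw2) != (0x90, 0x00) or len(data) not in (4, 7, 10):
        return None
    return bytes(data).hex().upper()

def uid_digest(user, uid_hex):
    """Value kept in the enrollment file instead of the raw UID. A 4-byte UID is
    easy to brute-force, so this hides it from casual reading only."""
    return hashlib.sha256(f"{user}:{uid_hex}".encode()).hexdigest()

def parse_enrolled(text):
    """Parse 'user:digest' lines (hypothetical format) into {user: {digests}}."""
    enrolled = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, digest = line.partition(":")
        enrolled.setdefault(user, set()).add(digest.lower())
    return enrolled

def is_authorized(user, uid_hex, enrolled):
    """True if the presented UID matches any tag enrolled for this user."""
    if uid_hex is None:
        return False
    candidate = uid_digest(user, uid_hex)
    ok = False
    for digest in enrolled.get(user, ()):
        ok |= hmac.compare_digest(candidate, digest)  # no early exit
    return ok

def read_uid_from_reader():
    """Read the UID of the tag on the first PC/SC reader (needs pcscd + pyscard).
    Returns None if no reader is attached; raises if no tag is present."""
    from smartcard.System import readers  # imported lazily: hardware path only
    available = readers()
    if not available:
        return None
    conn = available[0].createConnection()
    conn.connect()
    data, sw1, sw2 = conn.transmit(GET_UID_APDU)
    return uid_from_response(data, sw1, sw2)
```

Because a UID match proves only that some tag answered with that UID, a check like this belongs in the PAM stack as a convenience factor for low-risk accounts, with the password module still available as fallback.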