RFID 2 Step Verification

edited February 2015 in RFID/NFC
So I've never really been interested in RFID implants. Nothing against them, I just didn't see the point in a couple kb of storage. I look forward to the day when the storage capabilities reach gb, because on that day I will cloud host a file-sharing website on my back and evade capture as the one man Pirate Bay. However, I thought up an interesting concept that I think could be cool and (semi) easily implemented. Anybody who uses Google Docs or an online health provider's website probably knows what 2-step verification is. Basically, when you try to log in to an account, you not only have to provide your password, but you have to prove your identity in a secondary way as well to gain access. Google Docs and most health providers use SMS verification, but Facebook has an interesting twist by making you identify pictures of your friends. If you're government or military affiliated, you may have seen at some point a DOD access card. Basically, it's a little sim card connected to an ID or lanyard that has a secondary password in it. You have to plug it into a little dongle that goes into a USB port and then type your password. Anyway, 2-step verification is cool and makes accounts pretty dang secure.

So what I was thinking of making is an RFID chip with a secondary password on it, implanted in the webbing of someone's fingers that works as secondary verification for logging into an RFID-capable device. This is by no means a unique concept, but I think it's interesting that it would always be on hand (PUNS) for you and nobody else.

How I was thinking of going about this is to create a program that reads the RFID input and puts it through a hash (permanent encryption) function, using the actual password as a salt. In this way, the password in itself is useless without the RFID input and vice versa.

Any thoughts?


  • I've been using a simplified version of this to log into my home/work computer for a while now...Using a USB RFID rerader, it outputs the numerical ID on the chip followed by a newline. So, setup your password and then add the ID string at the end - you type in your password, then swipe your hand to login. Because of the newline, it submits the password for you when you swipe. By just tacking the ID number at the end of your original password, you've effectively upgraded yourself to two-factor auth where you now need your password AND the RFID chip to log in - neither one is sufficient on its own, because each is only a portion of the actual password info.
  • @FrankMatheson 2FA works by doing cryptographic functions on the smart-card itself. None of the current implantable RFID chips have the kind of cryptographic co-processors needed for this kind of thing. So it's not as simple as just writing a program, but it would be possible to build such a chip. The main issue is that to make it small enough, you need to have the whole thing fabricated on a single die, to do this you need very expensive equipment, or to order enough of the chips that the RFID manufacturers are willing to do it for you.
  • Has anyone looked into the encryption stuff in the Avid "FriendChip" line of RFID implants?  I don't know anything about it, but I did catch sight of some stuff about it awhile back.  Let me see if I can find a link...  Yeah, here's one.  Honestly, I don't know squat about encryption so this may or may not be relevant.
  • @aviin there really isn't enough info in that link to understand how their chip works, but based on what it does say, I'm confident their claims about encryption are totally bogus, I'm willing to bet money that I can clone their chips. And given the new chips I've got... I may even be able to clone them to another implanted chip :)
  • edited February 2015
    Couple things...

    There must be something to their encryption or this lawsuit likely wouldn't have been filed.

    The other thing is the obvious one (and my apologies for the slight derailment of the thread)...  What new chips do you have? :)  And more importantly, what are the chances of being able to clone Mastercard Paypass data?  I'd LOVE to be able to clone my debit card to an implant.

    * EDIT * - Found this blurb on a Wikipedia page about Avid encryption:

    "Although no authentication encryption is involved, obfuscation requires
    secret information to convert transmitted chip data to its original
    label ID code."

    So it's actually just obfuscation.
  • @aviin yeah, the so called "encryption" is only in the Avid readers, not the chips themselves, meaning that it's simple to clone/spoof a chip. And as you noted, it's not really encryption at all, just some obfuscation, which I guarantee I could bypass, I do reverse engineering professorially.

    I'm putting together a video of the new chips, once that's done I'll create a thread about them. They do allow cloning of simple rfid protocols, such as HID and EM4xxx, but cloning credit cards is virtually impossible. Besides, if I could copy credit cards, why would I tell anyone else? :p
  • New chip sounds neat regardless.  I'll likely buy one once you've got them available to us.

    One last thing regarding credit card cloning.  Quoting @Amal's RFID FAQ,

    "The temporary and transient nature of these systems precludes me from
    ever wanting to implant one of their chips into my body. There may be
    another solution to this problem however, so keep an eye on our Facebook

    Care to comment, @Amal?

    And again, sorry for the thread derailment.  We now return to regularly scheduled programming.
  • I guess I didn't really think about the simple solution first. Doing the encryption on the computer itself is basically having a double length password made from password1password2. Hm. The hashing doesn't really help at all without some kind of disconnect between the user and the hash function. Sorry, I'm not a "operating system" login expert, I've only built login systems for websites, with have the inherent disconnect between the server and the client.
  • One of the reasons I like my stupid simple approach to this, is compatibility. We don't have to design a new password replacement, and we don't need special software to use our implants - anything that has a password-based login will work (so like...anything that runs on electricity). It may only be a very marginal increase in security (if any), but it's something you can use daily right now, with a huge array of products and services that are already established, and it's convenient as all get out. If you're super lazy, you could just make the RFID the entire password and stop typing your logins altogether - just swipe and go.
  • edited March 2015
    @aviin - no comment at this time :) I can say I am meeting with a major banking institution in the EU next month.

    Also, I would like to comment that our xEM tag is also capable of being used as a clone. It can be programed with another tag's ID, including HID ProxCard tags.
  • Somehow I missed your response here, @Amal.  Very interesting...  While I'd prefer something implantable that is compatible with the existing banking system, it sounds like you're looking to introduce something new to the banking industry.  Hmmm...
Sign In or Register to comment.