"Dumb" NFC chip login, for convenience more than for security

So, I got a Mifare Classic 1k chip implanted in my left hand, that I wanted to use to log into our Linux servers and desktop machines, as well as a few Windows 10 machines we have lying around at the office. I tried several stacks / applications, and eventually cobbled together a couple of scripts to achieve that, because there are surprisingly few solutions for what is essentially a convenience function that actually degrades security.

I figured I'd share what I have going on Linux and on Windows, to save other people the time it took me to get what I wanted.

The trouble is, the Mifare Classic is essentially a small memory tag without any meaningful crypto that could be used for true secure authentication. Worse, I only want to use its UID to authenticate me on our machines, for the sake of simplicity and portability.

But bear in mind, my need is not a sensitive application: our servers are in a secure warehouse, and we only need to log in and out to prevent other technicians from walking in and typing stupid commands as root. As for our Linux and Windows desktop machines, we only need to lock the screen - or log out - to prevent other workers from playing pranks on our machines when we leave our desks. For those two purposes, typing long passwords gets tiring fast, and a simple, weak authentication method to replace it is good enough.

So what's out there to log in and out, and lock the screen, with a dumb NFC tag?

  • On Linux

Nothing, essentially. So I came up with my own solutions.

I made a small PAM module that can handle basic authentication with an NFC UID (so you can login at the console, or do su / sudo without typing a password), and a graphical screen locker for the Gnome or Cinnamon environment. They're pretty simple Python scripts that use the PCSCLite library and the pcscd daemon exclusively - so they work on a real machine as well as in a VirtualBox instance, unlike libnfc programs.

You can find them here: https://github.com/Giraut/nfcutils. The instructions to install them are in the comments in the scripts themselves. You'll need pcscd obviously, and the pyscard Python module. Chances are "apt-get install pcscd" and "pip3 install pyscard" will get them installed on your machine. If not, you'll have to figure out how to get them installed on your particular distro.

  • On Windows

I tried a few applications. Only two work well in my opinion:

  1. Rohos Logon Key. It's not free, and it's a bit annoying because it forces you to enter a PIN code even if you don't want to (but you can leave it blank and hit ENTER). But it works flawlessly, including for domain logons.

  2. ISLOG Logon NFC Community: it's totally free, and it works well for local Windows accounts, but it doesn't work for domain logons. Unfortunately, ISLOG Logon NFC seems to be abandonware, as it's impossible to trial or order the non-free version, which may or may not have handled domain logons. And I couldn't find a copy of the non-free version anywhere on the internet to evaluate it, even after extensive searching.

So, if you're in an enterprise setting, I recommend Rohos Logon Key, which is well worth the money. If you only need to log into your home PC, I'd say go for ISLOG Logon NFC Community.
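
The UID-only check that a PC/SC-based login helper like the Linux one described above has to perform, as an added example that is not taken from the nfcutils scripts. The function names, the `salt$digest` store format and the sample UIDs are assumptions constructed for illustration; the reader response is passed in as the `(data, sw1, sw2)` tuple that pyscard's `transmit()` returns, so the block runs without a reader attached.

```python
import hashlib
import hmac
import os

# PC/SC Part 3 pseudo-APDU asking a contactless reader for the tag's UID.
# With pyscard: data, sw1, sw2 = connection.transmit(GET_UID_APDU)
GET_UID_APDU = [0xFF, 0xCA, 0x00, 0x00, 0x00]
ITERATIONS = 100_000


def uid_from_response(data, sw1, sw2):
    """Return the UID as uppercase hex, or None unless the reader said 90 00."""
    if (sw1, sw2) != (0x90, 0x00) or not data:
        return None
    return bytes(data).hex().upper()


def enroll(uid_hex):
    """Build a 'salt$digest' record so the raw UID is not stored in clear.

    A 4-byte UID has only 2**32 values, so the hash merely slows guessing:
    the store (hypothetical format) must still be readable by root only.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", uid_hex.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def uid_matches(uid_hex, record):
    salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", uid_hex.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def authenticate(user, response, store):
    """True if the presented tag's UID is enrolled for this user."""
    uid = uid_from_response(*response)
    if uid is None:
        return False
    # Check every record (no early exit) so timing does not depend on position.
    results = [uid_matches(uid, rec) for rec in store.get(user, [])]
    return any(results)


# Constructed sample data: one user with two enrolled tags (7- and 4-byte UIDs).
STORE = {"alice": [enroll("04A1B2C3D4E5F6"), enroll("DEADBEEF")]}
```
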

Comments

  • You wrote code to allow use of low frequency RFID to login to Linux? You're awesome. Or am I misunderstanding?
  • edited December 2019

    I wrote code to allow generic Linux login with any contactless card or tag that supplies a UID - that is, pretty much all of them. That includes low frequency RFID tags, provided your RFID reader is PC/SC-compatible.

    For instance, my Elatec TWN4 Multitech reads RFID and NFC tags, and I use it to log into my Linux box with both.

    Or, another example, if you install the vsmartcard PC/SC driver (https://frankmorgner.github.io/vsmartcard/virtualsmartcard/README.html), you can simulate the insertion of a card with the vicc command, and it'll log you in also.

    Like I said, it's not terribly secure but it's convenient - which is good enough for a local machine used for non-critical purposes, i.e. your personal computer.

  • edited December 2019

    An image being worth a thousand words, here's a video of me authenticating under Linux with my NFC implant (left hand) and my RFID implant (right hand):

    Linux PAM authentication with NFC and RFID implants

    And here's another trick you can do with my scripts: use a cellphone as an external NFC reader to authenticate under Linux:

    Linux PAM authentication with NFC implant and cellphone as a reader

    It's a bit of a Rube Goldberg setup, and it's not really that convenient because the whole thing stops working when Android goes into deep sleep and stops the NFC reader. But it's doable - just for the fun of it :)
