Windows Logon, your input welcome!

Lokki

The software I'm testing at the moment is an enterprise product that hooks into the existing windows login.
It's a little clunky, difficult to set up and is definitely not aimed at the casual consumer. I'm also having a few other issues that I might talk about later.

maz_net_au

I just got home and found my arc122 waiting for me. i'm basically bedridden for a week so it'll give me a chance to start tinkering away with it. got any advice or suggestions where to get started with it? Might just save me a bit of time. Otherwise i'll see how i get on with making it lock / unlock windows.
Maz

maz_net_au

Okay. So I've just spent some time to create a custom credential provider for windows 7, 8, 10 etc and I have code that talks to my ARC122U reader (all in C++).
Security... If i do it based on the ID, copying the NFC ring would allow someone else to access the machine.
If i store a certificate on the ring (I should be able to fit one), then I'd need to create a C# UI that streamlines the registration / certificate creation process (if possible, i havent actually tried this yet).
My question is, how secure is this expected to be?

my vm's lockscreen...
Lockscreen.jpg

johnyma22

@maz_net_au oh wow that is amazing!!

If you peep the campaign preview we kinda talk about security. Basically storing anything on the NDEF record should be an optional step that if people want to do, they can.. Source: https://www.kickstarter.com/projects/mclear/526261309?token=201aa2e8

It sounds like you are developing this thing for real.. Did you want to do this, like, for real? We had a dev lined up but if you are up for it we'd be happy to chat with you if you are doing this as an itch to scratch anyway :)

Can't hurt to be paid to make what you want right?

maz_net_au

@johnyma22
I was hoping to get a proof of concept going today but given that its 11pm i might not finish it tonight.
If I can get it working then I'm happy to turn over all the code for free with whatever license you like. I have a good job with Fove Inc already and don't need any extra pressure right now. I'm actually at home sick this week (recovering from some minor surgery) but it's so dull I thought I'd do a bit of code (even though the painkillers add an extra challenge).
I'll keep updating with my progress here and you can decide if you'd like your dev to start from scratch or if they can use my code to help a bit.

So far I have the credential provider showing, and when the user selects the NFC Ring option it connects to the first card reader and pulls the UID off the card there. Now I'm trying to find a good way to compare that with a registered ring's value and then pass a credential across to windows. The C++ documentation around ICredentialProvider is pretty frustrating. AFAIK there isn't a good way for .Net to access these API's without wrapping a C++ dll.
Maz

Engarde

On the upside the older gina api is even more frustrating...

maz_net_au

@Engarde
Haha. Yeah. I'm not even going near that. If you're still using XP then too bad :P

Engarde

For my sins I've had to work with different generations of a number of their APIs, and the one thing they appear to never learn is to improve the docs.
I blame the summer interns that get tasked to write them...

maz_net_au

@Engarde
I just found a useful set of examples for vista. If I merge that with the code I've already got I should be able to actually get this working tonight.
https://www.microsoft.com/en-us/download/details.aspx?id=4057#Overview

Engarde

A ten year old example might confuse you more than aid you, but good luck.

maz_net_au

BAM!
Hard-coded proof of concept working...

So,
I can potentially store the CredProtectW protected credentials on the NFC ring itself so that way I dont have to store the users details on the filesystem of the machine they're logging into. Or do we want both options?

I'm learning all about NFC as I go so forgive me if I don't know what I'm doing on that side of things.

maz_net_au

Just in case anyone wanted to see I made a terrible video.
This is just a proof of concept!

I think I'm the only person in the world who can easily log on to my home desktop PC with an nfc ring right now.

Engarde

Well done

SanyaIV

@maz_net_au said:

I think I'm the only person in the world who can easily log on to my home desktop PC with an nfc ring right now.

Well I'm using Asus NFC Express and I think it's pretty easy to use with the NFC Ring. With this the Asus NFC login is selected by default and I'm logged in as soon as my ring is read (no need to click anything) The hard part is getting the Asus NFC Express to read the ring, it seems to have a sweet spot that I'd guess has a diameter of <1cm. (And lets not forget that it apparently only works on Asus Motherboards(?))

I'd really like to see an open source program of equivalent ease of use if only to get compatibility with a better reader because this Asus NFC Express that I've got is really "weak". Oh and it'd be nice with the ability to use the ID of the tag rather than writing and reading from the tag, that way I can write other stuff to the ring.

Edit: Can someone explain to me why using NDEF Records provides greater security than using the ID? Couldn't you copy the NDEF Records too?

johnyma22

+1 @SanyaIV that's exactly how I feel.. The ASUS NFC Express has a pretty decent UI but it's hardware is not perfect. We can definitely do things better. For example the ACR122 unit has great matching w/ small tags so using that is a joy!

RE NDEF Records, I feel I know the answer but I'm more interested to hear other peoples view points on it..

Lafunamor

@maz_net_au said:

Those screeeeeeeeens..... <3

jasok2

@maz_net_au said:

Just in case anyone wanted to see I made a terrible video.
This is just a proof of concept!

I think I'm the only person in the world who can easily log on to my home desktop PC with an nfc ring right now.

wow such screens.. I also use the ASUS NFC express and the usability is much better than this video demonstrates. I think (As others have already mentioned here) that we need the software to work just as well as the ASUS software but with more reader flexibility.

Nephiel

The tags on the newer 2016 rings have password protection built in, right? Couldn't we use that to ensure the tag cannot be read (and therefore cannot be copied) by any reader who doesn't have that password?

jasok2

@Nephiel said:

The tags on the newer 2016 rings have password protection built in, right?

I didn't know that, how does it work ??

maz_net_au

@SanyaIV
Could you do me a favour and record you using the ASUS software? I had some thoughts on how to make it work automatically as I scanned rather than having to click which i'll try out today.
And yeah, I haven't had a chance to research the NDEF record side of things and I'll keep thinking of a way to add some security to this.