Windows Logon, your input welcome!
-
Just in case anyone wanted to see I made a terrible video.
This is just a proof of concept!I think I'm the only person in the world who can easily log on to my home desktop PC with an nfc ring right now.
-
Well done
-
@maz_net_au said:
I think I'm the only person in the world who can easily log on to my home desktop PC with an nfc ring right now.
Well I'm using Asus NFC Express and I think it's pretty easy to use with the NFC Ring. With this the Asus NFC login is selected by default and I'm logged in as soon as my ring is read (no need to click anything) The hard part is getting the Asus NFC Express to read the ring, it seems to have a sweet spot that I'd guess has a diameter of <1cm. (And lets not forget that it apparently only works on Asus Motherboards(?))
I'd really like to see an open source program of equivalent ease of use if only to get compatibility with a better reader because this Asus NFC Express that I've got is really "weak". Oh and it'd be nice with the ability to use the ID of the tag rather than writing and reading from the tag, that way I can write other stuff to the ring.
Edit: Can someone explain to me why using NDEF Records provides greater security than using the ID? Couldn't you copy the NDEF Records too?
-
+1 @SanyaIV that's exactly how I feel.. The ASUS NFC Express has a pretty decent UI but it's hardware is not perfect. We can definitely do things better. For example the ACR122 unit has great matching w/ small tags so using that is a joy!
RE NDEF Records, I feel I know the answer but I'm more interested to hear other peoples view points on it..
-
-
@maz_net_au said:
Just in case anyone wanted to see I made a terrible video.
This is just a proof of concept!I think I'm the only person in the world who can easily log on to my home desktop PC with an nfc ring right now.
wow such screens.. I also use the ASUS NFC express and the usability is much better than this video demonstrates. I think (As others have already mentioned here) that we need the software to work just as well as the ASUS software but with more reader flexibility.
-
The tags on the newer 2016 rings have password protection built in, right? Couldn't we use that to ensure the tag cannot be read (and therefore cannot be copied) by any reader who doesn't have that password?
-
@Nephiel said:
The tags on the newer 2016 rings have password protection built in, right?
I didn't know that, how does it work ??
-
@SanyaIV
Could you do me a favour and record you using the ASUS software? I had some thoughts on how to make it work automatically as I scanned rather than having to click which i'll try out today.
And yeah, I haven't had a chance to research the NDEF record side of things and I'll keep thinking of a way to add some security to this. -
@Lafunamor
Thanks. I used to work for a telco here that went bankrupt and I was in a position to buy a lot of the hardware they were using there for liquidator prices. e.g I got 16x 24" screens for $17 each about.. 3 or 4 years ago. I'm only using 6 on my desktop though (I had to design and build a desk to hold them how I wanted) -
@jasok2
You could also do a recording to show me what the ASUS experience is like. I'm happy to try and make something that is as usable.
Once I make a registration program (so that my details aren't hardcoded) I'll open source my project and other people could also jump in and make it more usable. -
I wont be able to do that for a while however I can get you a screen shot of the lock screen sooner.
There isn't much to show you. The NFC logon user is always the default one that comes up on the windows login screen so there no clicking or anything to do.
literally this is the steps.
1- Turn on your computer
2- tap your ring on the reader.there are no other steps, nothing else to see or do.
-
@jasok2
I'm not sure how I'd do that when adding an extra authentication option to an existing user. The reason my user is selected by default in my demo is because I'm logged on as that user already and just locked the pc.
I'll work on it a bit today and see if i can streamline the process a bit. -
When I enumerate the credentials that are added by this provider, I have the option of setting the default one (this is the one that gets zoomed in) and I can also set "auto logon" which means it will immediately call SetSerialization on the zoomed one.
To me, the ideal case would be that no credential option is zoomed in to start with, then you select "NFC Ring" or your password. as soon as you select "NFC Ring", it should start checking for valid NFC tokens and as soon as it finds one, submits that and logs in.
That would mean there is 1-click to login with NFC. Sound okay?
-
@maz_net_au said:
@jasok2
I'm not sure how I'd do that when adding an extra authentication option to an existing user. The reason my user is selected by default in my demo is because I'm logged on as that user already and just locked the pc.
I'll work on it a bit today and see if i can streamline the process a bit.so it appears on the start screen as another user, however when i login with NFC it just logs on my usual account. When i get home from work i will send a screen shot
Cheers.
-
@jasok2 said:
so it appears on the start screen as another user, however when i login with NFC it just logs on my usual account. When i get home from work i will send a screen shot
Cheers.
Yeah. That is what I'm aiming for. I've just learned that if I block the main thread, the windows credential UI says "just a moment" and never completes. I'll push this off into a new thread and see if I can use the CredentialsChanged event to login. Then I'll do a new video.
-
This is going to take a bit longer than I thought. I need to refactor my Provider -> Credential relationship so that I have another class "NFCReader". The Credential needs to tell the NFCReader to start checking for the ring when it is selected (and stop when de-selected), and when the NFCReader class gets a valid Credential it needs to call the Provider::_credentialProviderEvents->CredentialsChanged() which will re-enumerate the Credentials and if these have AutoLogon set, will call SetSerialization() immediately and automatically complete the process.
All of this is new to me so I didn't lay out my classes as well as I should have originally. At least now I am confident that it is possible to make the windows portion of this work how we want and then its a matter of making it secure.
RE: the kickstarter project. TBH I'd say its still worth running and you can use the money raised to improve the UI of the registration app and security testing of the credential provider. I'm going to push everything to github once I have it working as a generic solution and probably stop working on it so much.
-
@maz_net_au said:
. That is what I'm aiming for. I've just learned that if I block the main thread, the windows credential UI says "just a moment" and never
you know you can actually download and install the ASUS software for free, obviously it wont work without the right hardware, however you can see what it does to your user account and lock screen and maybe do a bit of reverse engineering.
you could put it in a virtual machine so as not to mess up your production desktop. Also the NFC express worked on my lenovo laptop so its not just ASUS boards but other boards would be hit and miss.
edit - here is the link
https://www.asus.com/Motherboard-Accessories/NFC_EXPRESS/HelpDesk_Download/ -
@maz_net_au OK so even better, you don't even need to go to the lock screen, you just turn on the computer and tap the ring with the reader. I usually went to the lock screen first, but I just got home and tried it out and realised I didn't even need to do that.
regardless I have taken a pic of the screen for you at the lock screen. A video is not really required as all you will see is me touching the reader and the screen unlocks.
Cheers.
-
@jasok2 Some NFC writers (I use the TagWriter app for Android) let you set a 4-character password on a tag to protect it from unauthorized writing.
I was wondering if they could be protected from reading as well. I've only skimmed through the N216 datasheets, but IIRC these have some encryption support built-in to do things like that.
I guess what I'm looking for is something like the Desfire EV1 public transport card we have here, AFAIK the data is cyphered and these cards cannot be copied.