Password Management: Ring keys in passwords
New to the forum, so maybe I've missed mention of this... But, I would like to build an app that allows the Ring to authenticate the "release" of the appropriate (app/website specific) password. I don't know how data is stored and encrypted on the ring, but if possible, passwords could be stored on the ring and transferred into the app/sites active password field via some method of key press emulation (taking over the active, on-screen keyboard).
I think the magic here, would be activating key presses somehow, so that the active app essentially receives the password as if the user had pressed each key in succession.
This would solve one of the main problems with password use on mobile devices: 1) Hard to type longer/secure passcodes on teeny-tiny keyboards (and generally, it just sucks trying to remember 50 different passwords). It would also create an essentially universal & fairly frictionless password manager. Right now, every mobile password manager requires a complex master passcode. Well, that's just as annoying as typing my other longer passwords. And even the password managers that step in with their own keyboards, trying to fill-in the password for you (with copy-paste) still require use of the master code and additional taps to initiate the "fill"... just more friction for the user... who simply wants to get signed in quickly and securely.
Frictionless: Banking app sign-in screen, tap password field, tap ring -- signed in.
Hi @passtouch, the NTAG203 doesn't utilise encryption.
You could though, if you treat the ring as an activation device and have it prompt external software to send the correct password, stored safely and encrypted of course.
Direct storage of a password would be rather messy at the moment though.
I get what you're saying with mobile though, and it could be used similarly to the fingerprint scanners as an authorisation device.
With such a system and the facility to remove or disable it remotely in case of theft or loss then you'd have an idea worth looking into.
Hey @Lokki, thanks for the reply and explanation!
Yeah, that makes sense... encrypt the passwords within the application (held locally/securely on the device).
Exactly my thoughts... instead of scanning a fingerprint, the Ring is "scanned". Disabling this remotely (shutting down the ring, so to speak) would be a great security feature. I've been wanting to develop this for a few years now, but never had a good way to wrap an NFC tag around my finger (until discovering this!)
In my opinion, a wearable authenticator is a much better idea than a fingerprint (something you have vs. something you "are"). And a non-powered ring is the perfect implementation (also, biased). With my knowledge of existing fingerprint scanners, they are limited to very specific authentication points... i.e. iPhone: access on the lock-screen. But what about the numerous websites and other native apps that require passwords? Sure, a native app can integrate the fingerprint scan, but how seamless is that? There will still be other points of access for that native app that will rely on a password.
This idea bridges the divide between accessible password alternative -and- passwords themselves. I had hoped to eradicate the world of passwords when I developed Passtouch, but yeah, not going to happen. I've since swallowed the pill of "stuck with passwords", but there is still a way to use them, without using them.
Hoping to find some support for the idea here... and maybe someone that would like to help prototype develop the app. I'm certainly ready to stop typing and start tapping.
@passtouch yeah no worries, happy to help out.
The thing I prefer about using the ring rather than a fingerprint is that you can always change your ring but you can't change your fingerprint. I'm in complete agreement on this, something you wear versus something you are.
From a corporate/business perspective the idea could be useful as it allows remotely altering access privileges as is currently possible with a swipe card combined with better anti theft security - you're always looking at your hands and you'll notice a missing ring faster than you would a missing wallet or lanyard, and it's far harder to distance read a ring.
User is issued a ring, UID is logged and an identifier string is written to the ring. Approved access to whatever you want is then given to UID+STRING, at a level appropriate to that person as specified in the program or system. Loss of ring is countered by removal from the database.
Easy-peasy eh? ;-)
I'd offer to help but I'm already trying to ditch a few projects that I shouldn't have put my hand up for, but I'm happy to answer questions or bounce ideas around here.
@Lokki Indeed... easy-peasy, lol :-)
Totally understand... Appreciate your feedback, and look forward to more idea sharing.
I've added something similar to this in a fork of passwdsafe for android by Jeff Harris. The master password is encrypted and stored on the Nfc tag. Then, when the password entry prompt is displayed, the tag can be used to unlock the safe instead of typing in the password.
To keep the master password safe:
- I have a dialog ask for the password safe password and a new encryption password.
- The password safe password is encrypted using the encryption password and the resulting string stored on the NFC Tag
- The encryption password is itself encrypted using the encrypted string (that's on the tag) and this second encrypted string is stored on the device in the application prefs area.
This way, both pieces of data are safe on their own but when brought together can be used to unlock the password safe.
The code is here: https://github.com/tombriden/passwdsafe but it's pretty rough at the minute as I've not had much time to do it properly (eg it's own 'create key' button and a nice a progress dialog for the tag writing rather than monitoring adb logcat :) )
Or you could use a password and generate a keyfile from text stored on the ring.
Ideally, the ring would have to be at least Ultralight C or Mifare plus as they have encryption. (Perhaps a future upgrade)
Another method may be to access an encryption key online via a password and that is used to decrypt sector stored information on the ring.
A simple and immediate boost to security might be to use information contained on your ring now as password padding.