Windows Logon, your input welcome!



  • When I enumerate the credentials that are added by this provider, I have the option of setting the default one (this is the one that gets zoomed in) and I can also set "auto logon" which means it will immediately call SetSerialization on the zoomed one.

    To me, the ideal case would be that no credential option is zoomed in to start with, then you select "NFC Ring" or your password. As soon as you select "NFC Ring", it should start checking for valid NFC tokens and as soon as it finds one, submits that and logs in.

    That would mean there is 1-click to login with NFC. Sound okay?



  • @maz_net_au said:

    @jasok2
    I'm not sure how I'd do that when adding an extra authentication option to an existing user. The reason my user is selected by default in my demo is because I'm logged on as that user already and just locked the PC.
    I'll work on it a bit today and see if I can streamline the process a bit.

    So it appears on the start screen as another user, however when I log in with NFC it just logs on my usual account. When I get home from work I will send a screenshot.

    Cheers.



  • @jasok2 said:

    So it appears on the start screen as another user, however when I log in with NFC it just logs on my usual account. When I get home from work I will send a screenshot.

    Cheers.

    Yeah. That is what I'm aiming for. I've just learned that if I block the main thread, the Windows credential UI says "just a moment" and never completes. I'll push this off into a new thread and see if I can use the CredentialsChanged event to log in. Then I'll do a new video.



  • This is going to take a bit longer than I thought. I need to refactor my Provider -> Credential relationship so that I have another class "NFCReader". The Credential needs to tell the NFCReader to start checking for the ring when it is selected (and stop when de-selected), and when the NFCReader class gets a valid Credential it needs to call the Provider::_credentialProviderEvents->CredentialsChanged() which will re-enumerate the Credentials and if these have AutoLogon set, will call SetSerialization() immediately and automatically complete the process.

    All of this is new to me so I didn't lay out my classes as well as I should have originally. At least now I am confident that it is possible to make the Windows portion of this work how we want, and then it's a matter of making it secure.

    RE: the Kickstarter project. TBH I'd say it's still worth running and you can use the money raised to improve the UI of the registration app and security testing of the credential provider. I'm going to push everything to GitHub once I have it working as a generic solution and probably stop working on it so much.



  • @maz_net_au said:

    . That is what I'm aiming for. I've just learned that if I block the main thread, the windows credential UI says "just a moment" and never

    You know you can actually download and install the ASUS software for free. Obviously it won't work without the right hardware, however you can see what it does to your user account and lock screen and maybe do a bit of reverse engineering.

    You could put it in a virtual machine so as not to mess up your production desktop. Also the NFC Express worked on my Lenovo laptop, so it's not just ASUS boards, but other boards would be hit and miss.

    Edit: here is the link
    https://www.asus.com/Motherboard-Accessories/NFC_EXPRESS/HelpDesk_Download/



  • @maz_net_au OK so even better, you don't even need to go to the lock screen, you just turn on the computer and tap the ring with the reader. I usually went to the lock screen first, but I just got home and tried it out and realised I didn't even need to do that.

    Regardless, I have taken a pic of the screen for you at the lock screen. A video is not really required as all you will see is me touching the reader and the screen unlocks.

    Cheers.

    https://dl.dropboxusercontent.com/u/39091739/Capture3.JPG



  • @jasok2 Some NFC writers (I use the TagWriter app for Android) let you set a 4-character password on a tag to protect it from unauthorized writing.

    I was wondering if they could be protected from reading as well. I've only skimmed through the N216 datasheets, but IIRC these have some encryption support built-in to do things like that.

    I guess what I'm looking for is something like the DESFire EV1 public transport card we have here. AFAIK the data is ciphered and these cards cannot be copied.



  • @Nephiel

    Thanks for that info. I just tried it out with NFC Tools Pro. It worked. I had to remove the password before I could write to the tag.



  • @Nephiel
    @jasok2
    As far as I know, nothing will stop people copying your ring data. If that is the case there isn't much we can do to make this really secure.
    Someone is going to have to test out what we can and can't do on the NFC side of things.



  • I checked the NTAG21x datasheet, these have no built-in encryption like the DESFire. But it is indeed possible to use the password feature to protect the NTAG216 from reading. Also, see http://stackoverflow.com/questions/32607005/how-to-manage-password-protection-on-ntag216-using-the-mifare-lite-sdk

    That feature would prevent the tag from being cloned by any reader without the password.

    On top of that, on the software side of things, you can use the UniqueID of a tag as a hash to encrypt the data on it, so that data can only be decrypted with the same ID.
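    The NTAG216 password-protection setup described in this post, as an added example that is not code from the NFC Ring project: it builds the four configuration page writes (AUTH0, ACCESS with the PROT bit, PWD, PACK) from the NTAG21x datasheet layout, reads them back to report what a tag enforces, and binds a payload to the tag's UID with an HMAC. The host-held secret, the UID and the payload are constructed values; mixing a host secret into the UID binding is an assumption added here, since the UID itself is readable by any reader.

```python
"""Added example (not from the NFC Ring project): NTAG216 password-protection
page layout and a UID-bound check for data stored on the ring."""
import hashlib
import hmac

# NTAG216 configuration pages, per the NTAG213/215/216 datasheet.
CFG0_PAGE, CFG1_PAGE, PWD_PAGE, PACK_PAGE = 0xE3, 0xE4, 0xE5, 0xE6
FIRST_USER_PAGE = 0x04
LAST_PAGE = 0xE6

def protection_pages(pwd, pack, auth0=FIRST_USER_PAGE, read_protect=True, auth_limit=0):
    """Build the page writes that password-protect the tag.

    auth0 is the first page that needs PWD_AUTH (factory default 0xFF = none);
    read_protect sets the PROT bit so reads as well as writes need the password;
    auth_limit (0..7) enables the failed-attempt counter (0 = unlimited tries).
    """
    if len(pwd) != 4 or len(pack) != 2:
        raise ValueError("PWD is 4 bytes, PACK is 2 bytes")
    if not 0 <= auth_limit <= 7:
        raise ValueError("AUTHLIM is a 3-bit field")
    access = (0x80 if read_protect else 0) | auth_limit  # CFGLCK (bit 6) left clear
    return {
        CFG0_PAGE: bytes([0x04, 0x00, 0x00, auth0]),  # MIRROR/MIRROR_PAGE at factory values
        CFG1_PAGE: bytes([access, 0x00, 0x00, 0x00]),
        PWD_PAGE: bytes(pwd),
        PACK_PAGE: bytes(pack) + b"\x00\x00",
    }

def describe_protection(pages):
    """Report what a tag's config pages enforce (useful when auditing a ring)."""
    auth0, access = pages[CFG0_PAGE][3], pages[CFG1_PAGE][0]
    if auth0 > LAST_PAGE:  # AUTH0 beyond the last page disables protection
        return "unprotected"
    mode = "read+write" if access & 0x80 else "write-only"
    return f"{mode} protection from page {auth0:#04x}, authlim={access & 0x07}"

def pwd_auth_command(pwd):
    """PWD_AUTH frame (0x1B + PWD); the tag answers with its 2-byte PACK."""
    return b"\x1b" + bytes(pwd)

def bind_to_uid(uid, host_secret, payload):
    """User-memory blob: payload || HMAC-SHA256(host_secret, uid || payload).
    A payload copied onto a tag with a different UID fails verify_binding."""
    mac = hmac.new(host_secret, bytes(uid) + payload, hashlib.sha256).digest()
    return payload + mac

def verify_binding(uid, host_secret, blob):
    """Return the payload if the blob was bound to this UID, else None."""
    payload, mac = blob[:-32], blob[-32:]
    expected = hmac.new(host_secret, bytes(uid) + payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(mac, expected) else None
```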



  • So... It is all refactored and makes a lot more sense now which is nice.

    I did a new video and you see me testing it with an invalid NFC tag (the top of my ring) and it doesn't login, then when I scan the bottom it instantly lets me in (the ACR122U reader has a great range). You don't need to click anything at all just like the ASUS one.

    I had an idea for how to store the credentials on the machine so I'll do that first and then I can look into password protecting credentials that are stored on the ring.
    Maz



  • @maz_net_au
    Only using 6 indeed.


  • Community Helper

    @maz_net_au Dude, you're on fire. That's awesome.
    FYI with the enterprise login I've been using, it has the three login types listed bottom left of the login window, NFC is selected by default but you can also select standard user login or the NFC alternative/question login.
    This works basically the same as your latest video, tap to login.



  • @Lokki said:

    @maz_net_au Dude, you're on fire. That's awesome.
    FYI with the enterprise login I've been using, it has the three login types listed bottom left of the login window, NFC is selected by default but you can also select standard user login or the NFC alternative/question login.
    This works basically the same as your latest video, tap to login.

    I assume you're on Windows 10? That's what it would look like if you installed my provider too. You'd have "User", "NFC Ring" and "Smart Card" now with the NFC one selected by default.
    I'm just working on saving the user's credentials on the filesystem somewhere and I'll publish the code.


  • Community Helper

    Aah, yes that would be it. I've forgotten what old login screens even looked like at this point.



  • I was going to link in Crypto++ to make sure nothing was ever stored in plaintext, but it appears their wiki webserver has exploded. I'll look into it in the morning; otherwise I'll just be using the symmetric password protect API in Windows for the proof of concept.



  • Argh! 2:40am

    It's working. Also, don't hate me but I've used the registry for storing auth data (more to see if I could read the registry from C++ than anything else).

    But now that my actual data isn't stored in the code I'll be able to push to GitHub or something like that in the morning.



  • Apparently I am not as recovered from surgery as I might have hoped.
    Here is my initial check-in and hopefully I can get back to it again soon.

    https://github.com/maz-net-au/NCFRingCredentialProvider



  • @maz_net_au said:

    Apparently I am not as recovered from surgery as I might have hoped.

    Get well soon :)



  • So resting is dull and I wrote a C++ wrapper around CredProtect, which means I can store an encrypted password which (in theory) only Windows itself can decrypt again. Then I wrote a C# forms app that can call my C++ wrapper and write the data to the registry (this is the precursor to having a registration app). I'm not sure how long I can store the CredProtect result because I'm wary of what Microsoft might mean by "current security context" in their documentation... "The CredProtect function encrypts the specified credentials so that only the current security context can decrypt them." So further testing is needed.

    I'm learning a lot, even if I'm not getting all that much done. As of Monday, I have to go back to my real job so won't be able to spend as much time on this. Ideally by then I'll have some kind of binary package that other people can play around with (without needing to compile it yourselves).