keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

HMAC-SHA1 challenge response via NFC #4090

Closed PaddeK closed 3 years ago

PaddeK commented 4 years ago

Summary

This feature would open up HMAC-SHA1 challenge response 2FA to NFC smartcard devices like rings, fobs, cards, etc., and it would free up a precious USB slot. Also, it would ease the transition to the all-USB-C future.

Desired Behavior

Instead of, or in addition to, just scanning for supported HMAC-SHA1 challenge response devices plugged into a USB slot, scan for NFC readers. If a supported NFC smartcard device is found, the user can choose which slot to use, just as if it were plugged into USB.

Context

I own multiple devices with different USB types and using adapters is tedious. Additionally, smartcards which can run the YubiKey applet for HMAC-SHA1 challenge response are way cheaper and possibly more attractive to users.

droidmonkey commented 4 years ago

Does any desktop or laptop computer have an NFC reader?

Tien1602 commented 4 years ago

Hi droidmonkey,

I use a Yubikey 5 NFC and an NFC USB reader. With the Yubico Authenticator it is possible to use this combination. With KeePassXC unfortunately not. So, it would be very nice if KeePassXC would support NFC readers too. In Yubico Authenticator I have to set up the "Interface - Configure how to communicate with the YubiKey" from "CCID" to "CCID with custom reader" and then I can select the "ACS ACR122 0" reader device. Thanks for your tool!

droidmonkey commented 4 years ago

The problem is that we are not a single authentication scheme. Every time you save your database your key needs to be re-challenged. This would require you to swipe your key on every change. The fastest way to even start supporting this is to petition yubikey to release a ykcore library that polls nfc.

PolyMMA commented 4 years ago

Hi!

I am running Yubikey 5 NFC with HMAC-SHA1 challenge-response with KeePassXC on computers over USB, and with keepass2Android via NFC (using the open-source app ykDroid).

Does any desktop or laptop computer have an NFC reader?

From my own experience: Dell Latitude 7490, Dell Latitude E6430. They are quite common professional laptops and they read and follow through on NDEF programming.

Additionally, I would gladly buy a separate NFC reader and use it with the computer instead of physical interaction of USB.

The problem is that we are not a single authentication scheme. Every time you save your database your key needs to be re-challenged. This would require you to swipe your key on every change. The fastest way to even start supporting this is to petition yubikey to release a ykcore library that polls nfc.

I love the fact that you require a re-challenge for every save, besides the unlocking! I would welcome the swiping every time. At the moment I need to interact with the key every time anyway (touch). I believe this is good!

All in all, thank you for a great and versatile software that performs its tasks excellently! :100:

mashedkeyboard commented 3 years ago

This would be a really handy feature for everyone who keeps a YubiKey with the press-button requirement for challenge-response. It's useful beyond that because I keep my YubiKey on a retractable keychain that stays clipped to me, to prevent it from being lost; it's a right pain to have to take the key out, plug it in, hit refresh, select the device, press the button and then be into the manager. Being able to just tap the key against an NFC pad would be so much easier, as I can on my phone!

@Tien1602 mentioned above that Yubico Authenticator does support this - I dug out the diff where that support was added, and it's here: https://github.com/Yubico/yubioath-desktop/pull/431/commits/ecb7dbc53a88bc6236cf78548f6451b252492795#diff-0f41c25e8de3b80e79d508ffd8c3c2b2d833934a82f6fa12f954b29f3f7fc32a

I'll freely admit I don't know enough about either KeePassXC's internals or Yubico Authenticator's in order to do a great deal with this information, but I'd be very happy to make a contribution to help offset the development time of this, or to help test it. This is the main thing blocking me using my YubiKey to secure my vault at the moment, so it would be super useful!

StarGate01 commented 3 years ago

I found a project where an HMAC-SHA1 Challenge-Response PAM module for the Yubikey Neo via NFC is implemented: http://www.average.org/chal-resp-auth/ . The communication is implemented via PC/SC, which the various Yubikeys already implement over USB as well as over NFC (requiring a compatible reader), and this protocol is well supported on all major OSes. This approach also eliminates the need to implement NFC handling.
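To make the two technical points of this thread concrete (droidmonkey's remark that the key must be re-challenged on every save, and StarGate01's observation that the transport is separable from the HMAC-SHA1 logic), here is an added, self-contained Python illustration. It is not KeePassXC code and not code from any of the projects linked above. It models a token as anything exposing a `challenge_response(slot, challenge)` method; `SoftwareToken` is an in-memory stand-in whose secret never leaves the object, and a USB HID or PC/SC (NFC) transport would implement the same interface. The key-combination formula in `derive_unlock_material` is a simplified sketch, not KeePassXC's actual composite-key construction, and the 20-byte secret and 32-byte challenges are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Protocol

# A YubiKey HMAC-SHA1 slot holds a 20-byte secret and answers challenges of at
# most 64 bytes with the 20-byte HMAC-SHA1 of that challenge (secret never leaves it).
MAX_CHALLENGE_LEN = 64
HMAC_SHA1_KEY_LEN = 20


class ChallengeResponseToken(Protocol):
    """The only operation the host needs; a USB HID or PC/SC (NFC) driver would implement it."""

    def challenge_response(self, slot: int, challenge: bytes) -> bytes: ...


class SoftwareToken:
    """In-memory stand-in for a hardware token (assumption: constructed for this example)."""

    def __init__(self, slot_secrets: Dict[int, bytes]):
        for slot, secret in slot_secrets.items():
            if len(secret) != HMAC_SHA1_KEY_LEN:
                raise ValueError(f"slot {slot}: secret must be {HMAC_SHA1_KEY_LEN} bytes")
        self._secrets = dict(slot_secrets)  # kept private; only responses are returned

    def challenge_response(self, slot: int, challenge: bytes) -> bytes:
        if slot not in self._secrets:
            raise ValueError(f"slot {slot} is not configured for challenge-response")
        if not 1 <= len(challenge) <= MAX_CHALLENGE_LEN:
            raise ValueError("challenge must be 1..64 bytes")
        return hmac.new(self._secrets[slot], challenge, hashlib.sha1).digest()


def rfc2202_selfcheck(token_factory=SoftwareToken) -> bool:
    """Verify the emulated device against RFC 2202 HMAC-SHA1 test case 1."""
    token = token_factory({1: b"\x0b" * 20})
    expected = bytes.fromhex("b617318655057264e28bc0b6fb378c8ef146be00")
    return token.challenge_response(1, b"Hi There") == expected


def derive_unlock_material(token: ChallengeResponseToken, slot: int,
                           challenge: bytes, password: bytes) -> bytes:
    """Host side: fold the token's response into the password-derived material.

    Simplified sketch (assumption): SHA-256(SHA-256(password) || HMAC-SHA1 response).
    The token must be present because the response cannot be computed without the secret.
    """
    response = token.challenge_response(slot, challenge)
    return hashlib.sha256(hashlib.sha256(password).digest() + response).digest()


def save_database(token: ChallengeResponseToken, slot: int, password: bytes,
                  challenge: Optional[bytes] = None):
    """Every save writes a fresh challenge into the header, so the token is needed again.

    Returns (header_challenge, key_material); the challenge is stored in clear in the
    file header, the key material is what the file is encrypted under.
    """
    header_challenge = challenge if challenge is not None else os.urandom(32)
    return header_challenge, derive_unlock_material(token, slot, header_challenge, password)


def unlock_database(token: ChallengeResponseToken, slot: int, password: bytes,
                    header_challenge: bytes) -> bytes:
    """Opening the file re-presents the stored challenge to the token."""
    return derive_unlock_material(token, slot, header_challenge, password)


if __name__ == "__main__":
    # Constructed sample secret; a real one is programmed into the key and never read back.
    key = SoftwareToken({2: bytes(range(20))})
    pw = b"correct horse battery staple"
    hdr, material = save_database(key, 2, pw)
    assert unlock_database(key, 2, pw, hdr) == material
    # A second save gets a new challenge, hence a new response: the token is touched again.
    hdr2, material2 = save_database(key, 2, pw)
    print("fresh challenge on save:", hdr != hdr2, "key material changed:", material != material2)
    print("RFC 2202 self-check:", rfc2202_selfcheck())
```

The `__main__` section walks through one save/unlock cycle and shows that a second save produces a different challenge and therefore a different response, which is exactly why a polling NFC transport cannot be a one-shot authentication at unlock time: the host needs the token in range at each save as well.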