Linux sysadmin, I want to use RFID for 2FA on my laptop/phone

Everything that @Devilclarke said +

The easiest way to do Pseudo-2FA would be the KBR.
It basically just types out the ID of a xNT (or NExT) as if you were typing it.
So you’d just append that to every password you have.
Then you have a password composed of something you know (your passwords) and something you are. (2 factors).
It’s the fastest way and works everywhere (from PC/laptop). I just got it and love it.

If you have a rooted Android phone you can do the same with NFC Tools and NFC Tasks (make a task that simulates keyboard input when scanning your implant).

Also, you should look at the Spark 2 if you’re looking for auth stuff. Also check this out. Here’s the partner map that was mentioned above.

2 Likes

Interesting project, I’m a very bad coder myself, more of a sysadmin, I’ve also noticed VivoKey has a GitHub repo and there’s some stuff.
What’s the deal with those masterkeys, the actual chip can’t be reprogrammed and one can’t regenerate the keys, did I get that correctly?
That means I’d have to use their backend for OAuth and that sort of stuff and I wouldn’t be able to just hook it up to a library and do a challenge/response with in-implant cryptography, I’d have to use their servers.
If I understand that correctly it is kind of a deal breaker to me actually.

Frankly I wouldn’t consider that a proper auth solution, as you said it is pseudo-2FA, I’m actually pretty interested in doing proper cryptography in the chip itself, that is actually something as far as I’m concerned, just making a FOB and using a UUID to do authentication is not acceptable to me.

In more general terms I see this as something on the brink of the “what you have” and “who you are” factors, and that’s what makes it interesting to me from a security point of view.
You can’t possibly lose this and it can’t be stolen without you realizing it, I mean there are weird scenarios where that could be the case but stealing (or losing) a hardware token of some sort is pretty easy, and from a design point of view that hinders the actual security of it as an auth factor, a chip implant cannot be easily taken from you but it’s still just something “that you have”, it almost works as something on the lines of “who you are” but it isn’t proper biometrics.

Thank you very much, I am reading through the forum and online about the tech in a bit more detail, as I was replying above I am interested in this as a proper authentication factor for IT systems, VivoKey seems to be on the right track for that (need to do crypto on the chip to do it properly) but it seems I wouldn’t get access to all the proper crypto functionalities in the chip itself, which is a deal breaker for me.

Crypto on chip, have a look at the DESFire chips, lots of functions!

So off the top of my head you have a few options if you are

Currently the only thing available is the DF and DF2 products. But no one has done much in the way of working with their secure capabilities on this forum at least. I know @NixieGeek has been interested in this space and I am also one day going to look into this.

You also could do something with a NTAG 413 if you can get hold of an unprovisioned spark2? I know @anon3825968 managed to get one, maybe if there is enough interest then @amal might make them more available.

Finally you could hold out for the Apex line. It’s an upcoming line of VK products that utilizes a contactless Java smart card that you can load applications onto for things like signing and token generation.

1 Like

If that’s the case, like mentioned above, you should wait for the apex line.
Signing my own challenges from within the implant is one of the main reasons to get an apex.

Yes. When you buy a Vivokey chip, you buy a Vivokey / Fidesmo-locked chip - i.e. what you really buy is secure access to that particular ecosystem and nothing else. They provision the chips with their own key and there’s nothing you can do about it.

It’s fine if you do want them to authenticate you for anything and everything. But if it don’t sit well with you and you want to roll your own, as I do too, you’re SOL - unless you manage to get your hands on an unprovisioned chip, which isn’t normally offered by VK or DT.

That’s why, unlike most forum dwellers here, I’m not excited at all by the upcoming Apex chip: it looks like a great chip, but I don’t want to implant something under my skin that I don’t have complete control over. But apparently I’m in a minority.

I think Amal was talking about making a reset option available for the Apex. Meaning, if you ask Fidesmo politely, they’ll wipe their key off your chip and then it’s yours to do whatever you please with - and you lose access to the Vivokey / Fidesmo services of course. If that option is offered, it makes the deal more appealing to me.

I feel like the minority in that I want to be an end user. To me, I would rather pay someone to manage all that stuff. At this point Vivokey hasn’t given me a reason to not trust them. I will gladly pay for that service. I would even pay if it has to be a prepaid account.

To be clear, the Apex will let you have your own keys and apps on it, it is just the keys for loading new apps and that sort of stuff Fidesmo controls AFAIK. So like you can still do your own cryptography on it.
This obviously doesn’t negate @Rosco’s thoughts regarding being locked into their ecosystem though, just wanted to clarify for others that unlike the NTAG413 (Spark2) you can sign your own stuff.

That’s why you need 2 Apex’.
1 to do payments (and other Fidesmo stuff), the other to opt out of Fidesmo and deploy your own applets.
(Other Fidesmo stuff could/will include PGP tho’, so no real need for 2 implants if you just want good crypto.)

It’s just a matter of principle to me: my skin, my chip, my master key. There would have to be very compelling reasons for me to implant something tied to someone else’s infrastructure.

For instance, I tried to get my local transport authorities to program an implantable version of their DESfire-based pass card not too long ago. That’s an incentive: I could’ve taken the bus or the train and pay for fares with my hand. I would have sprung for that.

Sadly, the Vivokey / Fidesmo offering isn’t nearly close to being appealing to me yet. As far as I can tell, the only thing VK crypto chips are good for at the moment is logging into the VK forum - unless there are other applications that no-one on this here board cares to talk about. Frankly, that’s kind of bleh…

I recognize VK has a chicken and egg problem: they need to build an appealing infrastructure, and they need early adopter participants to build it. But me, I’ll sit this one out. Just not interested at the moment.

Yep, that is an option I’m considering.

By the way, shouldn’t it be “Apices” in plural? 🙂

3 Likes

Are two Roscos Rosci? Then yeah.

Rosco isn’t Latin 🙂

1 Like

Also, it’s a name. I don’t think you do that for names.
But I’m not a native English speaker and barely passed my Latin classes.

These seem interesting, I had just reached them, need to understand more about the actual capabilities.

I absolutely agree, and if I may there’s also “business” reasons, I mean, ssh keys and secure access to servers, biometrics hasn’t really taken off, but the YUBIKEY has, I see it, last time I checked this space, I mean under the skin implants, there was absolutely no way to do proper auth on these, now the hardware is there and it just seems to be a matter of business strategy, don’t get me wrong I understand completely what they are offering to end-users, cool, have your Bitwarden through their OAuth service, I have my own auth systems tho and I can manage the crypto, even write the code if required, but most importantly I need to plug these things in RHEL systems, or proper enterprise linux systems, and this means I need to plug them directly into open-source standard system libraries, YUBIKEY is just a crypto device that exposes the crypto functionalities via a device driver, give me something like that and this is ready for proper enterprise adoption and as I said in another post in this thread I see this sort of a 2,5FA, it’s not a proper “who you are” factor, but proper biometrics comes with its own hurdles, an implant is an actual “what you have” factor, like the YUBIKEY, but it’s a lot more secure, and I mean legally speaking, you can’t tell me you lost your key and somebody stole it alongside your password, if this gets stolen somebody had to cut open your skin, it’s a different legal scenario, and this makes a world of difference to me (and a lot of businesses I’d guess)

Java Cards make kittens cry, but yeah, they seem like an alternative, do you think they will be able to do something better than AES-256?

By the way, I forgot to mention: you did ask if you could use RFID for 2FA on Linux with PAM integration. You didn’t say anything about crypto. SiRFIDaL will do 2FA (or 3FA or whatever) with UUIDs (check out this file for details). So technically, my answer was correct 🙂
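
The difference the thread keeps returning to, UID-appended passwords versus challenge/response computed in the chip, as an added example that is not code from any poster, SiRFIDaL or VivoKey. HMAC-SHA256 stands in for whatever primitive a given chip implements, and the UID, key, password and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values, not taken from any real implant or account.
ENROLLED_UID = "04A1B2C3D4E5F6"
TAG_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # hypothetical key


def verify_static(typed, stored_password):
    """Pseudo-2FA: the reader 'types' the UID after the password."""
    expected = (stored_password + ENROLLED_UID).encode()
    return hmac.compare_digest(typed.encode(), expected)


def tag_respond(key, nonce):
    """Stand-in for the computation a crypto-capable chip does internally."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Verifier:
    """Host side of a challenge/response; every nonce is accepted once."""

    def __init__(self, key):
        self._key = key
        self._pending = set()

    def new_challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def check(self, nonce, response):
        if nonce not in self._pending:
            return False  # unknown or already-used challenge
        self._pending.discard(nonce)
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    """Return (static_replay, first_use, same_nonce_replay, new_nonce_replay)."""
    observed = "hunter2" + ENROLLED_UID  # identical string on every login
    static_replay = verify_static(observed, "hunter2")
    host = Verifier(TAG_KEY)
    nonce = host.new_challenge()
    response = tag_respond(TAG_KEY, nonce)
    first_use = host.check(nonce, response)
    same_nonce_replay = host.check(nonce, response)
    new_nonce_replay = host.check(host.new_challenge(), response)
    return static_replay, first_use, same_nonce_replay, new_nonce_replay
```

`demo()` shows that the static string verifies again whenever it is resubmitted, while a recorded response is rejected both for its own nonce and for a fresh one.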