Not the only way… but it is correct that the xDF2 (or flexDF / flexDF2) are capable of encrypted challenges that are actually secure.
Actually this is not accurate… the DESFire EV1 and EV2 chips are capable of setting up a DF key exchange to establish a secure channel to communicate with the reader, then a symmetric key authentication is performed to unlock one or more AIDs on the DESFire chip. This process could not be sniffed or spoofed. It’s why DESFire EVx based keyfobs and cards cannot be cloned.
While true, regardless of the fact I say exactly this to people who are concerned about chip security within the “personal scope”, it has always bothered me that there were no actual secure options available. It is high time that a secure option be made available to both home and enterprise users.
Well, time to come right out and say it… that is the plan… at least for VivoKey. There are many moving parts here but ultimately I think in the end we will have the “community” version which will leverage some pretty awesome options… and a “VivoKey version” which will have additional management options through the VivoKey platform. That connection with the VivoKey platform will require some hardware and firmware options to secure that connection, so those elements cannot be open source - hence a split between the community version and the VivoKey version. I can tell you that the community version can definitely leverage a secure option, particularly with the DESFire EVx chips… the issue however (as noted above) will be the management aspect. For us, we plan to put secure management into the VivoKey app itself, however the community edition would need some plan and mobile app developers for this… or maybe there could be some smart way of provisioning a new file (application in DF parlance) on new DF chips with factory keys via the lock itself… anyway… we can build that bridge when we get to that chasm. I know that’s not how you say that cliche, but it makes way more sense to me said that way.