Secure acess control with the apex

Is there a way to use the Vivokey apex’s cryptographic abilities to make a more secure acess control system, using an arduino or something simmilar. Just using the ID number for authentication is insecure, and is suseptible to cloning attacks.

1 Like

I assume you are referring to physical access security. For digital-only authentication, I recommend FIDO2 or the Vivokey auth API.

I wrote an demo implementation of HMAC-SHA1 on an Arduino at GitHub - StarGate01/ykhmac-uchost: Yubikey HMAC-SHA1 challenge-response auth on Arduino (see also NFC Hacking: Part 1 – Authentication Systems Security – CHRZ Engineering)

Another option is to use FIDO2, but I have not seen any door locks using that (yet), and it might be hard to fit all the logic for FIDO2 inside an Arduino.

Vivokey also offers the authenticity API ( which you can use via the NDEF or Spark applet on the Apex, that could be used to build something around as well if your chip has an internet connection.

1 Like

For stand-alone offline systems I would suggest trying HMAC-SHA1 like @StarGate01 mentioned. You set keys 1 and 2 and then you can present challenges to it. If you present the same challenge over and get back the same thing every time. Present different challenges and get back different responses. It’s a simple data conversion machine based on secret keys.

This is how it can be useful;


  • put lock in “register mode”
  • present Apex
  • lock sends random challenge to Apex
  • Apex responds
  • lock stores challenge and response
  • Apex is registered


  • Apex presented to lock
  • lock sends stored challenge
  • Apex responds
  • lock checks response (match)
  • lock sends new random challenge
  • Apex responds
  • lock stores new challenge and response (rolling code)

This way, the lock never needs to know the secret key stored in the Apex, it simply needs to know that the Apex will respond with the same response it expects to receive. Once it does so, the lock can roll the challenge so risk of replay attack is extremely limited.


Thank you for your input.