Secure storage and hardware token with NFC Reader?

I could not really find what I was looking for online, but here’s my concept and I hope someone can point me in the right direction:
There exist a multitude of multi-function USB-Security-Devices, some do pretty much everything, from securely storing data to OTP and FIDO, like the Nitrokey series. Now I’m really looking at how cool those sticks are, but I have two concerns. Firstly I really really don’t wanna lose that one in any way, I’d have to change my 2fa in a lot of places. Secondly, and more importantly, it would render my cool new (and expensive) Apex Flex totally useless!
So I was thinking what about a more secure system, one that has those all-encompasing security features on a dongle, but has to be decrypted/activated with a code from my NFC-Chip. Thus losing it is no longer as big of a concern as it is only one part of a pair. I really can’t find such a thing anywhere and have absolutely no idea where to begin potentially making this myself, as I haven’t really done anything of the sort yet.
Thank you for reading and I would appreciate a push in the right direction from the more experienced people here.

I probably should’ve included that I do in fact have the Apex Flex. But I’m looking at specifically the features it can’t do, like encrypted data storage (in the GB range), as well as including the password manager, like the Nitrokey can.
I really wanna have one penultimate solution for everything, which only a hybrid system can achieve.

Mass storage requires power… there are ideas of doing a kind of pegleg style implant with a Qi power client but nothing in production

1 Like

Yeah, I realise a lot of the more intensive processes aren’t possible as an unpowered implant, and having a usb-port coming out of your skin isn’t ideal either.
The core idea is to have a singular security system for all purposes, that does not require any memorisation and is also unaffected by hardwareloss. That idea gets hampered by the fact that NFC implants just can’t do everything and what they can do is often met with minimal or sub-optimal support.
While the solution for that idea is leveraging the physical security of an implant (can’t be stolen or lost) with the full bredth of security applications that a full USB-device has access to, by making a system that requires both.

I admit that I have no idea how to actually do this in practice, but I think that this is a good idea for full security.

Looks like Veracrypt can be setup to unlock with a Yubikey keyfile, might want to play around with that and the Apex Flex. Get a USB stick, encrypted volume on it. Load password manager inside there.

Or just a crazy long password and store that on the Apex Flex.

3 Likes

Is that different from the likes of KeePass?

I have Keepass across multiple devices and an HMAC SHA1 key on my APEX Flex for access.

It works just like an NFC Yubikey

2 Likes

Also, if you weren’t aware, you can also set a password on the Authenticator


Tap the padlock.

2 Likes

Thanks for pointing that software out, it’s incredibly cool. I really like the decoy volumes thing it can do, you could hide an entire OS in the hidden volume and no one would be the wiser. Sadly it seems to not be able to handle hardware tokens during boot, but that’s a whole nother beast entirely.

Well, the only tangible difference it that the software would be hosted on the firmware of the USB-key, which does make it like maybe 2% more secure in comparison to a local keepass instance with the database file on the stick, as the host system wouldn’t really have access to the database file itself. So yeah, a microscopic extra bit of security that then only matters if you do not trust the host computer.

To get the functionality, having the host system handle all the decryption, key retrievals, etc. works just fine, but I’m not exactly super happy with trusting the host system in every scenario. It also requires the host system to have all the software for decryption, which makes it about as non-portable as it goes. Encrypting with LUKS would mean just about any linux device can decryptit, given the key, but that again excludes your standard windows or macOS device. There might be no perfect solution without some custom-made hardware.
Thanks a lot for the pointers so far.

2 Likes

In theory, if you have an RFID implant, then the device is capable of sending data to a phone, so it would be possible to have an app that uses data send from the implanted chip as seed data for a TOTP generator.

How this would work is you would run the app in exactly the same way that google authenticator works, but unlike google authenticator, the seed would be obtained from the implanted device. The purpose of this would be to have an authentication app that generates TOTP codes for the user, but woudl only work when held by the user.

This type of solution could be used as an alternative to any authentication server that support uploaded seed files (it would replace hardware tokens rather than authentication apps).

Actually the VivoKey Apex runs OTP app entirely on chip. This way the seed is never exposed or exported, maximizing security. The app interface passes the current time and relevant passcode if set, and the applet generates and returns the codes for display.

5 Likes