So the main issue we have with desktop clients at the moment is the push notifications, i.e. Firebase for Android, which doesn’t have an official client or anything. I think you’d mentioned something about polling? I think the big question is, how important would a desktop application for VivoKey chip scan validations really be? Are there common scenarios where you wouldn’t have your phone handy for such situations?
I could see it being used in headless Linux projects. Given the huge DIY electronics overlap, many people have needs/wants that could be solved with microcomputers.
Yeah, I was thinking the same thing, it would be great to have an API so say my door lock can actually validate my identity over the internet if I wanted to implement that.
As for desktop client, I am thinking about if I use VivoKey as my login mechanism for my personal “cloud” services I would require login every time, having a desk reader is much more convenient for those use cases. Also if the phone breaks I am without access despite having 3 devices capable of reading it.
If I was building the app I would use the scan to trigger the check for a verification. So website says login. I scan hand on my ARC and the client goes cool, let’s see if VivoKey servers need this.
So my motivations would be:
- Backup (In case of destruction, or in my case forgetfulness)
- Convenient (No need to pull phone out of pocket at work/home, unlock it, click notification then scan. Just scan)
- Cool possibilities if I could validate a scan from my own application that I have not even thought of yet
I like the idea of building a reader that has no intelligence (it scans my Apex, sends the request off and gets an ID back). It would be awesome to be able to do this with something like an ESP8266 (Arduino with WiFi).
I love these things…
Exactly. Given that almost all smart devices and hardware can or are running Linux, it definitely opens the door, if you will.
If it was a web API that we could interact with, could be any platform with a way to talk to the internet.
Ohh I also have a Linux phone on order…
Yeah, but I think there’s a benefit to unconnected use. I don’t know if it’s possible, but setting up different temporary crypto codes locally could help with that. Again, no idea if that is possible.
The offline use case would require the device to have the key to verify the scan. Currently VivoKey has all the keys, I think (although I think @amal mentioned that there is an unused key that might be able to be given to the implant owner someday). It would be cool, but for now we are limited to connected devices (not particularly limiting in this day and age).
Thought so. I wasn’t sure if more keys could be generated later.
The NTAG413 (Spark2) has 3 AES 128-bit application keys and you need key 0 to change afaik. I assume the Apex will open up offline use however depending on your app choice.
And then you sleep on the porch when the internet goes down.
IoT man… Why people want to make stuff like that happen, I’ll never know… But whatever floats your boat.
Key word “IF”. I have adopted the term “LOT” for my home as almost everything except the TV and Alexa is running on my LAN. So LAN of things.
Or if you are even a semi decent engineer have an ounce of common sense you have a fail safe. As this concept seems to have eluded you in the case of a lock, I would have a set of keys in my bag. Now to get in 99.9% of the time I can use my implant and if something fails I can get my key. Joking aside, despite my lock not relying on the internet I have a backup in case something goes wrong, it’s not as convenient as my main access method but it works. In fact having a redundant system (be it internet enabled or not) is likely better than just an old-fashioned lock. You have been looking at electronic door locks recently; what happens if there is a fault (the internet is not the only thing in existence that can fail)? No different from the internet going out with a spark based door lock…
So I can do things like let my house sitter in after I have left when we do not have time to do a key exchange as an example.
Why yes, I do have a pretty good failsafe: don’t put the authentication part of your smartlock half the world away from your smartlock. Then you don’t need a failsafe because the failure mode just doesn’t exist.
That’s the concept that seems to elude you: what advantage can you possibly have letting a third party across the internet handle authentication - and more importantly, let them open the lock to your house remotely - other than not having to set things up yourself? I mean, I don’t know, when you start your car in the morning, do you fish the key out of your pocket and do it yourself or do you call someone on the phone to do it for you?
IoT is plain stupid, Rube Goldbergish, and a terrible security risk. I’m amazed what people are willing to accept out of sheer laziness or technical incompetence. Since I know you don’t fit the latter profile, I must assume you fit the former
You can do that with your own server - if you really insist on having the internet in the loop - or simply by presetting OTPs in your lock and giving them away one at a time when you need to let someone in. Or, in the case of your nanny - whom I suppose is a trusted person - give them a permanent access, with time restrictions. That’s something many non-IoT locks do already. I don’t see a problem with that.
Please, tell me exactly at what point a company controlling your lock remotely is needed for this application. Or indeed, for any smart device functionality - again provided you’re willing to spend the time setting things up in your own house yourself if you care about your own security and dependability even a little bit.
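The preset one-time codes and time-restricted permanent access suggested in the post above can be checked entirely on the lock. This is an added sketch, not part of the thread and not any vendor's firmware; the struct layout, function names, 8-digit code length and sample codes are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CODE_LEN  8
#define MAX_FAILS 5

/* One preset credential: code, validity window, remaining uses. */
struct grant {
    char     code[CODE_LEN + 1];
    uint32_t not_before, not_after;  /* epoch seconds, inclusive */
    int      uses_left;              /* 1 = one-time, -1 = unlimited in window */
};

/* Constructed sample table: a one-time guest code and a windowed code. */
struct grant demo_grants[] = {
    { "48213907", 0,    2000, 1  },
    { "77310264", 1000, 2000, -1 },
};

static int fails;  /* consecutive failures; cleared on success or by owner */
void owner_reset(void) { fails = 0; }

/* Compare every byte so timing does not leak how much of a code matched. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Returns 1 to unlock, 0 to refuse. Decision is made entirely on the lock. */
int try_unlock(struct grant *g, size_t count, const char *entered, uint32_t now) {
    int hit = -1;
    if (fails >= MAX_FAILS) return 0;              /* brute-force lockout */
    if (strlen(entered) == CODE_LEN) {
        for (size_t i = 0; i < count; i++) {
            int ok = ct_equal(g[i].code, entered, CODE_LEN)
                   && g[i].uses_left != 0
                   && now >= g[i].not_before && now <= g[i].not_after;
            if (ok && hit < 0) hit = (int)i;
        }
    }
    if (hit < 0) { fails++; return 0; }
    if (g[hit].uses_left > 0) g[hit].uses_left--;  /* burn a one-time code */
    fails = 0;
    return 1;
}

int main(void) { return try_unlock(demo_grants, 2, "48213907", 1500) ? 0 : 1; }
```

On real hardware `uses_left` and the failure counter would need to live in non-volatile storage, so that a power cycle neither revives a spent code nor clears the lockout.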
That is simply untrue. You are completely disregarding all the other ways a system can fail. The internet is not particularly special. The power source can fail. A capacitor can blow, water could get in, the list is endless.
That some people are not in the same boat as you and me and cannot run their own system… and if they want those benefits they outsource them, hopefully to a trustworthy entity. A key example, your work hires a security company to patrol your workplace for you… we trust 3rd parties for all sorts of things, it is how society functions.
Aww thanks. I think you missed the bit where I mentioned that I run all my “IoT” things on my LAN. My servers are in my house, in fact they all run on an isolated VLAN that cannot reach the internet. The exception to this is my Alexa stuff that again lives on an isolated VLAN and only has access to the internet and it then talks to my servers to control things through a custom skill and if it fails I can still have control over everything from my phone, tablet or laptop.
In my case I have no keypad. It was a once off and I did as I explained above connect to my home automation control plane (hosted at home) to do so.
I guess that is where our viewpoints differ (I am admittedly biased, I work on Alexa). I run my own stuff because I can and I enjoy it. I don’t fix my car because I do not have that skill set.
This is where IoT devices come in. For people who want smart functionality without the ability to set it up securely. I will give it to you, IoT has massive flaws in many implementations but the idea of handing some functionality to a trusted third party is not inherently bad… and is used all throughout society. I presume you use email? Do you run your own email server? I used to for various reasons.
I guess my overall point is that IoT is simply an everyday device that can leverage or be leveraged by an external service, that concept is fine. As with anything you must use secure products and be careful who you trust. But I do not think that someone should not have the benefits of being able to turn their air-con off if they forgot to disable the schedule when they go on vacation just because they are not technically capable.
One final note, having a central trusted authentication source is critical for some systems. Certificate Authorities for example. Networks of trust are a key part of information security. Not a fundamental flaw.
Yes, I disregard them on purpose: if you choose to run smart devices, you accept the premise that electrical bits can fail. But the internet is an extra that just shouldn’t be a primary failure mode.
I didn’t mean roll-your-own. There are ready-made standalone smart systems that you yourself control and no-one else. Those are not IoT systems, and they don’t need the internet (they can use it but they don’t need it to function properly).
What I meant by lazy people is people who can’t be bothered to do their research properly, select a self-contained system that does what they want, then spend a week-end installing it all nice and clean. People who do that end up with a safe system that doesn’t turn into a brick when SuperDuper IoT Inc. (or gee Amazon, or Google) go tits up, decides to stop support, or becomes unreachable because the water company cut the internet trunk up the road with their digger. Not to mention, they’re not open to abuse by the aforementioned companies.
Sadly, most people’s approach to IoT is going to Home Depot, going oh-shiny, impulse-purchasing, driving back home, plugging in, and hoping it’ll work within their goldfish-like attention span. For that to happen, you need remote companies to do the brunt of the work for them. That’s the only reason IoT is done the way it is: people’s short attention span and laziness. It’s maddening.
Hmm yes, I probably missed that. My bad, sorry
Well, keypads aren’t mandatory. BT is a widely used option - i.e. people you want to let in whip out their phones to get in. Only, again, most devices that offer that option ship the request to the IoT company at the other end of the internet, that then issues the unlock command, which is incredibly stupid and unnecessarily prone to failure and abuse.
All I’m saying is, cut the middle man and do the authentication and the unlocking locally, be it with a keyboard, a cellphone or whatever else, is all. If that’s what you do, then more power to you.
Not to get into your house.
I think we are essentially on the same page. I run all my own stuff for a reason after all
I can picture cases where it would be good to validate people, say contractors accessing my house validating identity would be useful but admittedly I don’t like people coming in my home when I am not here regardless of my cameras. Basically the way the property management company lets people in for inspecting the fire alarms, they are the “trusted” 3rd party. OTP codes work for that too as you suggested just not as streamlined.
Desktop clients will need some changes to the APIs we use, basically needing an OAuth token for your client to associate it with your account in a secure way. You’d request the token and have to scan your chip on an associated phone to be granted the access token… then you’d use that to work with the chip scan API.
As for the access control issue, yes the Apex will let you make your own autonomous solutions. When VivoKey gets to the point we are making smart locks, we will likely leverage a SIM card secure element that has VivoKey keys on board and use those to securely transit and store VivoKey Spark keys from our server so they can be validated offline with minimal risk. Furthermore that key will likely be key 1 and not the same key used for online validation.
That would work fine for my use cases
Just curious, what is fundamentally different about the phone clients? Like you obviously don’t need the phone app to set up the phone app.