This is correct actually… the Spark has AES keys which are symmetric. That means the keys on the chip are put there by us during manufacturing, and we keep a copy of those keys on our HSM. To use the cryptographic features of the chip, we issue a challenge to the chip from our server to your phone and over NFC to the chip. The chip encrypts a nonce and the challenge with the key we select (there are 3 keys on each Spark). That response is sent back to us for verification. The WordPress plugin works with the OpenID Connect protocol and our IdP API… like this:
- you clicking “log in with VivoKey”
- you are directed to the VivoKey API
- we send a push notification to your phone
- you scan your chip
- we validate the chip scan
- your browser is redirected back to WordPress with an authorization code
- WordPress uses the authorization code to get an access and identity token from our API
- you are logged in.
As you can see, there is a large amount of integration with our backend servers to both validate the cryptographic challenge and also handle communications between services and chip scanning on the phone.
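The symmetric challenge-response described in the post, modelled as an added example. This is not VivoKey's code and says nothing about the Spark's actual wire format; it assumes AES-128 keys, a 16-byte challenge and a 16-byte chip-chosen nonce, AES-CBC with a zero IV over nonce || challenge, and a server-side key store keyed by a constructed chip UID (the `Chip`, `KeyStore` and `Response` types are hypothetical). The point it shows is why the backend must be in the loop: only the holder of the key copy can recompute the expected ciphertext, and a response is only accepted against the exact challenge it was issued for.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

const blockSize = aes.BlockSize // 16 bytes

// Chip models the implant: a UID and three AES-128 keys written at manufacture.
// Hypothetical layout; the three-slot count follows the post.
type Chip struct {
	UID  string
	Keys [3][]byte
}

// KeyStore models the HSM-side copy of every chip's keys, indexed by UID.
type KeyStore map[string][3][]byte

// Response is what the phone relays back to the server after the NFC scan.
type Response struct {
	Nonce      []byte // chosen by the chip, sent in clear
	Ciphertext []byte // AES-CBC(key[slot], nonce || challenge), zero IV
}

// encryptCBC encrypts the two blocks nonce || challenge under key. A fixed zero
// IV is acceptable here only because the first block (the nonce) is random.
func encryptCBC(key, nonce, challenge []byte) ([]byte, error) {
	if len(nonce) != blockSize || len(challenge) != blockSize {
		return nil, errors.New("nonce and challenge must each be one AES block")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	plaintext := append(append([]byte{}, nonce...), challenge...)
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, make([]byte, blockSize)).CryptBlocks(out, plaintext)
	return out, nil
}

// NewChallenge is the server step: 16 fresh random bytes, issued once per login.
func NewChallenge() ([]byte, error) {
	c := make([]byte, blockSize)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Respond is the chip step: pick a nonce and encrypt under the selected key slot.
func (c *Chip) Respond(slot int, challenge []byte) (Response, error) {
	if slot < 0 || slot >= len(c.Keys) {
		return Response{}, errors.New("invalid key slot")
	}
	nonce := make([]byte, blockSize)
	if _, err := rand.Read(nonce); err != nil {
		return Response{}, err
	}
	ct, err := encryptCBC(c.Keys[slot], nonce, challenge)
	if err != nil {
		return Response{}, err
	}
	return Response{Nonce: nonce, Ciphertext: ct}, nil
}

// Verify is the server step: recompute the expected ciphertext from the stored
// key copy and compare in constant time. A wrong key, wrong slot, unknown UID,
// or a response replayed against a different challenge all fail.
func (ks KeyStore) Verify(uid string, slot int, challenge []byte, r Response) bool {
	keys, ok := ks[uid]
	if !ok || slot < 0 || slot >= len(keys) {
		return false
	}
	expected, err := encryptCBC(keys[slot], r.Nonce, challenge)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(expected, r.Ciphertext) == 1
}

// Provision creates a chip and registers its keys with the store, as at manufacture.
func Provision(ks KeyStore, uid string) (*Chip, error) {
	chip := &Chip{UID: uid}
	for i := range chip.Keys {
		k := make([]byte, 16)
		if _, err := rand.Read(k); err != nil {
			return nil, err
		}
		chip.Keys[i] = k
	}
	ks[uid] = chip.Keys
	return chip, nil
}

func main() {
	store := KeyStore{}
	chip, _ := Provision(store, "spark-demo-0001") // constructed UID
	challenge, _ := NewChallenge()
	resp, _ := chip.Respond(1, challenge)
	fmt.Println("genuine chip verifies:", store.Verify(chip.UID, 1, challenge, resp))
	other, _ := NewChallenge()
	fmt.Println("replayed against a new challenge:", store.Verify(chip.UID, 1, other, resp))
}
```

In the real flow the `Respond` step happens on the implant over NFC and `Verify` on the IdP backend; the phone and browser only ferry bytes. The authorization code and tokens in the OpenID Connect steps are issued only after `Verify` returns true.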