The following was not developed for WebAuthn but may be usable anyway. Similar systems using QR codes or phone numbers instead of NFC are in fairly wide use in Europe, including millions of frequent users in Sweden alone. Payments is another major application, particularly in China.
Using Web NFC adds several qualities over the existing schemes:
- No need to explicitly start an "App"
- Anti-phishing support
- Potentially providing automatic Bluetooth pairing
Assumption: The Service, PC, and Phone are free from malware interfering with the devised scheme.
The security of this scheme is based on multiple factors:
- Public key cryptography exposes no static secrets to attackers
- One-time challenges limit attacks to the specific session
- Session cookies, only known by the Service and the user's PC (Browser), render intercepted NFC or authentication objects useless outside of the user's PC
- Intercepting and rewriting RF data on the fly appears to be quite difficult
- The Web Security context provided by the NFC solution in conjunction with signing thwarts basic "phishing" attacks
- The user must perform an action in order to authorize a login
Although not evident from reading this issue, the idea is also to use a slightly modified scheme to enable local NFC-based payments using high-level Web-based protocols rather than card emulation, while still using the same "App". In such uses, Bluetooth pairing would be a nice feature since Wi-Fi or a mobile network may not always be available.
For high-level payment schemes, WebSocket may be a better solution for steps 10 and 11.
"Web NFC" in this description is a special-purpose, write-only scheme.
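Three of the factors listed above (one-time challenge, session-cookie binding, signed origin) can be expressed as service-side checks. This is an added example, not part of the original issue or the referenced document; the message layout, the choice of Ed25519, all function names and the `service.example` origin are assumptions.

```javascript
// Added illustration; message layout and all names are assumptions,
// not the wire format of the scheme described in the issue.
const nodeCrypto = require('crypto');

const SERVICE_ORIGIN = 'https://service.example'; // constructed value
const pending = new Map(); // challenge -> session cookie that requested it

// Service: issue a one-time challenge tied to the browser's session cookie.
function newChallenge(sessionCookie) {
  const challenge = nodeCrypto.randomBytes(32).toString('hex');
  pending.set(challenge, sessionCookie);
  return challenge;
}

// Phone: sign the challenge together with the origin reported by the web context.
function phoneSign(privateKey, origin, challenge) {
  const data = Buffer.from(JSON.stringify([origin, challenge]));
  return { origin, challenge, signature: nodeCrypto.sign(null, data, privateKey) };
}

// Service: accept the authentication object only if every check passes.
function verifyLogin(sessionCookie, auth, publicKey) {
  const owner = pending.get(auth.challenge);
  if (owner === undefined) return 'unknown-or-used-challenge';
  pending.delete(auth.challenge); // single use, whatever the outcome
  if (owner !== sessionCookie) return 'wrong-session';
  if (auth.origin !== SERVICE_ORIGIN) return 'wrong-origin';
  const data = Buffer.from(JSON.stringify([auth.origin, auth.challenge]));
  return nodeCrypto.verify(null, data, publicKey, auth.signature) ? 'ok' : 'bad-signature';
}

// Constructed demo: one enrolled phone key, the user's session, a foreign session.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const results = {};
  const auth1 = phoneSign(privateKey, SERVICE_ORIGIN, newChallenge('cookie-user'));
  results.legit = verifyLogin('cookie-user', auth1, publicKey);
  results.replay = verifyLogin('cookie-user', auth1, publicKey);
  const auth2 = phoneSign(privateKey, SERVICE_ORIGIN, newChallenge('cookie-user'));
  results.otherSession = verifyLogin('cookie-other', auth2, publicKey);
  const auth3 = phoneSign(privateKey, 'https://lookalike.example', newChallenge('cookie-user'));
  results.otherOrigin = verifyLogin('cookie-user', auth3, publicKey);
  return results;
}
```

Each rejected case in `demo()` maps to one listed factor: the replay fails on the one-time challenge, the foreign cookie fails on session binding, and the lookalike origin fails on the signed web context.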
Apparently this use case is already dead, since the PC vendors do not intend to include NFC support because there is [currently] no use case for NFC, which BTW was one of the motives behind this design.
Defensive Publication
The original (and possibly updated) document is available at: https://cyberphone.github.io/doc/research/nfc-based-qr-replacement.pdf