Why NFC Keyboard emulators / readers are a bad idea

For a while I was using an NFC keyboard reader to automatically type my password into Linux, until one event really changed my perspective on this.

Obviously, from a security perspective, storing your password in plain text on an NFC tag is suicide, but let’s assume for a second that only your computer has the key to read the NDEF record on your NFC Ring, so even if someone else was able to read the NFC Ring they wouldn’t be able to figure out your password.

It doesn’t seem like such a bad idea now to emulate a keyboard and type in your password? Wrong. You see, what happens is that your computer can read that data at any point, and the emulated keyboard sends it to whatever window has focus. So let’s say you are on IRC chatting away to your buddies and by accident you scan your NFC Ring. Boom, your password is pasted into the chat window. This is what happened to me, and it sucked. To be fair, to recover I only had to type passwd and provide my old and new password, but still, it could have been way more painful.

Obviously a workaround is to only enable keyboard emulation on the login screen, but it’s still an inferior and inadequate solution for logging into your desktop.

Basically, keyboard emulation for auth sucks. Don’t do it, or if you do, be fully aware of the pitfalls!

2 thoughts on “Why NFC Keyboard emulators / readers are a bad idea”

  1. It’s a shame there is a lack of support for the ways of NFC on desktops, even Linux last time I checked. I’ve seen supposed ways of using NFC readers as smart card authenticators on Windows, but it’s hard to find supported readers, I believe.

  2. For the case of smartphones I think it will still serve a purpose for long encryption keys.

    Swipe NFC for your FDE smartphone and type a memory “salt” at the end 🙂

    It makes slow typing better. But you still have to store the NFC safely and have a decent length salt at the end.
