The EasyCard (悠遊卡) RFID ticket is a stored value ticket for multiple uses and is the latest addition to my collection of Mifare cards. Like the MTR and MRT tickets the green LED on my RFID reader happily flashed.
The latest upgrade to my DIY gadget that keep passwords and log in to Windows with a swipe of an RFID card is the support of Google authenticator.
In brief, the gadget is an Atmel based micro-controller connected to an RFID card reader, packaged in the form-factor of a name card holder. With a USB connection to any Windows based PC, all I need to do to log in is to wave my card.
Although supporting static passwords only, this gadget served me well along the years. In recent years I found myself relied more on dynamic authentication like one time passwords provided by Yubikey and Google Authenticator.
These are proven technologies for multi-factor authentication, and I trusted this with many of my Amazon AWS based linux hosts.
Even though the Google authenticator is already very user friendly via its Android app, to use it I have to pull the phone out of pocket and start the app, read the six digit code and then type it in as quickly as possible.
To make life easier, I recently upgraded this RFID gadget to support one time password for Google authenticator. The upgrade in term of programming is easy as the algorithm is open (RFC-6238) and there are handful of libraries available. The obvious hurdle for implementing TOTP on this gadget is the lack of a real time clock (RTC) for the micro-controller to compute the required authentication code. Although most RTC modules are compact these days, fitting one more PCB board to this already cramped gadget is not easy.
So for now I will settle with an alternative – since the micro-controller supported serial communication, providing the time source by the PC host itself can easily be achieved with a simple Powershell script below:
$utctime=[int][double]::Parse($(Get-Date -date (Get-Date).ToUniversalTime()-uformat %s)) $port= new-Object System.IO.Ports.SerialPort COM7,9600,None,8,1 $port.open() $port.WriteLine($utctime) $port.Close()
Just run this script to feed the timestamp, and then swipe the RFID card as usual at the SSH prompt asking for Google authenticator verification code. Happy with this upgrade.
Since the last discovery of a new breed of MTR RFID ticket that is Mifare, another one is found. This time it is the Singapore MRT ticket.
Just out of curiosity, a scan of the new MTR City Saver ticket revealed it is MIFARE just like the new generation single journey ticket that replaced its magnetic predecessor. Not surprising as the resemblance of the two look very much alike, including the bar code at the back. The colored gate arrangement is possibly a cost control measure as MTR is supporting both FeliCa and MIFARE contact-less tickets.
Yibico provided library for accessing the Yubikey API on linux platform, but unfortunately there is an issue with the signed char (OMAP is ARM) that will give an error message of “Server response signature was invalid (BAD_SERVER_SIGNATURE)”. A rebuild of the package from source is needed for this package to work, in this case, Ubuntu Precise Pangolin on Beagleboard XM.
A USB extension cord comes handy to connect the Yukikey. By the way, it looks like my RFID model is discontinued and being replaced by the NFC version at Yukikey.
This little password keeper unlocks Windows by an RFID card. It is small form factor with the size of a name card holder. In fact the case is from a plastic card holder and a small opening is cut at the side to make way for the USB connection to the Teensy.
A Teensy 2.0 with a 13.56 MHz RFID card reader from StrongLink are wired together in I2C. The coding is done in the Teensy IDE, and took the advantage of the Teensy emulating as a USB keyboard to emit password on sensing the right RFID card.
I usually keep Windows passwords at work and bring this little guy to office. It is really convenient at workplace where practice is in place to lock Windows before leaving desk. Most of the time it worked like a charm unlocking Windows, but there are occasionally hiccups I decided to fix.
1) Some workstations required CTRL-ALT-DEL before typing in password – prior to the fix I usually did a manual CTRL-ALT-DEL but that’s pretty much defeat the purpose of having this password keeper. No problem the Teensy provided facility in its keyboard API to do so. However, sometimes the PC is too busy at the background while the screen is locked, maybe scanning virus during the lunch hour. Simply emitting CTRL-ALT-DEL and the password upon the RFID card is swiped may not get me pass the login screen. Usually in these cases the CTRL-ALT-DEL did get through, and after 4 to 5 seconds the password input screen opened as if nothing happened. The password emitted is lost. Even adding a short delay does not guarantee it works all the time.
A solution is devised by making use of a signal pin provided by the SL018 independent of the I2C wires. This signal line simply ON/OFF when a card is in range. What I can do now is code the sensing loop such that it can tell when the card is still on the reader. With this hint from the user, the password keeper can emit the CTRL-ALT-DEL sequence, and not until the card is removed from the reader, the password will not be emitted. Obviously the user controls when to remove the card from the reader by observing the appearance of the password prompting screen.
2) Second problem is the reverse of the first one, CTRL-ALT-DEL is not required yet the same password can be used. Or for some password typing other than the Windows login screen. I could have separate card for the same password, one with CTRL-ALT-DEL and one without. But that is not good enough. Again, the solution is to look for behavioral hints at the sensing loop to detect a brief contact instead of a long one. No CTRL-ALT-DEL sequence is sent before the password if the contact is within one second.
In summary, the modified sensing loop works like
The last enhancement made is to sense a special sequence of card contact, similar to Morse code, to emit password of higher sensitivity. Theoretically this add another factor of security as something you know, in addition to something you have. Well at least in theory it does.
Video below showing the modified sensing loop that support user controlled CTRL-ALT-DEL and password release timing in action. Notice the green LED is on when the card is in range, and the timing of password release exactly at the moment the card leaving the sensing region.