Nitrokey 3 available features via NFC

Since I couldn’t find any comprehensive list of planned features including their dependencies, I am asking here.

Which of the planned features of the Nitrokey 3 rely on the secure element and will therefore not be available via NFC?

In general, it would help to have a list / table of all features and the way they can be accessed for the different versions of the Nitrokey 3. Which ones are only available via USB, which ones via NFC, which ones implement standard interfaces, which ones require an app / nitropy, which are touch activated, etc.

I can only let my imagination play but I think NFC use cases are rather limited as the transmitted power is minimal and thus does not allow long and complex calculations:

Main use would most likely be the possibility to do small challenge and response handshakes (FIDO2/HMAC) where short messages are being exchanged.

It could also be possible that a HOTP token gets yielded on every scan and a counter gets increased.

Don’t think that TOTP is possible as the other party first would need to transmit the current timestamp and I doubt that this would be secure.

Also information like a static string holding a certificate or password would be possible.

Thank you, but I was asking for facts and not your imagination.

Then let's see whether there will be an official document / roadmap on how and which apps will integrate NFC besides FIDO2.

Anything that uses the secure element won't work via NFC, as this has already been stated by Nitrokey.

.

No official word on this? How is anyone supposed to preorder a product when they don’t even know its capabilities once finished?

Most security keys cannot be updated and most have no Open Source hardware. I bought a Nitrokey 3 because of the promising hardware (e.g. the secure element) and their future capabilities.

I repeated some NFC tests:

Right now FIDO2 works via USB-C on PC and iPhone (Lightning adapter), and I can use the key via NFC on PC and iPhone when I keep it really long on the NFC reader in the exact position. It then asks for my PIN and a tap and I can log in.

I’m sorry, but could you please stop posting if you don’t know the answer?
This is not helping.

I don’t need convincing. I would be ordering 5 keys at this moment, if their planned capabilities were documented more openly, but as it is now, I cannot make an informed decision.


At this point I have to assume that not even the creators know, which is alarming.

Hey @2ke,

I would like to respectfully disagree here. The planned functionality for NFC is, as promoted, FIDO2; I do not know of any source which states that any other functionality is available via NFC.

To answer the initial post directly & tl;dr: Only FIDO2 will work with NFC.

Please understand that it is neither useful nor common to state what a certain product is not capable of. So I would kindly ask you to not assume the worst, if you do not get an immediate answer.

In detail, the main issue here is that NFC does not provide enough power to bring up the SE050 secure element, which reduces the possible (secure element) functionalities. Furthermore, to my knowledge there are no (established) standards for things like password or OTP transfer via NFC, which means that this is something we would have to develop and roll out. The latter alone brings up a vast amount of questions and acceptance issues. In the end this is still possible and maybe something we might look into at some point, but there are no plans yet.

best