PIV NFC - YubiKey vs Nitrokey

Hello,

I am currently developing a fork of SimpleX Chat + Crypto Wallet, which I plan to release next month.

In this fork, I added local database encryption using the PIV interface over NFC with a YubiKey. The goal is to let the user protect the local database with a hardware-backed key, without having to plug the key in over USB.

Before choosing PIV, I also considered using FIDO2/passkeys for this purpose. However, as far as I understand, FIDO2/WebAuthn/CTAP2 is mainly designed for authentication and does not expose a generic interface that would let an application derive or unwrap a stable encryption key over NFC, in the same kind of way one might use a hardware token for something like unlocking a LUKS volume.

Because of that, I switched to the PIV interface instead. In practice, this works very well with a YubiKey over NFC for my use case.

I was hoping to implement the same feature with Nitrokey 3, but I just realized that, according to the current Nitrokey 3 documentation, PIV appears to be available over USB only, while NFC support is currently listed for FIDO2/U2F.

For the mobile use case, I would strongly prefer to keep the whole flow NFC-based. Handling USB on Android and iOS sounds like it could become quite painful, both from an implementation and user-experience perspective. Also, from a security perspective, more and more GrapheneOS users disable or restrict the USB port, so relying on USB would make this feature less practical for the kind of users who are likely to care about hardware-backed local encryption.

Do you plan to support or expose the PIV interface over NFC on Nitrokey 3 in the future?

This would be very useful for mobile use cases, especially for applications such as SimpleX Chat where the local database could be unlocked or protected using a hardware key via NFC, without requiring a USB connection.

Thank you in advance.