Adding RFID isn’t the same thing as the two-factor principle, but it can improve a dongle.

Two factor authentication is encapsulated in the descriptor “something you have and something you know.”

Leading auto makers now improve the security feature of the car-key, by including an RFID chip in the handle. (An RFID signal is a passive device, and does not require a battery.)

This might improve a dongle as much as it improves a car-key.

Selected software providers and hardware manufacturers already write software and build computing devices that will not boot without a dongle. As such, the RFID tag could be the “something you have” part, complementing the password as the traditional “something you know” part of the two-factor protocol.

In the same way that people hot-wire cars, an attacker can cripple software that checks for the dongle/key. But it represents an additional barrier to entry for attackers of your system.

Initially, I supposed that this introduced two-factor certitude to the authentication. However, after contemplation, I was relieved that I had not published prematurely.

The function of a dongle is different from encryption. Encrypted thumb drives that require a password are already “something you have.” Adding an RFID tag supplements this, in an abstract sense, in the same way that it makes a key with a particular groove unique even from keys that duplicate it, but it is still only one factor of the two-factor protocol; something you HAVE.

If the thumb drive stored a digital key, it might lead to false confidence that the digital key was more secure, when in fact it was no less subject to duplication. However, the maintainable nature of a password key can make the identity of the RFID chip, maintainably unique in combination. 

Incorporating the RFID tag into the decryption key, is conceptually analogous to including the serial number of the device in a similar way. Even stealing a serial number, and stealing an RFID signal identifier are similar.

However, one must suppose the mechanism by which it improves a car-key remains a practical improvement.

For example, it might make the theft of a stolen device more egregious to a criminal prosecutor. The idea of accidentally using a stolen thumb drive to try a password or two out of mischief, cannot be suggested as a defense for duplicating a software encryption key, and either duplicating an RFID tag, or employing some car theft device to broadcast an equivalent signal.

It is possible to devise a proprietary scheme whereby the RFID tag influences the generation of one’s password deterministically, such that only particular passwords are valid. However, the security of such a scheme should be evaluated in light of Kerckhoff’s Principle.

It’s an innovative improvement, without representing a theoretical advance. Clever implementations make the most of such improvements.


About James Johnson

I am an amateur mathematician & political theorist who enjoys (occasionally cerebral) humor.
This entry was posted in Uncategorized and tagged , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s