RFIDs are rarely certified as possession factors; you need an EMV card for that. TPM chips may protect readers. Depends on reader/card ratio, if it's feasible.
Clones/double use/double spend must be caught on the reader/server anyway. One can pass a card to another person, and you do not want two people to enter the building with the same card.
I implemented double spend protection by introducing a simple operation counter. If the sequence of operation IDs is not continuous, the card is blocked. Clones were added to the block list within minutes. It was good enough for the use case. Again, MIFARE is very cheap, so tradeoffs are expected.
MIFARE cards are not RFID cards, and similar systems can absolutely be used as possession factors.
There are also many other authentication-capable cards other than EMV (which is optimized for payments, not really general-purpose authentication) such as various building access cards, national ID cards, ICAO biometric passports, etc.
> I implemented double spend protection by introducing a simple operation counter. If the sequence of operation IDs is not continuous, the card is blocked. Clones were added to the block list within minutes. It was good enough for the use case.
Using that scheme, you could just as well use regular old barcodes, no? Makes for much cheaper readers and even wider compatibility.
> Again, MIFARE is very cheap, so tradeoffs are expected.
There are equally cheap but secure options that actually prevent cloning or even implement the "electronic purse" use case in a fully offline way.
Usually, MIFARE Classic is only used because there's a huge installed base of readers and/or cards (and/or attached backend software).
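A sketch of the operation-counter check described in the first comment, added here as an illustration and not the commenter's implementation. It assumes each reader increments a counter stored on the card and reports `(uid, op_id)` to a server that sees the reports in order; `CounterLedger`, `replay` and the sample UIDs are hypothetical names and constructed data.

```python
from dataclasses import dataclass, field


@dataclass
class CounterLedger:
    """Server-side record of the last accepted operation ID per card."""
    last_op: dict = field(default_factory=dict)  # card UID -> last accepted op ID
    blocked: set = field(default_factory=set)    # block list distributed to readers

    def enroll(self, uid: str, start: int = 0) -> None:
        self.last_op[uid] = start

    def submit(self, uid: str, op_id: int) -> str:
        """Classify one reported operation as 'ok', 'blocked' or 'unknown'."""
        if uid not in self.last_op:
            return "unknown"
        if uid in self.blocked:
            return "blocked"
        if op_id != self.last_op[uid] + 1:
            # A repeat or a gap means the sequence is not continuous. The server
            # cannot tell which physical card is the copy, so the UID is blocked
            # and the legitimate holder needs a reissued card.
            self.blocked.add(uid)
            return "blocked"
        self.last_op[uid] = op_id
        return "ok"


# Constructed sample: card 04A1B2C3 is copied while its counter is at 2.
EVENTS = [
    ("04A1B2C3", 1), ("04A1B2C3", 2),
    ("04D4E5F6", 1),
    ("04A1B2C3", 3),  # original card used after the copy was taken
    ("04A1B2C3", 3),  # copy presents the same next ID: sequence breaks
    ("04D4E5F6", 2),  # unrelated card is unaffected
    ("04A1B2C3", 4),  # every later use of the UID is refused
]


def replay(events):
    """Run constructed events through a fresh ledger; return verdicts and block list."""
    ledger = CounterLedger()
    for uid in sorted({u for u, _ in events}):
        ledger.enroll(uid)
    return [ledger.submit(u, n) for u, n in events], ledger.blocked


if __name__ == "__main__":
    verdicts, blocked = replay(EVENTS)
    for (uid, op_id), verdict in zip(EVENTS, verdicts):
        print(uid, op_id, verdict)
    print("block list:", sorted(blocked))
```

Detection happens at the second presentation of an already used ID, so one of the two cards is accepted once before the UID reaches the block list.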