Originally, our idea was to be able to log in to public UMass computers using our UCards to bypass entering credentials each time. However, we soon learned that although the RFID tags in UCards have the same frequency as generic RFID cards, UCard RFID tags can only be read using the manufacturer's reader. This limitation brought us back to the drawing board, and using the generic RFID card and RFID reader that we had, we came up with the idea to use data stored on an RFID tag as a second authentication factor for logging into websites that are data-sensitive (i.e. employee logins).
What it does
The main purpose of DualAuth RFID is to add an extra layer of security in addition to just a regular password, using data read from an RFID tag as another login credential.
How we built it
We used an Adafruit PN532 RFID/NFC shield for Arduino Uno to read in 16 bytes (one block) of data from a 13.56 MHz RFID card. To read in the data, a button is pressed on the Adafruit shield, which triggers the RFID reader to scan (for 3 seconds) for data from the RFID tag. If data is found, our Python driver strips and retrieves the first 8 bytes (out of 16), represented as an 8-digit Unique Identifier (UID) returned from the Arduino program through the reader. The driver passes this data to a Java program, which (in our implementation) enters the retrieved UID into the UID field of our website login (presented to the user after they have entered the correct username and password), at which point it is compared to the UID on file for the specific user. If the UID retrieved from the RFID card is a match, the user is automatically logged in. We used a Raspberry Pi 3 to simulate the host machine running the website, which was made using a combination of HTML5, CSS3, MeteorJS, Bootstrap, Sass, and jQuery, and hosted on Galaxy.
Challenges we ran into
Our first major challenge was discovering that the RFID readers provided were unable to process UCard data, which rendered our initial idea useless. Additionally, we initially had issues in trying to pass the data from Arduino-->Raspberry Pi-->Python-->Java-->Web server, which took some time to smooth out. The Arduino Uno also lacks Keyboard.write() capabilities, which is why it was necessary for us to fill in the UID using Java instead, which took some tinkering.
Accomplishments that we're proud of
We were able to successfully implement our project in a working scenario using a live website from the Raspberry Pi. We also designed and 3D-printed our own case to hold the Arduino/RFID Shield, leaving our final result aesthetically pleasing as well as functional.
What we learned
Each of us learned something previously unknown going into Hack UMass, whether it be writing Python scripts for the first time or learning how to design a 3D-printed model. None of us had any experience using RFID readers prior to this, which was interesting to learn along the way.
What's next for DualAuth RFID
Our main goal, which we sadly ran out of time to implement, is to increase the security of our project. Ideally, we would like to eventually hash/encrypt the UID values read from the RFID tags in order to make the transfer and storage of the sensitive data more secure. Security aspects in general and fine-tuning the mechanics of our RFID reading method would be the next steps taken.
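The hashing step described above could look like the following sketch. It is an added example, not the DualAuth RFID code: the function names, the record layout and the PBKDF2 parameters are assumptions. Because an 8-byte UID is a small search space, it uses a per-user random salt with a slow key-derivation function rather than a bare hash, and compares digests in constant time.

```python
import hashlib
import hmac
import os

UID_LEN = 8            # the write-up keeps the first 8 of the 16 bytes in a block
ITERATIONS = 200_000   # assumed PBKDF2 work factor; tune for the host machine


def uid_from_block(block: bytes) -> bytes:
    """Return the first 8 bytes of one 16-byte block read from the card."""
    if len(block) != 16:
        raise ValueError("expected one 16-byte block")
    return block[:UID_LEN]


def _derive(uid: bytes, salt: bytes) -> bytes:
    # Salted, deliberately slow derivation, so a leaked table of records
    # cannot be reversed with one precomputed list of candidate UIDs.
    return hashlib.pbkdf2_hmac("sha256", uid, salt, ITERATIONS)


def enroll(uid: bytes) -> dict:
    """Build the record stored on file for a user; the raw UID is not kept."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": _derive(uid, salt)}


def verify(record: dict, presented_uid: bytes) -> bool:
    """Second-factor check, run only after username and password succeeded."""
    candidate = _derive(presented_uid, record["salt"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    # Constructed sample block; not data from a real card.
    block = bytes.fromhex("04a1b2c3d4e5f60700000000000000ff")
    record = enroll(uid_from_block(block))
    print("match:", verify(record, uid_from_block(block)))
    print("wrong card:", verify(record, bytes(8)))
```

Hashing protects the stored value only; the UID still crosses the Arduino, Python, Java and web-server hops in the clear unless those links are protected as well.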