Image: the fingerprint sensor
Your security matters. TapKey is the first of its kind to bring 3-factor authentication right to your fingertips. TapKey is similar in functionality to a Yubikey, with the added security of biometric (fingerprint) authentication.
What it does
Usually with services like Google, Facebook, and other OAuth2 login services, we have to enter a password. This is particularly problematic because it's a hassle to enter your username and password every single time. With TapKey, we address two objectives - we eliminate the hassle of entering a password and get better security by using a fingerprint sensor.
How we built it
We're using a Raspberry Pi 3, a fingerprint sensor with on-board flash for storing fingerprint scans (over serial), and an LCD for prompting users (over i2c). The device polls a central authentication server (Azure) for commands (in particular, authentication or enrollment), and proceeds to receive and validate input from the user. The results of these commands are pushed back to the authentication server and stored in a PostgreSQL database, which is queried for login operations. A Tornado webservice is used for handling the receiving end of device authentication packets, as well as servicing operations like login and enrollment.
User-sensitive data (fingerprints) never leave the device, and all communication with the central server is over strict SSL. We also protect against packet replay attacks by implementing time-sensitive tokens in all communications based on a shared secret between devices and the authentication server.
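As an added illustration (not code from the TapKey project), the snippet below shows one way the time-sensitive, shared-secret tokens described above can be produced on the device and checked on the server: an HMAC over the message, a timestamp window, and a nonce cache so a captured packet cannot be replayed. The field names, the 30-second window and the secret are assumptions for the example.

```python
import hmac, hashlib, json, os, time

# Constructed secret for the example only; a real deployment would provision a
# distinct secret per device out of band (assumption, not from the project page).
SHARED_SECRET = b"example-shared-secret-not-for-production"
WINDOW_SECONDS = 30      # maximum allowed drift between message and server clocks
_seen_nonces = {}        # nonce -> expiry time, so a token is accepted only once


def sign_message(device_id, command, result, secret=SHARED_SECRET, now=None):
    """Device side: wrap a command result in a time-sensitive, HMAC-authenticated token."""
    body = {
        "device_id": device_id,
        "command": command,      # e.g. "authenticate" or "enroll"
        "result": result,        # e.g. "match" / "no_match"; the fingerprint itself never leaves the device
        "ts": int(now if now is not None else time.time()),
        "nonce": os.urandom(8).hex(),
    }
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    body["mac"] = hmac.new(secret, canonical, hashlib.sha256).hexdigest()
    return body


def verify_message(msg, secret=SHARED_SECRET, now=None):
    """Server side: returns (ok, reason); rejects bad MACs, stale timestamps and replays."""
    now = now if now is not None else time.time()
    body = {k: v for k, v in msg.items() if k != "mac"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    expected = hmac.new(secret, canonical, hashlib.sha256).hexdigest()
    # Authenticate first, so no field is trusted before the MAC has been checked.
    if not hmac.compare_digest(expected, msg.get("mac", "")):
        return False, "bad_mac"
    if abs(now - body["ts"]) > WINDOW_SECONDS:
        return False, "stale"
    # Drop nonces whose window has passed, then refuse any nonce already seen.
    for n, exp in list(_seen_nonces.items()):
        if exp < now:
            del _seen_nonces[n]
    if body["nonce"] in _seen_nonces:
        return False, "replay"
    _seen_nonces[body["nonce"]] = body["ts"] + WINDOW_SECONDS
    return True, "ok"
```

Because the nonce cache only needs to cover the acceptance window, it stays small no matter how long the server runs.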
We have an external website running on a Flask backend as the main configuration site.
We've also built out a Chrome extension which can auto-fill username and password data on sites you use, locked behind our 3-factor authentication. It's similar to e.g. LastPass, but with some added security for unlocking -- but it's also more convenient to tap than to enter a password.
Challenges we ran into
Accomplishments that we're proud of
We are extremely proud of finishing a working product. We are also from different schools and are proud of our accomplishment to come together from different backgrounds!
What we learned
As enthusiasts of technology, we wanted to go outside of our comfort zone by hacking a project that covered as many aspects of tech as we could. We explored everything from hardware hacking, to security and cryptography, and full stack web development.
What's next for TapKey!
It would be nice to have this functionality not require the presence of an authentication server. In practice, this could be implemented by having TapKey communicate over the U2FHID protocol (used by e.g. Yubikeys), for which support exists in all major browsers. However, the spec is long and complicated, so in the interest of time we decided to opt against it.