Auth NFC
Security starts with transparency
Your secrets are important and you should trust the app that manages them.
Security Features
- No online account required.
- Your account information is stored only on your device.
- Your account store and secrets never leave your device unless you manually export to a backup file and move it yourself.
- Account secrets are encrypted while on the device and the account store file is only accessible by the app.
- You must enter a password, use a biometric, or scan an NFC tag to unlock the app.
- Your password is never stored anywhere, not even on your device.
- Optionally enable two-factor authentication, which requires both your password and an NFC tag to unlock the app.
Industry Standard Encryption
- AES-GCM - Advanced Encryption Standard (AES) with Galois/Counter Mode. This encryption algorithm is used to protect your account secrets.
- P-256 ECDH - Elliptic Curve Diffie-Hellman key exchange using the P-256 curve. Used for NFC tag authentication.
- HKDF - HMAC-based key derivation function used to generate a symmetric key from the P-256 shared secret. Used for NFC tag authentication.
- PBKDF2 - Password Based Key Derivation Function 2 - This function is used to create a strong key based on your password.
- SHA-256 - Hashing algorithm applied to the password key to create a one-way, irreversible value for storage.
How it Works
The first time you launch Auth NFC you will be asked to set up a new account store and create a password (4-character minimum). You will be asked to enter this password each time you launch the app. Alternatively, you may set up Face ID or Touch ID, or use an NFC tag, to unlock the app without the password. You may also enable two-factor authentication, which requires both a password and an NFC tag.
Here's what happens when a new account store is created.
- The account store is a standard JSON file stored securely in the app directory on your device and only available to the app.
- The app creates a random, 12-byte identifier used as a nonce for encryption.
- The app creates a random, 16-byte salt for hashing.
- The app takes your password and runs it through the key derivation function (PBKDF2) 100,000 times using SHA-256 to create a strong, 256-bit password key. Your password is then discarded and never stored anywhere.
- The app creates a random, 32-byte value used as a key to encrypt your account secrets. This master encryption key is itself encrypted with the derived password key and stored in the account store file on your device.
- The derived password key is hashed and stored in your account store file.
- The app then encrypts a small piece of known text using the master encryption key and keeps the result in your store file. This token is used to verify that the correct master key was recovered whenever you unlock the app.
Using NFC Tags
There are two ways to use NFC Tags within the app:
App Unlock and Two-Factor Authentication
You can register up to two NFC tags for unlocking the app; either tag can be used. These tags can also be used for two-factor authentication. When two-factor authentication is enabled you will be required to enter your password and scan one of your NFC tags to unlock the app.
Account Key Store
For each of your accounts you can change the Key Store to use an NFC tag. This will move the account secret off your device and onto the tag. You can optionally encrypt the secret on the tag. You will be required to scan the tag anytime you need to get the TOTP passcode for the account.
Unlocking the App
Anytime you unlock the app to access your accounts, here's what happens:
Using a Password
- You enter your password.
- Auth NFC re-derives the password key using PBKDF2 and compares its hash against the hash stored in the account store.
- Using the password key, Auth NFC decrypts the master encryption key.
- The master encryption key encrypts the known value and the result is compared against the token stored initially. If the tokens match, the app has the correct master encryption key.
- Using the master encryption key, your account secrets are decrypted and passcodes can be generated.
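The store-creation steps and the password unlock above, as an added example that is not the app's own code. It assumes the `cryptography` package; the verification text, the field names and the decision to give each account secret its own nonce are my choices, not details from the page.

```python
import os
import hashlib
import hmac
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

PBKDF2_ITERATIONS = 100_000       # iteration count stated on the page
VERIFY_TOKEN = b"auth-nfc-check"  # assumed stand-in for the "small piece of text"

def derive_password_key(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256, 100,000 rounds, 256-bit key; the password itself is never kept
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)

def create_store(password: str) -> dict:
    nonce = os.urandom(12)        # 12-byte GCM nonce kept in the store
    salt = os.urandom(16)         # 16-byte PBKDF2 salt
    password_key = derive_password_key(password, salt)
    master_key = os.urandom(32)   # random 32-byte master encryption key
    return {
        "nonce": nonce.hex(),
        "salt": salt.hex(),
        # SHA-256 of the derived key, so the file never holds the key itself
        "password_key_hash": hashlib.sha256(password_key).hexdigest(),
        # master key wrapped under the password key (a different key from the token's, so sharing the nonce is safe)
        "wrapped_master_key": AESGCM(password_key).encrypt(nonce, master_key, b"").hex(),
        "verify_token": AESGCM(master_key).encrypt(nonce, VERIFY_TOKEN, b"").hex(),
    }

def unlock(store: dict, password: str):
    nonce, salt = bytes.fromhex(store["nonce"]), bytes.fromhex(store["salt"])
    password_key = derive_password_key(password, salt)
    # 1. hash the re-derived key and compare with the stored hash in constant time
    if not hmac.compare_digest(hashlib.sha256(password_key).hexdigest(), store["password_key_hash"]):
        return None
    # 2. unwrap the master key; the GCM tag check also rejects a wrong key
    try:
        master_key = AESGCM(password_key).decrypt(nonce, bytes.fromhex(store["wrapped_master_key"]), b"")
    except InvalidTag:
        return None
    # 3. re-encrypt the known value and compare against the token stored at setup
    token = AESGCM(master_key).encrypt(nonce, VERIFY_TOKEN, b"").hex()
    return master_key if hmac.compare_digest(token, store["verify_token"]) else None

def encrypt_secret(master_key: bytes, secret: bytes) -> bytes:
    # each account secret gets a fresh nonce: GCM nonces must never repeat under one key
    nonce = os.urandom(12)
    return nonce + AESGCM(master_key).encrypt(nonce, secret, b"")

def decrypt_secret(master_key: bytes, blob: bytes) -> bytes:
    return AESGCM(master_key).decrypt(blob[:12], blob[12:], b"")
```

A wrong password is rejected at the hash comparison before any decryption is attempted; the later checks cover a store whose wrapped key or token has been altered.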
Using an NFC Tag
- You scan your NFC tag.
- Auth NFC compares the tag identifier with the stored version.
- The app reads the private key from the tag and, using the stored public key, derives the shared symmetric key.
- The app decrypts the master encryption key using the symmetric key.
- The master encryption key encrypts a known value and compares it against the stored value. If the values match, the app has the correct master encryption key.
- Using the master encryption key, your account secrets are decrypted and passcodes can be generated.
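The NFC tag unlock above, as an added example that is not the app's own code. It assumes the `cryptography` package. The page does not describe enrollment, so the way the two key pairs are split between the tag and the store, the HKDF info string, the verification text and the tag identifier are all assumptions.

```python
import os
import hmac
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

HKDF_INFO = b"auth-nfc tag unlock"  # assumed HKDF context string, not from the page
VERIFY_TOKEN = b"auth-nfc-check"    # assumed stand-in for the known value

def shared_symmetric_key(private_key, public_point: bytes) -> bytes:
    # P-256 ECDH shared secret, then HKDF-SHA256 down to a 256-bit AES-GCM key
    peer = ec.EllipticCurvePublicKey.from_encoded_point(ec.SECP256R1(), public_point)
    secret = private_key.exchange(ec.ECDH(), peer)
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=HKDF_INFO).derive(secret)

def enroll_tag(master_key: bytes, nonce: bytes):
    # Assumed enrollment: the tag keeps one pair's private key, the store keeps the other
    # pair's public key; ECDH between them gives the wrapping key. The remaining halves
    # (app private key, tag public key) are discarded so the store alone cannot unwrap.
    tag_private = ec.generate_private_key(ec.SECP256R1())
    app_public = ec.generate_private_key(ec.SECP256R1()).public_key().public_bytes(
        serialization.Encoding.X962, serialization.PublicFormat.UncompressedPoint)
    sym_key = shared_symmetric_key(tag_private, app_public)
    tag_id = os.urandom(7).hex()  # constructed stand-in for the tag's identifier
    tag = {"id": tag_id, "private_key": tag_private.private_bytes(
        serialization.Encoding.DER, serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption())}
    entry = {"tag_id": tag_id, "app_public": app_public.hex(),
             "wrapped_master_key": AESGCM(sym_key).encrypt(nonce, master_key, b"").hex(),
             "verify_token": AESGCM(master_key).encrypt(nonce, VERIFY_TOKEN, b"").hex()}
    return tag, entry

def nfc_unlock(tag: dict, entry: dict, nonce: bytes):
    # returns the master key, or None if the tag id, the unwrap or the token check fails
    if not hmac.compare_digest(tag["id"], entry["tag_id"]):
        return None
    tag_private = serialization.load_der_private_key(tag["private_key"], password=None)
    sym_key = shared_symmetric_key(tag_private, bytes.fromhex(entry["app_public"]))
    try:
        master_key = AESGCM(sym_key).decrypt(nonce, bytes.fromhex(entry["wrapped_master_key"]), b"")
    except InvalidTag:
        return None
    token = AESGCM(master_key).encrypt(nonce, VERIFY_TOKEN, b"").hex()
    return master_key if hmac.compare_digest(token, entry["verify_token"]) else None
```

A tag carrying the right identifier but a different private key derives a different symmetric key, so the GCM tag check on the wrapped master key fails and the unlock returns None.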
Using Two-Factor Authentication
- You enter your password.
- Auth NFC re-derives the password key using PBKDF2 and compares its hash against the hash stored in the account store.
- You scan your NFC tag.
- Auth NFC compares the tag identifier with the stored version.
- The app reads the private key from the tag and, using the stored public key, derives the shared symmetric key.
- The app decrypts the master encryption key using both the password key and the symmetric key.
- The master encryption key encrypts a known value and compares it against the stored value. If the values match, the app has the correct master encryption key.
- Using the master encryption key, your account secrets are decrypted and passcodes can be generated.
Reminders
- Don't forget your password! There is no way to recover your secrets without it.
- Back up your accounts periodically and store the backup in a safe place.
- If you choose to use the NFC features of the app, don't lose your NFC tags! Once a secret is moved to a tag it no longer exists on your device.
- Be aware that exported backup files WILL NOT CONTAIN secrets for any account whose secret is stored on an NFC tag.
- Generally use the encrypted export features when saving backup files. Only export to plaintext when necessary.
- Always store your backup files in a secure location.