NFC/RFID Authentication Flow

[ISAslot]

Our facility just got upgraded with new door readers that can use NFC through cards or phones to grant access. I'd like to also use cards or phones to provide authentication to our instrument use system. Could anyone direct me to information on how I would securely set this up? We were provided some NFC readers to test with. They are USB. When you plug them in and scan they emulate a keyboard and type a number. I could associate this number with users but this doesn't seem very secure. Shouldn't there be some key exchange during this process?

 

[sdifox]

The code is supposed to be checked by the keycard access control system. I don't quite get what you are asking.

 

[ISAslot]

The code is identical each time. How would this 'check' take place? What's stopping someone from obtaining the code and programming an identical NFC card?

 

[sdifox]

It's very old tech, like 1980s. Just because you use your phone instead of a card doesn't change that fact. All the reader does is read the code. The control system check the code against access table of that particular lock. If it is within allowed time. It unlocks.

It doesn't care who holds the card, why do you think it will care if it is the same code every time?

 

[ISAslot]

After more research and asking around the flow is as follows:
User taps > reader and card/phone handshake > reader uses preprogrammed private key to generate unique code > returns code to host device
See: https://en.wikipedia.org/wiki/ISO/IEC_14443
Example card type: https://www.hidglobal.com/products/single-tech