So a huge issue with RFID authentication is that it can be swiped over the air. Basic RFID fobs that simply transmit the same code every time, or only have a basic nonce, can be swiped just by having a powerful enough reader in the general vicinity of them, even through a bag or an entire wall. With “smart” RFID tags that do cryptography, there are cases where people have slipped a receiver into a person’s bag or had someone stand next to them with a receiver, and the receiver relayed in real time the information in the real tag to the fake tag the attacker is using.
But why isn’t there simply a button on high-security RFID tags that you have to hold down before it will transmit? Instead of tapping your smart card or key fob, you tap it while holding down the button; otherwise it won’t do anything. It doesn’t have to make the fob require power either: since RFID tags are powered by the reader while being read, you can easily make the button close that circuit only when pressed so the chip can’t even be powered without pressing it, or simply have the button close the circuit on a pin of the chip that it checks for before transmission. I think that this would effectively eliminate one of the biggest attack surfaces of RFID authentication, and with those smart cryptographic ones, the chances of someone trying to swipe your tag at the exact instant you’re pressing the button for fun are so slim that it’ll probably never happen, or at least only once in a blue moon.
What do you think? Is this a good or bad idea? Does it already exist?
It is probably just a question of price per unit. Adding a button would increase the cost drastically. If you want security, you just don’t go with an RFID tag. You go with a smartcard protected by a PIN. Security-minded people are not the market segment for RFID tags. And if people are forced to use an RFID tag in a security context, they can protect the tag with a shield.
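
Added example, not part of either post above: a small Python model of the three tag behaviours the thread discusses (fixed code, challenge-response, and challenge-response gated on a button pin), showing which unattended reads a door reader would still accept. The HMAC scheme, the key, the code value and all function names are assumptions made for illustration, not a real tag protocol.

```python
import hashlib
import hmac
import os

KEY = os.urandom(16)        # constructed shared secret for the crypto tags
STATIC_CODE = b"FOB-0001"   # constructed fixed code for the basic fob

def static_tag(challenge, pressed):
    """Basic fob: same code every time, ignores challenge and button."""
    return STATIC_CODE

def crypto_tag(challenge, pressed):
    """Challenge-response tag: answers any reader that powers it."""
    return hmac.new(KEY, challenge, hashlib.sha256).digest()

def gated_tag(challenge, pressed):
    """Proposed design: the chip checks the button pin before transmitting."""
    return crypto_tag(challenge, pressed) if pressed else None

def door_accepts(tag, challenge, response):
    """Door reader's check for the given tag type."""
    if response is None:
        return False
    if tag is static_tag:
        return hmac.compare_digest(response, STATIC_CODE)
    expected = hmac.new(KEY, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(response, expected)

def recorded_read_accepted(tag, pressed):
    """A response recorded from one read is presented to a later door challenge."""
    recorded = tag(os.urandom(16), pressed)
    return door_accepts(tag, os.urandom(16), recorded)

def forwarded_read_accepted(tag, pressed):
    """The door's live challenge reaches the tag and the answer comes back."""
    challenge = os.urandom(16)
    return door_accepts(tag, challenge, tag(challenge, pressed))

if __name__ == "__main__":
    for tag in (static_tag, crypto_tag, gated_tag):
        print(f"{tag.__name__:11} button not pressed: "
              f"recorded={recorded_read_accepted(tag, False)} "
              f"forwarded={forwarded_read_accepted(tag, False)}")
    print("gated_tag   button pressed: "
          f"forwarded={forwarded_read_accepted(gated_tag, True)}")
```

In this model the gated tag rejects both cases while the button is up, and the only remaining window is a forwarded read during a press, which is the residual case the question already calls out.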