
Google quietly discontinues NFC Smart Unlock without explanation - sparklemarkle
https://betanews.com/2017/09/28/google-kills-nfc-smart-unlock-android/
======
floatingatoll
NFC tags can be cloned trivially and permanently. Wearing an NFC ring that can
unlock your phone broadcasts a working phone PIN, without your awareness or
consent, to any transmitter or receiver that cares to ask. It is safe to
assume that malls and government security agencies worldwide are tracking you
in part through your NFC tags.

Anything that uses a challenge-response protocol would be safe, but that’s not
NFC tags at all. Google is removing a feature that can be used to break into
your phone as easily as if you’d printed the PIN on a ring in Courier. Phew.

~~~
jquast
Is yubikey integration for mobile considered unsafe?
[https://www.yubico.com/products/yubikey-hardware/yubikey-neo...](https://www.yubico.com/products/yubikey-hardware/yubikey-neo/)

~~~
floatingatoll
The NFC protocols implemented by Yubico are dynamic, not static, derived from a
secret key held in hardware on the device. Those dynamic methods are not
vulnerable to the NFC Tag issues described above.

An attacker could use NFC to sniff the exchange between your phone and your
Yubikey, so you're still vulnerable to eavesdropping. But the point of the
challenge-response protocols is to make eavesdropping irrelevant.

The practical vulnerability would be if an attacker eavesdropped on a one-time
password going over NFC, blocked your phone's outbound signals so that it
can't send it, and then somehow used the one-time password for their own
nefarious purposes.

You'll have to make your own judgement call on whether that's a level of
compromise you can accept for your use case.
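The static-versus-dynamic distinction discussed in this thread, as an added example that is not part of the thread and not Yubico's or Google's code: a verifier that compares a fixed tag identifier accepts any replayed copy, while a generic HMAC challenge-response verifier rejects a response recorded from an earlier exchange. The class names, the tag identifier and the secret are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; not taken from any real tag or token.
STATIC_TAG_ID = bytes.fromhex("04a1b2c3d4e5f6")
TOKEN_SECRET = secrets.token_bytes(32)

class StaticTagVerifier:
    """Unlocks when the presented identifier equals the enrolled one."""

    def __init__(self, enrolled_id: bytes):
        self.enrolled_id = enrolled_id

    def verify(self, presented_id: bytes) -> bool:
        return hmac.compare_digest(self.enrolled_id, presented_id)

class ChallengeResponseVerifier:
    """Issues a fresh random challenge and checks HMAC(secret, challenge)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending = None

    def new_challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def verify(self, response: bytes) -> bool:
        if self.pending is None:
            return False
        expected = hmac.new(self.secret, self.pending, hashlib.sha256).digest()
        self.pending = None  # each challenge is single-use
        return hmac.compare_digest(expected, response)

def token_respond(secret: bytes, challenge: bytes) -> bytes:
    """What the hardware token computes; the secret never leaves it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def replay_outcomes() -> dict:
    """Present a previously observed value to each verifier a second time."""
    static_ok = StaticTagVerifier(STATIC_TAG_ID).verify(STATIC_TAG_ID)
    cr = ChallengeResponseVerifier(TOKEN_SECRET)
    observed = token_respond(TOKEN_SECRET, cr.new_challenge())
    legit = cr.verify(observed)   # first use, matches its challenge
    cr.new_challenge()            # verifier moves on to a fresh challenge
    return {"static_replay": static_ok, "cr_legit": legit,
            "cr_replay": cr.verify(observed)}
```
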

