🏷️ NFC Identity & Authentication Systems
Physical-First Zero-Trust Authentication
A suite of open-source tools that replace password-based authentication with physical NFC tokens + encrypted vaults. Multi-platform coverage across GitHub, AWS, and Google Cloud with zero cloud dependency and air-gap compatibility.
⚠️ The Problem: Identity Is the #1 Attack Vector
80% of breaches involve compromised credentials. Passwords are phished, keylogged, and brute-forced. Cloud-based 2FA adds convenience but introduces new attack surfaces: SIM swaps, TOTP interception, and session hijacking. The authentication layer itself has become the weakest link in the security chain.
✅ Our Solution: Physical Tokens + Encrypted Vaults
Each system uses a physical NFC tag as the root of trust. The tag's value is never displayed on screen, never transmitted over a network, and never stored in plaintext. Combined with device-bound encrypted vaults and optional Unicode nightmare alphabet encoding, credentials become physically unreproducible without possessing the hardware.
🔒 Zero-Visibility Authentication
NFC values are captured via hardware reader — never typed, never shown on screen. Double-scan verification ensures accuracy without exposure. Immune to keyloggers and screen capture.
🛡️ Multi-Factor Physical Auth
Something you have (NFC tag) + something else you have (USB drive with alphabet) + something you know (optional PIN). Requires physical possession of multiple devices simultaneously.
⚡ Authentication Architecture
Physical token to platform access in 5 steps. No passwords, no cloud, no exposure.
NFC Authentication Flow
1. Physical NFC tag read via hardware reader (hidden input)
2. Passphrase transformed via nightmare alphabet on USB
3. Encrypted credentials decrypted locally on device
4. SSH key / STS token / service account activated
5. Session auto-expires, keys rotate after 30 days
Nightmare Alphabet Encoding
1381825540▿↠▆∫̋┘⇞╮⮱⒔▿↠▆
95+ Unicode symbols from a unique alphabet stored on a USB drive. The mapping is deterministic but cannot be reproduced without the physical USB.

Triple-lock architecture: NFC tag + USB device ID + ambient chaos entropy
🔑 Key Features
Shared capabilities across all NFC identity systems.
Zero-Visibility Input
NFC values never appear on screen. Hardware reader captures data invisibly. Immune to shoulder surfing and screen capture.
AES-256-GCM Vaults
Credentials encrypted at rest with PBKDF2-SHA256 (100K iterations). Device-specific salts prevent cross-machine attacks.
100% Offline
No cloud APIs, no external requests, no telemetry. Works in air-gapped and classified environments.
30-Day Key Rotation
SSH keys and credentials auto-expire. Compromised keys have a limited blast radius. Rotation requires physical NFC re-scan.
Device Fingerprinting
Vaults are bound to specific hardware. Stolen vault files are useless on different machines.
Multi-Platform
GitHub SSH, AWS STS, Google Cloud IAM. One physical token, consistent security model across all platforms.
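As an added illustration (not code from any of the repositories described on this page) of the five-step flow above and of the vault key derivation listed under Key Features, the following Python sketches how the factors combine: a hidden tag read confirmed by double-scan, the passphrase mapped through a USB-resident alphabet, and PBKDF2-SHA256 with 100K iterations over a device-specific salt. The alphabet, machine identifiers and tag value are constructed placeholders, the field separator and salt prefix are my assumptions, and the final AES-256-GCM encrypt/decrypt step is left out.

```python
import hashlib
import hmac
import string

# Constructed stand-in for the "nightmare alphabet" a user keeps on the USB drive:
# one distinct Unicode box-drawing symbol for each of the 95 printable ASCII characters.
# A real deployment would load the mapping from the USB device; this one is built
# in-process purely so the example runs offline.
PRINTABLE_95 = string.printable[:95]
USB_ALPHABET = {c: chr(0x2500 + i) for i, c in enumerate(PRINTABLE_95)}
IDENTITY_ALPHABET = {c: c for c in PRINTABLE_95}  # what someone without the USB is left with

def transform_passphrase(passphrase: str, alphabet: dict) -> str:
    """Step 2 of the flow: map every passphrase character through the USB alphabet.
    Deterministic (same input, same output) but meaningless without the mapping itself."""
    return "".join(alphabet[c] for c in passphrase)

def double_scan_ok(first_scan: str, second_scan: str) -> bool:
    """Zero-visibility check: two hidden reads of the tag must agree before the value
    is used, so a mis-read is caught without ever echoing the value to the screen."""
    return hmac.compare_digest(first_scan.encode("utf-8"), second_scan.encode("utf-8"))

def device_salt(machine_id: str) -> bytes:
    """Device-specific salt derived from a machine identifier (assumed scheme), so the
    same vault material cannot be unlocked on different hardware."""
    return hashlib.sha256(b"nfc-vault-salt-v1:" + machine_id.encode("utf-8")).digest()

def derive_vault_key(tag_value: str, passphrase: str, alphabet: dict,
                     machine_id: str, iterations: int = 100_000) -> bytes:
    """Combine the factors into the 256-bit key that would unlock the AES-256-GCM vault:
    NFC tag value (hidden input) + alphabet-transformed passphrase, stretched with
    PBKDF2-SHA256 (100K iterations) over the device-bound salt."""
    encoded = transform_passphrase(passphrase, alphabet)
    secret = (tag_value + "\x1f" + encoded).encode("utf-8")  # 0x1F separates the two fields
    return hashlib.pbkdf2_hmac("sha256", secret, device_salt(machine_id), iterations, dklen=32)

if __name__ == "__main__":
    # Constructed sample values; a real tag UID arrives from the HID reader, never typed.
    scan1, scan2 = "04A2B3C4D5E680", "04A2B3C4D5E680"
    assert double_scan_ok(scan1, scan2)
    key_laptop = derive_vault_key(scan1, "correct horse", USB_ALPHABET, "laptop-001")
    key_other = derive_vault_key(scan1, "correct horse", USB_ALPHABET, "desktop-002")
    key_no_usb = derive_vault_key(scan1, "correct horse", IDENTITY_ALPHABET, "laptop-001")
    print("same device, all factors   :", key_laptop.hex()[:16])
    print("vault copied, other device :", key_other.hex()[:16], key_other != key_laptop)
    print("tag only, no USB alphabet  :", key_no_usb.hex()[:16], key_no_usb != key_laptop)
```

Each missing factor (different machine, absent alphabet, different tag) yields an unrelated key, which is the property that makes a copied vault file useless on its own.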
📊 How NFC Auth Compares
Physical NFC authentication vs. traditional methods.
| Method | Phishing Resistant | Offline Capable | No Cloud Dependency | Key Rotation |
|---|---|---|---|---|
| Passwords + TOTP | ✗ | ✓ | ✗ | ✗ |
| Cloud 2FA (Duo, Okta Verify) | Partial | ✗ | ✗ | ✓ |
| FIDO2 / YubiKey | ✓ | Partial | Partial | ✗ |
| SSH Key (unprotected) | ✓ | ✓ | ✓ | ✗ |
| NFC + Vault (This System) | ✓ | ✓ | ✓ | ✓ |
📦 Open-Source Projects
5 public repositories covering authentication, encryption, and research.

One physical token, three cloud platforms
Ultra-secure SSH authentication using physical NFC tags. Interactive HTML guide with automated installer. Zero-visibility double-scan verification ensures passphrase accuracy without screen exposure.
Multi-factor physical auth combining NFC tag + USB drive with a 95+ character Unicode cipher. Mathematically unbreakable without both physical devices. GUI app with 30-day auto key rotation.
Hardware-based auth for AWS using physical NFC tokens with Chaos Engine integration. AES-256-GCM encrypted vaults, device fingerprinting, rate limiting, and configurable STS session durations.
NFC-based auth for Google Cloud with invisible scanning method. Credential vault encryption, NFC-GCP bridge, security diagnostics, and test suites for stolen credential scenarios.
Research into NFC-based polyglot file delivery. PoC testing across NTAG213/215/216 chips with size constraint analysis. Open-source detection tools for the security community.
🛡️ Attack Resistance
Validated protection against the most common identity attack vectors.

✅ Security Principles
Built on zero-trust architecture with defense-in-depth at every layer.
🎯 Use Cases
Built for teams and individuals who need physical-first authentication.
💻 Developer SSH Access
Replace password-based SSH with NFC + encrypted vault authentication. Tap to deploy, tap to commit. No passwords to remember or rotate manually.
☁️ Cloud Infrastructure
Secure AWS and GCP access with physical tokens. STS session tokens auto-expire. Credential vaults are device-bound and encrypted at rest.
🏛️ Classified Environments
Air-gapped authentication for government and military systems. Zero network dependencies, zero telemetry, zero cloud calls.
🔬 Security Research
NFC polyglot research tools for red teams and security researchers. Understand NFC attack surfaces before adversaries exploit them.
❓ Frequently Asked Questions
Common questions about NFC-based authentication.
Why NFC instead of YubiKey / FIDO2?
YubiKeys are excellent but opaque—you trust the vendor's firmware. Our NFC system is fully open-source, auditable, and combines the NFC tag with additional factors (USB alphabet, device binding) that FIDO2 doesn't support. You can also use cheap $1 NFC tags instead of $50+ hardware keys.
What NFC readers are supported?
Any USB NFC reader that presents as a keyboard input device (HID mode). The ACR122U is the most tested. The system also works with phone-based NFC readers on Android. Reader cost: $15–$30.
What happens if I lose my NFC tag?
Without the physical tag, authentication is impossible—that's the point. We recommend registering two tags (primary + backup) and storing the backup in a secure location. Re-enrollment requires physical access to the machine.
Can someone clone my NFC tag?
Standard NTAG chips can be read at close range (~4cm). However, the tag value alone is insufficient—you also need the USB nightmare alphabet, the device-bound vault, and the machine's hardware fingerprint. Cloning the tag gives an attacker one factor out of three or four.
Does this work on Windows?
The GitHub and cloud auth systems are tested on Linux and macOS. Windows support is experimental. The Chaos Lock NFC integration runs on all platforms via Python/Qt.
How does this relate to Okta / enterprise IAM?
This is complementary to enterprise IAM. Okta manages identity federation and SSO at the org level. Our NFC systems secure the last mile—the physical authentication moment where credentials are most vulnerable to interception.
🚀 Explore the Code
All NFC identity systems are open-source. Browse the repositories, read the docs, or start with the GitHub 2FA installer.
All repositories licensed under open-source licenses. See individual repos for details.
