Two factor authentication using a Yubikey or similar products and a numerical keypad to unlock a door

First, what is a yubikey?
The YubiKey is a hardware authentication device manufactured by Yubico used to protect access to computers, networks, and online services that supports one-time passwords (OTP), public-key cryptography, and authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols developed by the FIDO Alliance.

It allows users to securely log into their accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated by the device. YubiKey also allows for storing static passwords for use at sites that do not support one-time passwords. Both Google and Facebook use YubiKey devices to secure employee accounts as well as end user accounts.

Some password managers support YubiKey.
One of those are: https://keepass.info/ or https://keepassxc.org/

Yubico also manufactures the Security Key, a similar lower cost device with only FIDO/U2F support.

The YubiKey implements the HMAC-based One-time Password Algorithm (HOTP) and the Time-based One-time Password Algorithm (TOTP), and identifies itself as a keyboard that delivers the one-time password over the USB HID protocol.

A YubiKey can also present itself as an OpenPGP card using 1024, 2048, 3072 and 4096-bit RSA (for key sizes over 2048 bits, GnuPG version 2.0 or higher is required) and elliptic curve cryptography (ECC) p256 and p384, allowing users to sign, encrypt and decrypt messages without exposing the private keys to the outside world.

Also supported is the PKCS#11 standard to emulate a PIV smart card. This feature allows for code signing of Docker images as well as certificate based authentication for Microsoft Active Directory and SSH.

It also supports PAM, WebAuthn,PGP, OpenPGP,OTP,OATH,FIDO2 and PIV.

Relevant link:

It has a USB male connector and some models even has in addition NFC ( Near-field communication ).

As openHAB runs Linux, PGP/openPGP Fido2 and perhaps more standards is already supported, my question is:

Has anyone tried to implement a yubikey and a keypad to unlock a ZigBee door lock?

Example of how it could possibly work:

The yubikey is plugged in to a outdoor USB receptacle ( IP 65 ), OpenHab registers this and reads the pgp or Fido2 keys stored on the device. If these are recognised, the keypad is enabled ( maybe the keys lights up to notice that it is “ready for input”, the user punches in #four digits# and if this is correct the door lock unlocks.
The users time of entry is also logged to a CVS document.

Does anyone have any opinions on this?

Is this for home or a data center.

A makerspace.

I don’t think the type of door lock would matter, so long as openHAB can control it. But I might be missing something in your description.

I’m all for two-factor security, but it doesn’t work when there are relatively easy ways around it. Your door still needs to have a regular key in case the system breaks down or there’s a power outage, and you need to carry that key to ensure you can get in. If a burglar wants to get into your house, they’ll steal that physical key or just break a window.

That’s why the second factor in a building is usually an alarm system. You unlock the door with a key, and then have to punch in a code to disarm the system. The second factor likely fails in a power outage, but you can still get into your house. And if someone steals your key, they’ll hopefully leave quickly when the alarm sounds. You can’t prevent entry with two factors, but you can prevent people from sticking around.

I’ve actually gone the other way and tried to increase my convenience for getting in the front door. I have a Schlage Connect keypad, so I just need my code to get in. But I can also unlock it from my phone, my smartwatch, or using Google Assistant (with a passcode). I haven’t actually used my physical key since I installed the lock six years ago…but I still won’t leave the house without it.

Hackerspace I was involved in did accesscontrol - services - infrastructure [HSBNE Wiki]

https://github.com/HSBNE/AccessControl

Its just a RFID reader with infrastructure.

If you are already settled on technologies then yeah you can defiantly cobble something together.

@rpwong https://www.youtube.com/watch?v=nwPtcqcqz00

Not to my knowledge. There are a few who have endeavored to implement stuff like this using RFID, fingerprint readers, and the like.

In general there is a reason why most commercial and government secure spaces use cards instead of keys, though. It’s pretty awkward to carry around a dongle compared to a card you can put in a badge holder or your wallet.

If you used NFC though it doesn’t really matter whether it’s a USB dongle or a smart card. But I don’t know if Yubi sells cards so the form factor would still be a problem.

There are plenty of ways to deal with that though. One or two copies of the key can be kept securely off site in a secure way by trusted agents. One only needs the key in rare circumstances so the delay in time to have someone go get the physical key if the power is down isn’t that big of a deal overall.

Systems like this tend to revolve around a balance of convenience and security. It’s a heck of a lot less work (i.e. convenient) to issue cards or electronic keys that can be individually revoked than it is to issue physical copies of keys which, when someone leaves the organization have to all be replaced with new physical keys. The goal isn’t to make something more secure than a plain old lock and key, it’s to make something as secure as a lock and key but which has more flexibility to handle lots of users.

But to enable that you need some sort of secure way to ensure that the user possesses the “key” to the door which is where Yubi comes in.

Of course the calculations change when you are talking about 3-5 people who live in a home together compared to a Makerspace where there might be dozens of people who need access to the door.

Ultimately, as with anything openHAB, you need to identify an API and build your solution around that. In this case it seems like if what ever is processing the Yubi keys can issue a command to openHAB to unlock the door would be ideal. But it’s all going to depend on the specifics of the software and hardware involved.

One final note, this would not be two-factor auth unless the user also must enter a key on the keypad for entry. Yubi keys are usually used as a second factor with username/password but used by themselves they would just be a single factor.

I must have posted just as @Supermagnum replied last night, as I didn’t see that this is for a makerspace. I feel differently if this is more about access control for a large number of users, as opposed to burglar-prevention in a house.

Now that I’m caught up, my suggestion would be to put two deadbolts on the door. One lock would have a keypad (e.g. a Schlage Connect), and the other would require that the person connect to the openHAB server to open it, which would then log their entry. If a person is no longer allowed in the space, you just have to remove their API authentication.

You could also put an NFC tag on the door that users could tap with an Android phone to trigger the unlocking process (I’m not sure if NFC works in the iOS app).

I thought about having just the keypad lock and requiring users to authenticate with openHAB to get the current code, but that defeats the two-factor security until the code is changed. Hence the second deadbolt that always requires an API token.

I’ve had a Yubikey for years (got it from an Ars Technica subscription), but I don’t use it. The services that had it weren’t using it as a second factor…you just had to plug it into your computer. That didn’t make sense to me, so I tossed it in a drawer. Now that they’ve added PIN codes (and also have a fingerprint version), I should dig it out.