First, what is a yubikey?
The YubiKey is a hardware authentication device manufactured by Yubico used to protect access to computers, networks, and online services that supports one-time passwords (OTP), public-key cryptography, and authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols developed by the FIDO Alliance.
It allows users to securely log into their accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated by the device. YubiKey also allows for storing static passwords for use at sites that do not support one-time passwords. Both Google and Facebook use YubiKey devices to secure employee accounts as well as end user accounts.
Yubico also manufactures the Security Key, a similar lower cost device with only FIDO/U2F support.
The YubiKey implements the HMAC-based One-time Password Algorithm (HOTP) and the Time-based One-time Password Algorithm (TOTP), and identifies itself as a keyboard that delivers the one-time password over the USB HID protocol.
A YubiKey can also present itself as an OpenPGP card using 1024, 2048, 3072 and 4096-bit RSA (for key sizes over 2048 bits, GnuPG version 2.0 or higher is required) and elliptic curve cryptography (ECC) p256 and p384, allowing users to sign, encrypt and decrypt messages without exposing the private keys to the outside world.
Also supported is the PKCS#11 standard to emulate a PIV smart card. This feature allows for code signing of Docker images as well as certificate based authentication for Microsoft Active Directory and SSH.
It also supports PAM, WebAuthn,PGP, OpenPGP,OTP,OATH,FIDO2 and PIV.
It has a USB male connector and some models even has in addition NFC ( Near-field communication ).
As openHAB runs Linux, PGP/openPGP Fido2 and perhaps more standards is already supported, my question is:
Has anyone tried to implement a yubikey and a keypad to unlock a ZigBee door lock?
Example of how it could possibly work:
The yubikey is plugged in to a outdoor USB receptacle ( IP 65 ), OpenHab registers this and reads the pgp or Fido2 keys stored on the device. If these are recognised, the keypad is enabled ( maybe the keys lights up to notice that it is “ready for input”, the user punches in #four digits# and if this is correct the door lock unlocks.
The users time of entry is also logged to a CVS document.
Does anyone have any opinions on this?