Could Espruino be used to validate an app?

  • Hello!

    We're trying to create a digital ID to replace UK Passport/driving licences for entry into licensed premises, but need to ensure it cannot be faked (or failing that, the barrier to a successful forgery needs to be very high).

    Here are the constraints we need to deal with:

    1. We need to implement a solution across Android and iOS
    2. Door supervisors don't like to use technology on their side, so mobile to mobile communication solutions are not possible, and anything that requires more than a minor effort on their side is likely not an option either
    3. To show the ID, users will scan a static QR code (which is worn around the neck of the door supervisor) and this will then display the ID on the user's phone until dismissed

    Traditional IDs use a hologram to prevent forgery, and despite this being relatively easy to fake in many cases, it's considered a sufficient level of security for many physical ID cards. We could use the phone's gyroscope and accelerometer data to create something that looks and moves like a hologram, but our fear is this could be faked, either in a web app in the browser or in an app on a rooted iPhone/sideloaded onto Android.

    One solution to this is that the doorstaff would have a button (such as Espruino) and if they press the button while the ID is shown on screen, Espruino would be programmed to communicate with our app and show something on screen (such as large text saying "VALID" for example).

    Is this possible and relatively easy to do with Espruino?

    Can it be done without pairing to each individual phone?

  • If your app has access to Bluetooth LE (and the phone's Bluetooth is on) then yes - you can listen for advertising data from Puck.js without having to pair with it at all.

    There have been some other posts on the Puck.js section of the forum showing how you can broadcast a number that increments each time the button is pressed - then your app just listens, and if the number it sees changes it knows the button has been pressed.

    Having said that, it's a one-way communication (from Puck.js to the phone), so there wouldn't be validation as such. To get two-way communication you'd need pairing.

  • A suggestion:
    Using two-way communication.
    A sends a 16 byte random number to B
    B receives random number and uses secret key and the AES block encryption to encrypt the random number. B sends the encrypted results to A.
    A uses original random number and secret key to calculate the encrypted value to compare with the message from B.
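
The exchange suggested above, written for Node.js as an added example that is not part of the original thread and is not Espruino or Puck.js code. The `Verifier` class, the `respond` function and the demo key are assumptions for illustration; the single-use challenge handling goes slightly beyond the three steps in the post.

```javascript
// Added example: challenge-response with a shared key and one AES block.
const crypto = require("crypto");

const BLOCK = 16; // AES block size and challenge length in bytes

// Encrypt exactly one 16-byte block with AES-128 (no padding, no chaining).
function aesEncryptBlock(key, block) {
  if (key.length !== BLOCK || block.length !== BLOCK) {
    throw new Error("key and block must both be 16 bytes");
  }
  const cipher = crypto.createCipheriv("aes-128-ecb", key, null);
  cipher.setAutoPadding(false);
  return Buffer.concat([cipher.update(block), cipher.final()]);
}

// Side B: prove knowledge of the key by encrypting A's challenge.
function respond(key, challenge) {
  return aesEncryptBlock(key, challenge);
}

// Side A: issues challenges and accepts at most one answer per challenge.
class Verifier {
  constructor(key) {
    this.key = key;
    this.pending = null; // challenge currently awaiting a response
  }
  issueChallenge() {
    this.pending = crypto.randomBytes(BLOCK);
    return Buffer.from(this.pending); // copy, so callers cannot alter state
  }
  check(response) {
    const challenge = this.pending;
    this.pending = null; // single use: a captured response cannot be replayed
    if (!challenge || !Buffer.isBuffer(response) || response.length !== BLOCK) {
      return false;
    }
    const expected = aesEncryptBlock(this.key, challenge);
    return crypto.timingSafeEqual(expected, response);
  }
}

// Constructed demo key; a real deployment would provision its own secret.
const DEMO_KEY = Buffer.from("000102030405060708090a0b0c0d0e0f", "hex");
```

Because every challenge is fresh random data, a response recorded from one exchange does not verify against the next one, which is the property a one-way broadcast cannot provide.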

  • Thanks both. I apologise for referring to Espruino in my post when I meant Puck.js - this is the device that we're interested in. Does the Puck.js product have any hole in it to attach it to a lanyard?

    ClearMemory - I like your solution but given the two-way communication between A and B it would require pairing, right? If so it's not really an option for us as we need a solution which can work across many different devices in quick succession. If you have further ideas please do let me know though.

  • Does the Puck.js product have any hole in it to attach it to a lanyard?

    Yes, it does! I think you may even be the first person to ask. You can just see it here: http://www.espruino.com/press/puckjs/stacked_pucks.jpg

Posted by @taro33