4

Newer Android phones (since Android 5, “Lollipop”) have the Smart Lock functionality that allows one to unlock the phone, among other ways, with a trusted device (Bluetooth or NFC) instead of entering the usual PIN, pattern or password.

I’m asking about NFC in particular. How secure is Smart Lock when configured to unlock the phone when a specific NFC tag is activated? I’m worried that someone could simply create an NFC tag with the same ID as mine (since NFC activates just by touching something, it’s very difficult to protect an NFC tag from being read at all times). Note that I’m not asking about the case where my NFC tag is stolen – obviously, my phone would no longer be safe in that case. What I’d like to know is how secure the technical implementation is, i.e. how can Smart Lock be sure that it’s really my NFC tag and prevent being fooled by something pretending to be my NFC tag.

In my case, the “NFC tag” is my YubiKey NEO. Their FAQ page makes some worrying statements:

Can the YubiKey NEO be used as a Smart Lock device for Android Lollipop?

Yes, the YubiKey NEO can be used as an NFC tag registered for Smart Lock on Android Lollipop devices. For more information, see the Android support page.

Note: Android’s SmartLock features uses a static 7 byte ID, which does not conform to Yubico’s security threshold standards. We recommend users consider this feature a convenience and not a strong authentication replacement.

Socob

1 Answer

2

If someone were to touch and read your NFC tag with the intention of cloning it, then they can do so and fool your phone by cloning the NFC tag. The phone relies on the tag's UID, but this too can be cloned (you can get UID-changeable tags from places like Alibaba).

Some specialized NFC tags & readers use certain tricks to protect against cloning, using some proprietary techniques, which makes them limited to that brand.

Elkady
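The difference between the two approaches described in the answer above, as an added example that is not part of the original answer and is not Android's or Yubico's code: a check that compares only a static ID cannot tell the enrolled tag from anything else presenting that ID, while a challenge-response check can. The HMAC-SHA256 scheme is an assumption standing in for the unspecified proprietary techniques, and every class, function and value here is constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample values; not taken from any real tag.
ENROLLED_UID = bytes.fromhex("04a1b2c3d4e5f6")  # 7-byte static ID
TAG_SECRET = os.urandom(32)  # key shared at enrollment, never sent over the air


class StaticTag:
    """Tag that only reports an ID, which any reader in range can observe."""
    def __init__(self, uid):
        self.uid = uid

    def read_uid(self):
        return self.uid


class KeyedTag(StaticTag):
    """Hypothetical tag that also answers challenges with a keyed MAC."""
    def __init__(self, uid, secret):
        super().__init__(uid)
        self._secret = secret

    def respond(self, challenge):
        return hmac.new(self._secret, self.uid + challenge, hashlib.sha256).digest()


def unlock_by_uid(tag):
    """Static-ID check: accepts anything that presents the enrolled ID."""
    return hmac.compare_digest(tag.read_uid(), ENROLLED_UID)


def unlock_by_challenge(tag, secret=TAG_SECRET):
    """Challenge-response check: the tag must prove knowledge of the key."""
    if not hasattr(tag, "respond") or tag.read_uid() != ENROLLED_UID:
        return False
    challenge = os.urandom(16)  # fresh per attempt, so recorded answers are useless
    expected = hmac.new(secret, ENROLLED_UID + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(tag.respond(challenge), expected)


genuine = KeyedTag(ENROLLED_UID, TAG_SECRET)
copy_of_uid = StaticTag(genuine.read_uid())         # knows the ID, not the key
wrong_key = KeyedTag(ENROLLED_UID, os.urandom(32))  # same ID, different key
```

With the static check, `genuine` and `copy_of_uid` are indistinguishable to the verifier; only the keyed check separates them, which is why a static-ID unlock is best treated as a convenience feature rather than strong authentication.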