Guys, these fobs are OTP (One-Time-Pad) devices. No encryption. AES is irrelevant. It’s a bunch of pre-shared keys. A secure server generates a few thousand (or more) 6-digit PINs, keeps a copy of the list for itself, and puts a copy on the key fob.
When the user authenticates, they put in their password (one factor), and a PIN from their fob (second factor). Each time the button on the fob is pressed, the next PIN in the sequence is displayed. The server has been keeping track of the last successfully used PIN, so will only accept the next, next+1, and next+2 PINs in the sequence (if a valid but out-of-sequence PIN is received [meaning it’s probably an attacker’s guess], the attempt is rejected). (This also means you don’t sit there pressing buttons on your fob because you will get out of sync with the server and get locked out of your account. Usually, a secure method of re-syncing the fob’s current PIN with the server is allowed for inadvertent button presses.) Once you’ve used up all your PINs, the fob is useless until reprogrammed with new PINs.
An attacker obtaining the physical fob (one factor) is little danger unless he also beats the password out of you with a rubber hose (both factors).
OTP is reasonably secure, even a DIY implementation*, as long as your other factor (password) authentication is also secure. I.e., don’t allow short/dictionary passwords. Also be sure to lock the account after 3 unsuccessful password or OTP attempts to reduce brute-force attacks.
* In an Arduino scenario, you’d be storing the PIN sequence in PROGMEM flash, storing a pointer to the current PIN in EEPROM, and burning the fuse bits to prevent readout of flash and EEPROM. Secure the PC used to generate the PINs and flash the Arduino as it is a weak link in the chain. This is where commercial companies make their money – their solution is end-to-end secured, audited, and tested. Yours has holes, but they are small holes.
As for hardware, you just need to find a tiny enough LCD+driver and go to sleep, waking on interrupt when the button is pressed.
EDIT: for a display, consider the HP QDSP-6064 bubble LED as sold by Sparkfun. The display only has to be lit occasionally, so battery life should be acceptable. It’s only 4 digits, but that may be enough for your purposes. Or stack two displays for up to 8 digits.
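The server-side acceptance rules the post describes (pre-shared list of 6-digit PINs, a pointer to the last PIN used, a window of next/next+1/next+2, rejection of valid but out-of-sequence PINs, and lockout after 3 failures) as a worked example. This is added illustrative code, not the poster's or any product's code; the `OtpServer`/`Account` names, the plaintext password field and the constructed PIN list are assumptions made for the example (a real server would store a salted password hash and persist the state).

```python
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass

WINDOW = 3          # accept next, next+1, next+2 (the window described in the post)
MAX_FAILURES = 3    # lock the account after this many bad attempts (post's advice)


def generate_pin_list(count: int) -> list[str]:
    """Generate `count` random 6-digit PINs from a CSPRNG. In the post's design the
    server keeps this list and the same list is burned into the fob's flash."""
    return [f"{secrets.randbelow(10 ** 6):06d}" for _ in range(count)]


@dataclass
class Account:
    password: str           # plaintext for illustration only (assumption for this example)
    pins: list[str]         # the pre-shared PIN sequence
    last_used: int = -1     # index of the last successfully used PIN; -1 = none yet
    failures: int = 0       # consecutive failed attempts
    locked: bool = False


class OtpServer:
    """Hypothetical verifier implementing the sequential-PIN scheme from the post."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def enroll(self, user: str, password: str, pins: list[str]) -> None:
        self.accounts[user] = Account(password=password, pins=list(pins))

    def authenticate(self, user: str, password: str, pin: str) -> str:
        """Return 'ok', 'rejected' or 'locked'. Both factors are always evaluated
        so a wrong password and a wrong PIN look the same to the caller."""
        acct = self.accounts.get(user)
        if acct is None:
            return "rejected"
        if acct.locked:
            return "locked"

        # Factor 1: password (constant-time comparison to avoid a timing side channel).
        pw_ok = hmac.compare_digest(password.encode(), acct.password.encode())

        # Factor 2: the PIN must be one of the next WINDOW unused PINs in sequence.
        # Anything else, including a PIN that is on the list but already used or
        # further ahead than the window, is treated as an attacker's guess.
        lo = acct.last_used + 1
        hi = min(lo + WINDOW, len(acct.pins))
        candidates = acct.pins[lo:hi]      # empty once the list is exhausted
        pin_ok = any(hmac.compare_digest(pin.encode(), c.encode()) for c in candidates)

        if pw_ok and pin_ok:
            # Advance the pointer to the PIN that was used, skipping any the user
            # burned by pressing the button (up to WINDOW - 1 of them).
            acct.last_used = lo + candidates.index(pin)
            acct.failures = 0
            return "ok"

        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            return "locked"
        return "rejected"


def demo() -> list[str]:
    """Walk through the scenarios from the post with a constructed PIN list."""
    pins = ["111111", "222222", "333333", "444444", "555555"]   # constructed sample
    srv = OtpServer()
    srv.enroll("alice", "correct horse battery staple", pins)
    return [
        srv.authenticate("alice", "wrong password", "111111"),   # bad factor 1
        srv.authenticate("alice", "correct horse battery staple", "111111"),  # ok
        srv.authenticate("alice", "correct horse battery staple", "111111"),  # replay
        srv.authenticate("alice", "correct horse battery staple", "444444"),  # next+2 ok
        srv.authenticate("alice", "correct horse battery staple", "333333"),  # skipped PIN
        srv.authenticate("alice", "correct horse battery staple", "555555"),  # last PIN
        srv.authenticate("alice", "correct horse battery staple", "555555"),  # exhausted
    ]


if __name__ == "__main__":
    print(demo())
```

Two points the code makes concrete: a valid PIN that falls outside the window is indistinguishable from a random guess and counts toward the lockout, and once `last_used` reaches the end of the list no PIN is accepted until the account is re-enrolled with a fresh list, which is the "useless until reprogrammed" state the post describes.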