I wrote in this space last week about "Pass2Go," a piece of software that resides on a key-sized USB Flash drive. The device stores all of the username/password combinations that log you into the various Web sites and secure servers you use. When you remove the drive from the USB port, your passwords are no longer available to anyone else who may use that computer.
This is better than storing your passwords within Microsoft's Internet Explorer browser (whose password encryption was cracked long ago) or the Mozilla Foundation's Firefox (which stores passwords in an ordinary file unless you set up a "master password").
But Pass2Go -- or any device that relies on passwords -- is insufficient to allow you to safely log on to your accounts when you're away from your desk. The answer to the problem is here, today. But will people use it?
The Problem With Passwords
To be sure, storing your passwords in a removable device using Pass2Go is preferable to writing them on sticky notes and gluing them to your monitor. The problem isn't how you remember your passwords, but the fact that you have to use them at all.
• Using A Nonsecure PC On A Nonsecure Network. If you use a PC at an Internet café, a library, a college, or any other public location, you have no easy way to guarantee that that machine isn't infected with a Trojan-horse program. Such a program could be watching for passwords and sending the information to a hacker at a remote location or a dishonest employee of the shared-PC service.
• Opening The Veil. The username/password combinations that are stored by Pass2Go are, it's true, unreadable when you insert your Flash drive into a USB slot. But as soon as you type your "master password," any Trojan horse on the Internet café's machine can copy the information by monitoring the keyboard. The Trojan can also capture the screen to learn what information may be displayed.
• The Savvier They Come, The Harder They Fall. A variety of companies have invented USB Flash drives that can be configured to require a registered user's fingerprint before releasing any username/password combinations to a browser login form. One such product is the Lexar JumpDrive TouchGuard, a $70, 256 MB drive. Your fingerprint makes a very good "master password." But a Trojan horse on an Internet café PC can still monitor your keystrokes and capture the screen as soon as your finger has opened the passwords on your Flash drive.
Carrying your passwords around in a Flash drive isn't a secure way for you to use public-access PCs to log in to your accounts. Passwords themselves are the problem. The solution is at hand, and it may free us from having to remember passwords at all.
Two-Factor and Challenge/Response Authentication
What's better than strong passwords? The answer lies in two-factor authentication and challenge/response authentication. These are big words for some simple concepts:
• Two-Factor Authentication relies upon "something you have" and "something you know." The most successful example is bank cards and PINs (personal identification numbers). A thief might steal your bank card, but it's unlikely that he'd guess your PIN before the card was swallowed up by a cash machine after three incorrect tries.
• Challenge/Response Authentication. Bank cards are merely a piece of plastic with a magnetized strip that contains your account information. But USB Flash drives (and similar technologies, including "smart cards") can do much more than just store bytes. They're also capable of carrying and using digital certificates. A secure server can issue a digital "challenge" that only a smart device can correctly respond to.
I've been calling devices such as these "USB keys," because they make it as easy for you to log in to a secure server as it is to start your car with a car key.
U.S. Bancorp Signs Up For USB Keys
Verisign Inc. is one of several companies that are beginning to sell USB keys, technically known as secure authentication tokens, to banks and other enterprises.
Verisign recently announced that U.S. Bancorp, the sixth-largest U.S. financial services holding company, would start giving secure USB tokens to its commercial banking customers. In my opinion, this is the first step toward all financial institutions requiring two-factor authentication for any online customer communication.
The company's Unified Authentication USB Token, shown at the bottom of the photo to the left, can hold up to seven digital certificates, according to Mark Griffiths, vice president of security services for Verisign.
The Multipurpose Next-Generation Token, shown at the top of the photo, also displays a 6-digit number when the user pushes a button. The number is one of a series that a secure server will accept as a valid password, in combination with a user's 4-digit PIN.
One-Time Passwords And Multiple-Use USB Keys
For many business applications, such as remote access to e-mail, a one-time password is sufficient security to let an end user log in from an Internet café. Even if a Trojan horse is monitoring all of a PC's keystrokes and capturing everything on the screen, a hacker wouldn't be able to use the discovered password, since it would work only once.
For more sensitive applications -- such as online banking -- the challenge/response capabilities of USB keys provide much better security. No Trojan-horse program could understand the long digital strings that make up a secure challenge, much less formulate the exact arrangement of bytes that would make up the calculated answer.
A hacked public terminal might still be able to capture the text of your e-mails, your bank balance, or whatever else you display on the screen. But it would be impossible for the hacker to log in to your e-mail account and send e-mails under your name -- or log in to your bank account and send all of your money to Russia.
Verisign's Griffiths says a rollout of secure tokens -- including the use of Verisign's 24/7 back-end server that can lock out lost and stolen Flash drives -- will cost a company only $25 to $35 per year per user for 5,000 users. That sounds to me like a bargain, if it eliminates the use of passwords and any eavesdropping on them by hackers.
Unfortunately, there's no program at the current time that allows an individual consumer to purchase a USB Key and then demand that his or her bank start supporting it as a form of identification.
Until that day comes, I recommend against using a public terminal to log in to your e-mail account without one-time passwords -- and against logging in to your online bank account without full challenge/response authentication.
Wait, you might say. If this catches on, what will keep consumers and corporate travelers from having to carry around a fistful of different USB keys to log in to different servers?
A standard is on the way that will allow a single key to work on all servers. That'll be the subject of my next column on Jan. 11, 2005, after the holiday break.