USB tokens are the perfect vectors for two-factor authentication, where two types of identification are required to give a user access to a Web site.

But they need help to work. They need readers, drivers and sundry middleware that enable the token to connect to a Web server to enable users' access to Web sites.

Gemalto North America is trying to change that, unveiling at the RSA Conference 2007 today a USB token device that comes loaded with its own software to safely connect users to the Internet.

Billed as an "infrastructure-less" device, the Network Identity Manager (NIM) card is designed to help consumers tap into and conduct transactions with bank Web sites, online community portals and other Web sites where security is crucial.

NIM plugs into a USB port, works with a standard browser, runs on any PC and does not require any software installations or downloads, said Francois Lasnier, vice president and general manager of security for Gemalto.

NIM without the infrastructure. Source: Gemalto

NIM houses a processor-based network computer and TCP/IP-based Internet software, so the onus of security is not on the PC it is plugged into, but the token itself.

The token, designed to work in offices, hotels and office centers that block downloads and software installations for their own protection, verifies Web site authenticity and establishes an encrypted browser session directly between the NIM and the online business.

Once NIM is plugged into a USB port and a browser is called up, owners enter their PINs on a keypad on the browser to unlock the NIM, which presents a list of Web site links.

Users select their Web destinations as they normally would by clicking a link in the browser window. The NIM then uses its onboard computer and Internet software to bypass the PC and any Internet address look-up servers to directly access the desired site and use a certificate to make sure it is authentic.

NIM then sets up a secure tunnel directly between the NIM and the site using standard Internet security to protect the user.

Such self-contained security protects owners' online identity by eliminating exposure to Trojans, phishing and "man-in-the-middle attacks," where an attacker reads and modifies messages between two parties without either party knowing that the link between them has been compromised.

The PIN also blocks anyone other than its owner from using the NIM, preventing lost or stolen devices from misuse, and locks itself after a few wrong PIN entries.

Gemalto expects NIM to be a salve to the current headaches of strong authentication smart cards and USB tokens, which require software to be downloaded on a computer in order to allow the device to work with it.

The company hopes the token will give it a leg up against smart-card and token vendors such as RSA Security, Germany's Giesecke & Devrient and France-based Oberthur Card Systems.

Lasnier said NIM has already garnered strong industry support.

The token supports the VeriSign Identity Protection (VIP) Network, which means consumers can use a VIP-enabled Gemalto NIM to communicate with others in the network, including PayPal, eBay and Yahoo.

While NIM is initially being targeted for the consumer space, Lasnier acknowledged that Gemalto believes enterprises will eventually come around to using the token once it proves its value in the consumer market.