USB tokens are the perfect vectors for two-factor authentication, where two
types of identification are required to give a user access to a Web site.
But they need help to work. They need readers, drivers and
sundry middleware that let the token connect to a Web server and give
users access to Web sites.
Gemalto North America is trying to change that, unveiling at the RSA
Conference 2007 today a USB token device that comes loaded with its own
software to safely connect users to the Internet.
Billed as an “infrastructure-less” device, the Network Identity Manager
(NIM) card is designed to help consumers tap into and conduct transactions
with bank Web sites, online community portals and other Web sites where
security is crucial.
NIM plugs into a USB port, works with a standard browser, runs on any PC and
does not require any software installations or downloads, said Francois
Lasnier, vice president and general manager of security for Gemalto.
[Image: NIM without the infrastructure. Source: Gemalto]
NIM houses a processor-based network computer and TCP/IP-based Internet
software, so the onus of security is not on the PC it is plugged into,
but on the token itself.
The token, designed to work in offices, hotels and office centers that
block downloads and software installations for their own protection,
verifies Web site authenticity and establishes an encrypted browser session
directly between the NIM and the online business.
Once NIM is plugged into a USB port and a browser is called up, owners
enter their PINs on a keypad on the browser to unlock the NIM, which
presents a list of Web site links.
Users select their Web destinations as they normally would by
clicking a link in the browser window. The NIM then uses its onboard
computer and Internet software to bypass the PC and any Internet address
look-up servers to directly access the desired site and use a certificate to
make sure it is authentic.
NIM then sets up a secure tunnel directly between the NIM and the site using
standard Internet security to protect the user.
Such self-contained security protects owners’ online identity by eliminating
exposure to Trojans, phishing and “man-in-the-middle attacks,” where an
attacker reads and modifies messages between two parties without either
party knowing that the link between them has been compromised.
The PIN also blocks anyone other than its owner from using the NIM,
protecting lost or stolen devices from misuse, and the device locks itself
after a few wrong PIN entries.
Gemalto expects NIM to be a salve to the current headaches of strong
authentication smart cards and USB tokens, which require software to be
downloaded on a computer in order to allow the device to work with it.
The company hopes the token will give it a leg up against smart-card and
token vendors such as RSA Security, Germany’s Giesecke & Devrient and
France-based Oberthur Card Systems.
Lasnier said NIM has already garnered strong industry support.
The token supports the VeriSign Identity Protection (VIP) Network, which
means consumers can use a VIP-enabled Gemalto NIM to communicate with others
in the network, including PayPal, eBay and Yahoo.
While NIM is initially being targeted for the consumer space, Lasnier
acknowledged that Gemalto believes enterprises will eventually come around
to using the token once it proves its value in the consumer market.