Hardware authentication systems: Swekey vs Yubikey

A double authentication login system using a hardware key is the best security system for people who travel and/or use public computers at Internet cafés and libraries. There is no absolute way to secure your personal data and privacy on a computer that isn’t yours: too many things can go wrong on a networked computer where you do not have administrator rights. Outdated antivirus software, hardware keyloggers and network password sniffers are all dangers that could be present, and you cannot effectively protect against any of them.

When you use a hardware token together with a password to log in to websites, a stolen passcode on its own is useless to whoever steals it. Most passwords are stolen remotely without the user knowing about it, whereas with a hardware authentication token you are likely to notice that the key is missing and can then revoke it.

Swekey double factor authentication system

The Swekey is an authentication hardware token in the form of a USB thumb drive. In order to access a web application such as webmail, an Internet forum or online banking, you need to have the Swekey plugged in first and then enter the correct password for the service. This means that if anyone manages to steal your password they will not be able to log in, because they will still need to have your Swekey.

The Swekey is not a regular USB key: it generates One Time Passwords, and it can’t be hacked because the private key that is used to generate the OTPs cannot be read (physical protection).

Swekey is operating system and browser independent, compatible with Windows, MacOS and Linux whether you use the Internet Explorer, Firefox or Opera browsers. For other more obscure operating systems like Solaris and FreeBSD, Swekey should also work if libusb is present.

SweKey USB hardware token plugged in

When you plug the Swekey into the USB port, your user name is automatically filled in, and you are automatically logged out when you unplug your hardware token.

Swekey is integrated in most popular open source projects like Drupal and Joomla, well known Content Management Systems that power community websites. Internet forums powered by vBulletin, phpBB also support it, and so do open source webmail platforms like RoundCube and Squirrel.

There are specific plugins for Swekey, but it can be used with any OpenID compliant web site. The main problem with hardware authentication tokens is that they need to be supported by the website you use; OpenID already has thousands of sites behind it.

http://www.swekey.com

Update 2015: Swekey is no longer in business, link erased.

YubiKey double factor authentication system

The YubiKey will calculate a new unique passcode each time it is used making it impossible to copy and illegitimately re-use a passcode.

To use this hardware token you just plug it into a USB port, where it acts like a USB keyboard compatible with Windows, MacOS and Linux. The YubiKey has one button which, when pressed, generates a one-time 44-character password.

YubiKey hardware token plugged in

In order to log into a website you must have the physical YubiKey token plugged into your machine and press the button on it to generate a new One Time Password. The generated one-time password can’t be reused or copied and pasted, which prevents malicious hacking attacks if someone captures your login credential. This hardware authentication system can also be used at OpenID websites with YubiKey support enabled.
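How a verification server can refuse a captured passcode, as an added example that is not from the original post or from Yubico's code: it assumes the 44-character string is a Yubico OTP (a 12-character public ID followed by 16 AES-encrypted bytes, typed in the "modhex" alphabet) and that the server has already decrypted those 16 bytes. The AES step is omitted, the token bytes are constructed, and all function and class names are hypothetical.

```python
import struct

MODHEX = "cbdefghijklnrtuv"  # modhex character number i stands for hex digit i

def modhex_decode(text: str) -> bytes:
    """Decode the keyboard-layout-safe alphabet the key types; ValueError if invalid."""
    return bytes.fromhex("".join("%x" % MODHEX.index(c) for c in text.lower()))

def split_otp(otp: str):
    """44 characters = 12-character public ID + 32 characters (16 encrypted bytes)."""
    if len(otp) != 44:
        raise ValueError("expected a 44-character passcode")
    return otp[:12], modhex_decode(otp[12:])

def crc16(data: bytes) -> int:
    """CRC-16 with reflected polynomial 0x8408 and initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def parse_token(plain: bytes) -> dict:
    """Parse the 16 decrypted bytes; a valid token leaves the CRC residue 0xF0B8."""
    if len(plain) != 16 or crc16(plain) != 0xF0B8:
        raise ValueError("bad length or checksum (wrong key or corrupted passcode)")
    uid, use, _ts_lo, _ts_hi, sess, _rnd, _crc = struct.unpack("<6sHHBBHH", plain)
    return {"private_id": uid, "counter": (use, sess)}

class ReplayGuard:
    """Accept a token only if its (usage, session) counter moved forward."""
    def __init__(self):
        self.last = {}  # public ID -> highest counter pair accepted so far

    def accept(self, public_id: str, token: dict) -> bool:
        if token["counter"] <= self.last.get(public_id, (-1, -1)):
            return False  # same or older counter: a captured passcode being replayed
        self.last[public_id] = token["counter"]
        return True

def make_plain(uid: bytes, use: int, sess: int) -> bytes:
    """CONSTRUCTED decrypted token for the demo (fixed timestamp and random field)."""
    body = struct.pack("<6sHHBBH", uid, use, 0x1234, 0, sess, 0xBEEF)
    return body + struct.pack("<H", crc16(body) ^ 0xFFFF)
```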

Why use hardware authentication security

All of these three hardware security tokens are low-cost and highly secure USB authentication devices that I would consider buying if I had to use multiple shared computers. If you only use your home computer for Internet access, having your antivirus and firewall updated daily and configured correctly, together with a good online password manager, should suffice for most people.

The most paranoid can add double authentication for an extra layer of security. I can see its utility for home users too: if someone hacks your favourite website's database and gets your username and password out of it, they will not be able to do anything with the password without the physical hardware authentication token to log in.

These hardware authentication devices all have a way to revoke the key in case you lose it; none of them uses a battery, which makes them highly reliable; and they all use a random One Time Password to log in.

I could not see any major differences between these three hardware-based authentication systems; prices and security are much the same. Probably the most important deciding factor when picking one of them is to make sure that the websites you normally visit support the specific hardware authentication token of your liking.
