Recently I came across YubiKey, which is a hardware token generator from a young Swedisch comapny called Yubico. YubiKey is a small and slim USB device with just one button. If you push it, the device produces a 1-time password and sends it to the server. Compared to token generators in card format, you don´t need to manually enter your 1-time password anymore through a computer keyboard, which makes YubiKey unreachable for trojans directly listening to keyboard entries. One more remarkable thing is, that Yubico offer an identity platform for their device, which already contains an OpenID Server.
If this device holds it´s promise, there should be reason to worry for the other players in the strong authentication market. I wrote a mail to Yubico´s CEO Stina Ehrensvärd, asking for some background and a sample device, and got an answer within minutes. So I´now waiting for the YubiKey and will keep you informed.
Ping
Pong
From what I understand, the One time password is validated by a central server (or a server you hosted yourself). The server software will detect replay attack. So if the OTP is capture and the man in the middle turn around and asked me another and use the 2nd OTP to log me into the site, the 1st OTP is invalidated. If the man-in-the-middle catpured my 1st OTP and just pretend to have dropped it, as long as I re-authenticated with my Yubikey the second time, the 1st OTP is still invalidated.
I have been using the Yubikey now for a while and find it very useful. It’s form factor is more user friendly than a smart card format 1-time token device, it is as easy to use as a fingerprint scanning device, it has been 100% reliable and I can use it on any of my computers. With regards to the man-in-the-middle-attack, it provides the same level of security like all those OTP devices. The only difference is, that I don’t need to type the OTP manually.
You should try the swekey.
With the swekey you don't even have to press a button to get the OTP.
We sites can also detect when the swekey is unplugged to automatically logout users…
Fell free to ask for a free swekey for evaluation.
I feel sorry for you Jen.
I'm part of Musbe, Inc, we designed the swekey authentication key.
We don't have open position to offer yet, but if you want I can send you a free swekey if you want to have a look on the product.