Lead customers to your web site and log them in without even the need to touch their keyboards

Simplicity is power. Without registration and login, with superb convenience and safety, UmiKey builds an intimate tie between your web site and each customer. Customers plug in UmiKey to log in to your site: no software installation, no typing of URLs or usernames. It works on any computer and any OS without any prior setup.


Frequently Asked Questions

1. Is UmiKey a memory stick?

UmiKey is not a memory stick. It is a crypto key to log in to applications or services. It is essentially a USB keyboard device with our crypto firmware inside doing auto-navigation and one-time password generation. It is your secure login key to web sites or applications that accept UmiKey login.

2. What is a one-time password (OTP)? Why can it be used only once? Why does UmiKey generate one? How is a one-time password validated?

Traditionally, a static password remains the same each time you use it. The chance of it being stolen or cracked is high. A standard PC usually needs only a few seconds to crack a human-memorable password. Even worse, if the password is stolen by keystroke-logging malware, bad guys can use it to log in to your account on your behalf.

An OTP is different each time, so password thieves cannot reuse a stolen password. An OTP is derived from a counter or has a counter encrypted in it. The counter keeps increasing on the UmiKey side and the server side. If an OTP is reused, the server will know and UmiKey validation will fail, so a password thief cannot use it to log in to your account.

The validation server validates an OTP with the secret crypto seed, using the same OTP algorithm.

3. How is UmiKey different from other USB crypto keys and one-time password tokens?

Compared with other USB crypto keys and one-time password tokens:
  • No need to install software or device driver to use it. UmiKey is truly portable on all kinds of computers with any OS. Plug in to use it without any prior setup.

  • No battery inside. UmiKey is long-lived and economical compared with RSA SecurID, etc.

  • Software-based tokens are not portable across different computers, and need maintenance whenever the OS is patched, upgraded, or reinstalled. Software-based approaches are also more vulnerable because they don't have hardware-based security built in. The secrets are stored in files on the disk, so they can be analyzed and cracked by hackers.

4. Software and application support

We offer a complete server suite, tools and a development kit so your web site or application can integrate with UmiKey quickly.

Any programming language can be integrated with UmiKey. There is no limit on the development environment.

5. What if I lose my UmiKey?

It is just like losing your ATM card: the thief does not know your PIN, guesses wrong a few times, and then the card is revoked.

Report the loss to your UmiKey issuer, whoever issued your UmiKey to you, and get a replacement.

6. Can I customize my UmiKey?

Yes. You can choose your logo, LED color, body color and what you would like silk-printed on the back.

7. Why doesn't UmiKey use the traditional HMAC, MD5, ... to generate OTPs?

The traditional OTP algorithms are just algorithms that became popular before the Internet did.

UmiKey's algorithm is enhanced and designed for the Internet age:

  • The OTP includes the universally unique UmiKey ID, which binds to a user. So the user doesn't have to enter the username. Many failed login attempts and password recovery requests are due to forgotten usernames.

  • UmiKey uses AES as its primary crypto algorithm, which can run on lower-end processors at a much lower cost. HMAC/SHA1 requires a much more powerful processor, which is very costly!

    Also in 2008, MD5 was denounced by government, banks and enterprises due to its weakness.

    So UmiKey is not only highly secure, but also very affordable, suitable for every user on the Internet.

  • Because UmiKey's OTP inputs itself automatically, it can be much longer without burdening the user. A longer password also increases security.

  • UmiKey's algorithm encrypts not only the UmiKey ID and the counter, but also the number of button presses, the number of insertions into and removals from the USB port, and the crystal ticks. Because of the wealth of information included in the OTP, the validation server knows the working status of the UmiKey well, so it can make an accurate judgement when handling the OTP validation request.

    A traditional OTP must be keyed in by a human, so it cannot be long. In its short 6 digits, it cannot tell the validation server much about its status.
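
The validation flow described in answers 2 and 7, as an added example (not UmiKey's code or wire format): the server finds the seed from the key ID carried in the OTP, decrypts the AES block, and rejects any counter it has already seen. The OTP layout (a plaintext hex ID followed by one AES-128 block), the names record, Validator, MakeOTP and Validate, and the sample ID and seed are all assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Assumed plaintext block (hypothetical layout, not UmiKey's real format):
// [0:6] key ID | [6:10] counter | [10:16] usage telemetry (left zero here).
type record struct{ seed []byte; lastCtr uint32 } // AES seed, highest counter accepted
type Validator map[string]*record                 // indexed by lowercase hex key ID

// MakeOTP plays the key's part: hex(ID) followed by hex(AES(plaintext block)).
func MakeOTP(id, seed []byte, ctr uint32) string {
	pt := make([]byte, 16)
	copy(pt, id)
	binary.BigEndian.PutUint32(pt[6:], ctr)
	blk, _ := aes.NewCipher(seed) // seed length assumed checked at provisioning
	blk.Encrypt(pt, pt)
	return hex.EncodeToString(id) + hex.EncodeToString(pt)
}

// Validate returns the key ID, which stands in for the username.
func (v Validator) Validate(otp string) (string, error) {
	raw, err := hex.DecodeString(otp)
	if err != nil || len(raw) != 22 || v[otp[:12]] == nil {
		return "", fmt.Errorf("malformed OTP or unknown key")
	}
	id, rec := otp[:12], v[otp[:12]]
	blk, _ := aes.NewCipher(rec.seed)
	blk.Decrypt(raw[6:], raw[6:])
	if hex.EncodeToString(raw[6:12]) != id { // wrong seed or altered block
		return "", fmt.Errorf("decryption check failed")
	}
	ctr := binary.BigEndian.Uint32(raw[12:16])
	if ctr <= rec.lastCtr { // reused or stale OTP
		return "", fmt.Errorf("replayed OTP")
	}
	rec.lastCtr = ctr
	return id, nil
}

func main() {
	v := Validator{"010203040506": {[]byte("constructed-seed"), 0}} // sample key
	otp := MakeOTP([]byte{1, 2, 3, 4, 5, 6}, v["010203040506"].seed, 1)
	fmt.Println(v.Validate(otp)) // accepted
	fmt.Println(v.Validate(otp)) // rejected as a replay
}
```

A deployed validator would also persist the last accepted counter and update it atomically, so that two simultaneous submissions of the same OTP cannot both pass.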

8. Can I use one UmiKey to access multiple web sites?

Yes, as long as these web sites use UmiKey's public validation server to validate UmiKeys. Alternatively, multiple UmiKey validation servers deployed outside UmiKey Inc. can sync their counters with UmiKey's public validation server through a trusted link with a digital signature on each request/response, so one UmiKey can be used across multiple validation servers.

But you can always choose to deploy UmiKey's OTP validation server in your intranet.

 