Overview
UmiKey is essentially a USB keyboard. When there is a triggering event, such as
pressing the UmiKey button or inserting it into a USB port, it simulates user
keystrokes and types out its universally unique UmiKey ID followed by a one-time
password (OTP).
Based on the UmiKey ID, we know which user or product it corresponds to.
Based on the UmiKey OTP, we can verify that it is a legitimate UmiKey.
Because UmiKey identifies itself to the PC as a USB keyboard, it requires no
device driver and no software installation. Any PC that accepts an external USB
keyboard can use UmiKey outright.
UmiKey generates an OTP that is different each time and can be used only once,
so it is immune to password stealing: a captured OTP is of no use a second time.
Only the UmiKey validation server in the backend can validate the legitimacy of
the OTP generated by a UmiKey.
Demo
When UmiKey is used together with the user's static password to log in to a web
site, the result is strongly secured two-factor authentication.
Even if the UmiKey is stolen, the thief does not know your PIN. After a few wrong
guesses, the UmiKey is revoked by the web site backend or the validation server.
It works just like your ATM card: the thief does not know your ATM card PIN.
Analyze the UmiKey OTP
Ver.   UmiKey ID      OTP
eced   hlgcfkllvnln   kgddtculvvhjjthurfffkhbhgjftdeed
eced   hlgcfkllvnln   hurdrtnhhhdjeilrujcrdnhfeldbgchk
eced   hlgcfkllvnln   tunfdfgrciejjnbvdeudrvlcrntgeidk
...    ...            ...
- Characters 1-4 (eced): UmiKey version
  (eced: UmiKey 2.0; ecee: UmiKey 3.0)
- Characters 5-16 (hlgcfkllvnln): UmiKey ID
  (each UmiKey ID is universally unique and fixed; it never changes on a UmiKey)
- Characters 17-48: one-time password
  (different each time, can be used only once)
* Because of customer demand, a UmiKey can be configured by the UmiKey writer to
generate a fixed password instead of an OTP.
How to Validate the UmiKey OTP?
Your web site or application makes an HTTP GET call to send the generated OTP to
the UmiKey validation server. The server uses the same symmetric crypto
algorithm to decrypt the incoming OTP and examines and validates each component
inside it.
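Added example (not UmiKey's own code): a Python parser for the 48-character layout described above, together with the "can be used only once" check a validation server applies. It uses the three OTPs from the table as constructed input and assumes the key types only lower-case letters; the AES128 decryption of the 32-character segment and the checks on its inner fields belong to the validation server and are not reproduced here.

```python
"""Added example: parse a UmiKey keystroke string and reject reused OTPs."""
import re

# Constructed sample input: the three rows of the table above, as typed by the key.
SAMPLE_OTPS = [
    "ecedhlgcfkllvnlnkgddtculvvhjjthurfffkhbhgjftdeed",
    "ecedhlgcfkllvnlnhurdrtnhhhdjeilrujcrdnhfeldbgchk",
    "ecedhlgcfkllvnlntunfdfgrciejjnbvdeudrvlcrntgeidk",
]
VERSIONS = {"eced": "UmiKey 2.0", "ecee": "UmiKey 3.0"}  # version codes from the page
TOTAL_LEN = 48
ALPHABET = re.compile(r"^[a-z]+$")  # assumption: the key types lower-case letters only


def parse_umikey_otp(typed):
    """Split a 48-character string into (version, umikey_id, otp_segment).
    Raises ValueError if the layout described on this page is not met, so a
    malformed string is rejected before any round trip to the validation server."""
    s = typed.strip()
    if len(s) != TOTAL_LEN:
        raise ValueError(f"expected {TOTAL_LEN} characters, got {len(s)}")
    if not ALPHABET.match(s):
        raise ValueError("unexpected characters in UmiKey string")
    version, umikey_id, otp = s[:4], s[4:16], s[16:]
    if version not in VERSIONS:
        raise ValueError(f"unknown UmiKey version code {version!r}")
    return version, umikey_id, otp


class ReplayGuard:
    """Remember accepted OTP segments per UmiKey ID and refuse any repeat.
    This enforces "can be used only once": a captured keystroke sequence is
    worthless once the legitimate login that typed it has been accepted.
    Assumption: the real server also decrypts the segment with the key's
    AES128 secret and checks the fields inside; that step is not shown here."""

    def __init__(self):
        self._seen = {}  # umikey_id -> set of OTP segments already accepted

    def accept(self, typed):
        """Return True for a fresh, well-formed OTP; False for a replay."""
        _version, umikey_id, otp = parse_umikey_otp(typed)
        used = self._seen.setdefault(umikey_id, set())
        if otp in used:
            return False  # same OTP presented a second time
        used.add(otp)
        return True
```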
UmiKey Security
- The crypto algorithm is AES128:
A brute-force attack on AES128 takes 2^128 tries. Each try has a chance of
1/340,282,366,920,938,463,463,374,607,431,768,221,456 of breaking it.
Even at 1 billion x 1 billion calculations per second,
it takes 10,000,000,000,000 years to break it!
- UmiKey Validation Server:
All UmiKey secrets are encrypted, and the encryption key is kept inside a hardware crypto device.
All validation servers require two-factor authentication to log in,
and we audit daily usage records to spot suspicious behavior quickly.
- Hardware Security:
UmiKey hardware and its tools encrypt the secrets both in storage and during communication.
The secure IC we use zeroizes all data if the package is cracked open.
About UmiKey Mobile
When USB ports are unavailable, UmiKey Mobile uses the same UmiKey crypto
secret seed with the HMAC algorithm to generate a shorter OTP and delivers it
to the screen of a smartphone, or as a short message to any mobile phone.