US-based startup uQontrol has pre-launched what it claims is the world's first 'three-factor' authentication token consumers can use to secure online shopping transactions and personal data from sophisticated man-in-the-middle attacks, keyloggers and phishing trickery.
Outwardly the Qkey is a metal USB stick in the shape of a key, but a closer look reveals an embedded EMV chip of the sort Europeans have been using for a decade on credit and debit cards but which is only now being offered to US consumers.
Users first add their credit card data, shipping information and preferred websites to the Qkey through a dedicated browser interface. This data is then held in encrypted form on the device's 4GB of storage.
Using the Qkey to buy something from a website requires first inserting the device into any Windows PC (Mac support is promised), then entering a strong master password (factor one) to fire up the secure browser. Users next choose a card from the digital wallet interface, after which a one-time PIN is sent to them via mobile device (factor two). After entering the PIN, the key must be physically tapped to confirm payment (factor three).
The three-factor layering is important. If a thief gets hold of the physical key, to proceed they would need both the master password to access the wallet and the user's mobile device to receive the PIN. Any two of the three factors are not enough on their own - and guessing the password incorrectly more than three times renders the key unusable. Each Qkey is unique to its user, so having a random Qkey makes no difference.
As for mobile, the Qkey will work today with Windows OS devices, with support for Android and iOS promised for the near future. The Qkey will connect to these using built-in NFC, an upgrade that will be enabled later in 2015, the firm said.
Although the Qkey is probably not hard to use, the firm still has a job on its hands explaining some of the possible complications.
What happens if the Qkey is lost or the user forgets the master password? Forgetting this data will require a reset by uQontrol, a process one assumes to be extended because of the obvious need to authenticate every caller. As for the data stored on the device, one encrypted backup is allowed on a designated 'home' PC.
"Just like chip and PIN cards are being introduced this year to secure retail transactions, we created a chip and PIN key with the same micro-chip technology to make online purchases more secure," said uQontrol founder and CEO, Christopher Maus.
"Then we went one step further and designed an ideal online shopping experience that's not only more secure but also easier, faster and more engaging."