Swekey OTP token

(Updated: 10 Jan, 2010)

We would like to present a new OTP token that recently came to us from France: Swekey. Its manufacturer, Musbe, Inc (France), promotes it as an easy-to-use and inexpensive OTP (One Time Password) token for accessing web resources. The Swekey business model is a premium subscription service for Swekey OTP authentication through the Musbe web site.

Support for this token was added to Rohos Logon Key 2.7 (beta). Rohos supports both offline and online use cases for this token (validating just the Swekey ID, or OTP validation on the Musbe web site).

Mac users can already use Swekey in Rohos Logon Key as a ‘USB flash drive’ device, because Swekey contains an onboard serial number.

The main features of Swekey:

  • Price is $15 (promised to be even cheaper)
  • Does not require drivers for Windows. To be more exact, drivers are still needed, but they are on the device (when it is connected to a computer, a CD-ROM device appears that contains the necessary drivers).
    The CD-ROM contains a driver and a small component that downloads other software from the Musbe, Inc server: this may be plugins for Internet Explorer, Mozilla and other browsers, depending on the OS.
  • Supports Windows, Mac and even Linux (and browsers on these platforms).
  • Implements a mutual challenge-response mechanism to establish the authenticity of the key.
  • You may use an additional password (two-factor authentication) to access a Swekey-aware service.
  • Swekey already supports more than a dozen popular web services (OpenID, SquirrelMail, Joomla, WordPress, Drupal, SSH, Mantis, OpenSSO, Magenta, MediaWiki, phpMyAdmin, phpBB …). By support we mean that it has plugins for these systems.
  • You can integrate Swekey login even into a site's usual password login form.
  • Upon unplugging Swekey from your computer, the web site can immediately close the session, because there is a Swekey plugin for the web browser.
  • Possibility of restoring and revoking a lost Swekey.

When generating an OTP, the token uses a random value provided by the server, as well as some information on your local computer. OTP validation is carried out on the Musbe server.

According to Luc Andre, head of the company Musbe, the main advantages of this token are:

  • Low price of the token
  • Automatic installation of Swekey (Windows)
  • Supports all web browsers for Windows, Mac, Linux
  • A Swekey web site can recognize the moment the token is connected and log the user in automatically, and disconnect when Swekey is unplugged.
  • Immediate lock or replacement of a lost key
  • Swekey authorization supports the case when the user has forgotten his Swekey at home

The Swekey sample was provided to us by Musbe Inc.

Security Evangelist Dr. Fredrik Bjorck shares a security review of the YubiKey OTP token in his blog. The issues that were found can also be compared against Swekey:

  • Swekey is a read-only device. Its internal configuration is burnt into hardware.
  • Swekey can create and send OTP information over the Internet without the user's permission or knowledge. As soon as you visit a Swekey-aware web site, the installed web browser plugins try to connect to Swekey and perform the authentication.
  • Swekey-generated OTP traffic cannot be reused to authenticate again, because it is based on a mutual challenge-response mechanism. But since the code is closed-source, there is no guarantee that it contains no security holes.
  • Swekey doesn’t have auto-navigation (auto-typing characters like a keyboard), and thus it cannot do potentially bad things (like auto-typing a URL or a command line to download and execute malicious code on the computer).
  • A lost Swekey doesn’t mean that access is compromised, since 1) it may be protected by a PIN code, and 2) any particular Swekey device can be revoked and replaced quickly via the web.
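
The properties described above (an OTP derived from a server-supplied random value, validation on the server, no reuse of captured OTP traffic, and revocation of a lost key) can be sketched as follows. This is an added illustration, not Swekey's or Musbe's code: the token's algorithm is closed-source, so HMAC-SHA256 over a shared secret is swapped in as an assumption, only the server-verifies-token direction is shown, and the class names, token ID and 60-second challenge lifetime are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds a challenge stays valid (assumed value)


class Token:
    """Stand-in for the hardware token; the secret never leaves it."""

    def __init__(self, token_id, secret):
        self.token_id = token_id
        self._secret = secret

    def respond(self, challenge):
        # OTP = keyed MAC over the server's random value (assumed algorithm).
        return hmac.new(self._secret, challenge, hashlib.sha256).hexdigest()


class ValidationServer:
    """Stand-in for the validation service; each challenge is checked once."""

    def __init__(self):
        self._secrets = {}     # token_id -> shared secret
        self._pending = {}     # token_id -> (challenge, expiry time)
        self._revoked = set()  # token_ids reported lost

    def enroll(self, token_id, secret):
        self._secrets[token_id] = secret

    def revoke(self, token_id):
        self._revoked.add(token_id)
        self._pending.pop(token_id, None)

    def new_challenge(self, token_id, now=None):
        now = time.time() if now is None else now
        challenge = secrets.token_bytes(16)
        self._pending[token_id] = (challenge, now + CHALLENGE_TTL)
        return challenge

    def validate(self, token_id, otp, now=None):
        now = time.time() if now is None else now
        # pop() consumes the challenge whether or not the check succeeds,
        # so a captured OTP can never be presented a second time.
        challenge, expiry = self._pending.pop(token_id, (None, 0))
        secret = self._secrets.get(token_id)
        if challenge is None or secret is None or now > expiry:
            return False
        if token_id in self._revoked:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, otp)
```

Because the server draws a fresh challenge for every login, an OTP observed on the wire matches neither the consumed challenge nor any later one.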