How can "USB stick" online identification possibly work?

Question

My bank recently revamped its website, and it changed for the better as far as I’m concerned. Especially, security seems to have been dramatically enhanced.

Most importantly, they introduced a rather unusual (I’ve never seen this before) identification method, which they call the ‘electronic certificate’. Basically, you have to go to the bank in person and the guy gives you a tiny, cheap USB stick with a very low capacity. From this point, you’ll be required to plug the stick into your computer every time you want to log in. The stick alone is not enough, you also have to type your password — basically, 2-factor-authentification with a USB device being the second factor.

How can this possibly work? Of course, I believe the USB stick to contain certificates/encryption keys of some kind, that are used in the login process, but they don’t require the user to install any software on the machine. I find it rather creepy that a website accessed from a sandboxed web browser, with no plug-in/module/app/toolbar installed whatsoever, can see the USB stick you just plugged in. And not only see this stick, but read it and use its content deeply enough to log you to the most sensitive level of your online banking app.

I am not a big fan of plugging unknown devices into my computer to begin with, and my warning light flashed when this was explained to me, so I went for another identification method (you can choose). I’m just curious.

PS: the measure obviously does not apply to their mobile apps, since smartphones don’t have USB ports, but that’s not a big deal because you cannot do much with their phone app (it's mainly a consultation app, not something you can actually make big payments/transfers with).

Edit: no open file dialog is used, which would make the explanation quite clear.

Answer 1

What your bank gave you is an USB security token with a digital certificate (like these). These are standardized hardware devices which almost every operating system supports plug&play out of the box. They are very common for implementing multi-factor-authentication to high-security systems in enterprise IT.

Your web browser uses HTTPS with client-based certificates to access your bank's website. It uses your operating systems certificate store to find an installed certificate which matches the identity the webserver requests. When you have a standard USB security token installed, the operating system will also look for any certificates on the token.

The operating system can not do the verification process with the webserver by itself, because the token doesn't allow to read the private key of the certificates stored on it directly. The token includes the hardware to do the verification. So the private key never leaves the USB stick. That means even if your PC is compromised by malware, the private key of the certificate isn't in danger of being stolen (but keep in mind that this method doesn't provide any protection after the authentication was successful. Malware can still screw with your web browser).

By the way: Which bank is that? If my bank would also support this authentication method, I might even start doing online banking.

Answer 2

One way it could work is that Chrome supports FIDO U2F without plugin. Given that now Chrome is now the most popular browser and that Chrome runs on Windows, Mac, and Linux, it's not totally incorrect to claim that "it works in any device that has a USB port, Windows, Mac, Linux and more, and to work out of the box".

Did they claim that it works in any browsers or just any OS?

Answer 3

....they don’t require the user to install any software on the machine.... I thought that the ability for a webpage to browse the file system freely without user action is too commonly restricted by default

Yes, that should definitely not be possible without smartcard drivers. This is a fundamental security mechanism of any browser. What gives the clou that the certificate is read without clicking an "open file" dialog, a Java dialog or pre-installing drivers? You said you chose another verification option.

This sounds like the USB key used, for example, by the Bank Of China. Such technology is described here.

was said to be compatible with "any device that has a USB port"

Having a PKCS#11 cert, or a #12 to combine with a passphrase will work on all OSses. This is the same way password managers like keepass work, combining something you know with something you have to get 2 factors of authentication.

Answer 4

It's probably just a USB smartcard reader, with inserted SIM sized smartcard.

Manual installation of drivers is not needed since at least generic drivers for both reader and card are already installed in most modern OSs.

See the image below for example of such device:

There is certificate with private key stored on that SIM smartcard inside reader. When you plug it in the computer, that certificate from smartcard gets loaded into OS certificate store. From there on it basically behaves just like any other certificate which is saved on computer and can be used for accessing secured resources, signing documents/mail, encrypting stuff, etc.

This one in particular is issued by Cert Authority which is trusted by my bank (web banking) and State (mostly used by me for IRS related stuff and requesting real documents).

Answer 5

It's most likely a device that pretends to be a keyboard and is thus recognized by any OS without requiring special drivers. Internally, it would probably use HOTP (or TOTP, if it had an RTC chip and a battery) and just "type" the OTP each time the button is pressed, like a Yubikey or similar U2F device.

The browser doesn't talk nor know the USB is there; it just instructs the user to press a physical button on the device (to tell the device to "type" the code, as the browser itself can't talk to it) and then interprets whatever keystrokes (up to the length of the code) it receives as coming from the device.

Answer 6

Sounds like a theoretical idea I had about a decade ago.

Pretty much every OS supports USB network devices. Your USB stick may pretend to be a network card, connected to a a local network, with a webserver on that network too. That webserver can have HTTPS certificates, too.

Your webbrowser can make HTTPS requests to that webserver, and discover that the USB stick and bank website trust eachother. This isn't considered a sandbox escape, because neither the browser nor the OS know that the webserver is actually on the USB stick.

IP warning: to the best of my knowledge, my former employer holds a patent on this idea in most jurisdictions. Contact a patent attorney before copying this idea.

Answer 7

As some of the other answers mentioned, this is most likely a USB security token. Think of it as a smart card reader + embedded smart card (and sometimes they are actually implemented this way). Think CAC card used by US defense organizations. Think PGP card. Some Yubikey models also support acting as a smart card.

This kind of devices is widely used by banks in China to protect their online banking website / desktop client software, and my answer is mostly based on my personal experience using these tokens in China.

How do you use it?

When you sign up for online banking and opt for a USB token, the bank gives you the token, creates a public/private key pair and your personal certificate, and load those into the token. You set a password on the token, which is separate from your online banking login password.

You install the driver provided by the bank on your personal computer, plug the token in, and navigate to the bank's website. Whenever you log in or perform a sensitive operation (transferring funds, changing contact information, authorizing online purchase, etc.), the browser / operating system prompts for your token password, the light on the token blinks for a few seconds, and the transaction goes through.

Wait, I have to install drivers?

Yes. The Windows operating system has a standard smart card interface, but each model of USB token still requires a driver. Very rarely, Windows Update will install the correct drivers for you, but in most cases you will have to download a package from the bank's website.

Often the only supported operating system is Windows, and the only supported browser is IE. (They like them some ActiveX.) It is certainly possible in general for smart cards / USB tokens to support other OS / browsers, see CAC card above; you have to check compatibility with your own bank.

So how does it authenticate you?

The browser asks the OS to ask the token to sign a small piece of data (perhaps your transaction details). The token signs it, using your private key and certificate. The browser sends the signature to the bank. The bank verifies the signature, and is satisfied that only the token they gave you have the private key to produce this signature.

The private key never leaves the token. If properly designed, the token should never divulge the private key.

Answer 8

First of all, let me state that I am quite skeptic of the claim by a non-technical employee that it works on "any device that has a USB port", regardless of browser or OS. I wouldn't be surprised if the supported OS turned out to be just a couple of Windows versions (and, maybe, MacOS). However, it is interesting to think how such a device could work.

Most solutions not requiring drivers, like the André Borie proposal of a usb keyboard, would require however some extra interface (like a hardware button).

Still, the post of user2720406 gave me an idea for a device that would indeed work [on certain places] for any [switched on] device that has a USB port:

The usb device would simply a contain a SIM card, using that to access the internet on its own through GPRS/3G. Then the device would simply send digitally signed messages of «Customer with token 12312121 is using online banking». The online session is not allowed unless one was received in the last 5 minutes (plus maybe other factors, like the IP of the customer having a similar geolocation to the IP of the device). Thus, the usb port would only be used for power, and the device be completely independent on what is installed on the computer.

Answer 9

This sounds like a Yubikey. They're well known and work great. https://www.yubico.com/products/yubikey-hardware/yubikey4/

• Regarding not needing drivers: The Yubikey identifies itself as a keyboard so any machine with a keyboard driver can read the text output from it.
• How it works: You push the button and the Yubikey issues a public key (from a secure private key embedded in the device). The bank can then authenticate you and confirm that you have the thing you know (your password) and the thing you have (your physically secured private key).

• Why it's secure: It's not possible for software on your computer to get access to your private key so malware cannot copy the key and pretend to be you. It would have to be physically stolen from you. (which is possible, but that's why you pair it with something you know)

• Who uses them and why: Google helped design the yubikey so they could solve the problem of malware on a computer grabbing local credentials while the user was not present. Every Google engineer has one. I've used them for years and deployed numerous 2fa solutions around them.