Dig Sig Bill: A Dongle In Every Pocket?

Do you carry a dongle? Probably not, but people in the hardware security business are more optimistic than ever that all of us will soon own one, or will carry a similar palm-size device that will authenticate our identities online.

The passage of electronic signature legislation in Washington has given new hope to smart card makers and other manufacturers of security hardware - including dongles (which are now used primarily to prevent software piracy) and other security tokens and key fobs.

The idea is that after Oct. 1, when digital signatures will be recognized as legally binding (assuming President Clinton's signature on the bill comes soon), people will gain interest in owning smart identification devices, and will begin taking them for granted like the keys and cards that give access to their homes, cars, and bank accounts.

The new law means a lot of things to the banking industry. People will be able to open online accounts without snail-mailing signed paperwork. Electronic purchasing will grow just that much easier.

But it is truly a bonanza to the companies that have been laboring in vain to introduce smart cards to the jaundiced American public. Indifference and the seeming lack of need for this technology foiled efforts to introduce smart cards for micropayments in retail stores. Could there finally be a business case?

"As people start to do more activity as enabled by the new digital signature legislation, you're going to see more and more business justification for hardware tokens and biometrics," predicts Kawika M. DaGuio, head of the Financial Information Protection Association and founder of a software company called OS Crypto Inc. "Because when you do more interesting things with more money associated with it, you need more security."

As business-to-business transactions are completed with electronic signatures only, nobody is going to want to "buy $1 million of steel from USX from a machine protected by Windows 98 and a password," said Mr. DaGuio, a former executive at the American Bankers Association. "Passwords are not working, and they haven't worked for a long time. There are going to be more people carrying more hardware, and more authentication and identification technology."

These devices take several forms and come from a variety of companies - RSA Data Security, Litronic Inc., Datakey Inc., and Rainbow Technologies, to name a few. But the universal thread is that they hold a person's private key inside the device and will not use it to sign anything until the owner enters a personal identification number.

It is considered much riskier to store your private key - the key to your digital signature - on a personal computer, where anyone who learns your password, or who simply copies the key file, can use it. There is also more potential liability for the other party in the transaction.

A lot of people are worried that the digital signature law will lead to massive fraud and identity theft, because anyone who can gain access to your private key - or copy it - can masquerade as you. Advocates of hardware-based security devices say that nothing is foolproof, but that smart cards and their ilk can vastly improve the PC-based security systems out there now - especially if a biometric identification, like a finger image, is added.

A PIN on a card is much safer than a password on a computer, says Merzad Madavi, vice president of information security and e-commerce for Schlumberger, the chip card manufacturer. Though passwords can be cracked by brute-force "dictionary attack" programs or intercepted by "spoofing" programs, "you can't have a dictionary attack on a card," Mr. Madavi said.

"A card's PIN number is very secure. You can set it for three trials, and the card locks up - it basically blows its brains out."
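The contrast Mr. Madavi draws, a password-protected key file that can be copied and attacked offline versus a PIN on a card with a retry counter, is easy to show in code. The following Python is an added example written for this page, not code from the article or from any of the vendors it names. It uses a 32-byte random secret as the "private key", XOR with a PBKDF2-derived key as a stand-in for the keystore's cipher, and HMAC as a stand-in for an on-card RSA or ECDSA signature; the word list and the PIN "7391" are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for an attacker's dictionary.
DICTIONARY = ["123456", "password", "qwerty", "letmein", "1234", "0000", "steel", "bank"]


class SoftwareKeystore:
    """Private key kept on a PC, encrypted under a password-derived key.

    Whoever copies the file can try passwords offline at full speed; nothing
    counts or limits the guesses. XOR with a 32-byte PBKDF2 output stands in
    for a real cipher; the structure, not the cipher, is the point.
    """

    def __init__(self, private_key: bytes, password: str) -> None:
        assert len(private_key) == 32
        self.salt = os.urandom(16)
        kek = self._derive(password, self.salt)
        self.blob = bytes(a ^ b for a, b in zip(private_key, kek))
        # Tag lets a decryptor (or an attacker) recognise the right password.
        self.tag = hmac.new(kek, b"keystore-check", "sha256").digest()

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def unlock(self, password: str):
        kek = self._derive(password, self.salt)
        probe = hmac.new(kek, b"keystore-check", "sha256").digest()
        if not hmac.compare_digest(probe, self.tag):
            return None
        return bytes(a ^ b for a, b in zip(self.blob, kek))


def offline_dictionary_attack(store: SoftwareKeystore, candidates):
    """Attacker holds a copy of the keystore file and tries every candidate."""
    for guess in candidates:
        key = store.unlock(guess)
        if key is not None:
            return guess, key
    return None, None


class HardwareToken:
    """PIN-gated token: the key never leaves the device, and a retry counter
    zeroizes it after MAX_TRIES consecutive wrong PINs."""

    MAX_TRIES = 3

    def __init__(self, private_key: bytes, pin: str) -> None:
        self._key = private_key
        self._pin = pin
        self.tries_left = self.MAX_TRIES

    @property
    def locked(self) -> bool:
        return self._key is None

    def sign(self, pin: str, message: bytes) -> bytes:
        if self.locked:
            raise PermissionError("token locked: key zeroized")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.tries_left -= 1
            if self.tries_left == 0:
                self._key = None  # the card "blows its brains out"
            raise PermissionError(f"wrong PIN, {self.tries_left} tries left")
        self.tries_left = self.MAX_TRIES
        # HMAC stands in for a real signature computed inside the card.
        return hmac.new(self._key, message, "sha256").digest()


def online_pin_attack(token: HardwareToken, candidates, message=b"x"):
    """Attacker holds the token but not the PIN; each guess is one API call."""
    attempts = 0
    for guess in candidates:
        attempts += 1
        try:
            token.sign(guess, message)
            return guess, attempts
        except PermissionError:
            if token.locked:
                break
    return None, attempts


def demo():
    key = os.urandom(32)
    store = SoftwareKeystore(key, "letmein")          # weak password, key on disk
    pw, recovered = offline_dictionary_attack(store, DICTIONARY)
    token = HardwareToken(key, "7391")                # constructed PIN, same key on a token
    pin, attempts = online_pin_attack(token, DICTIONARY)
    return {
        "software_password_found": pw,
        "software_key_recovered": recovered == key,
        "token_pin_found": pin,
        "token_attempts_before_lock": attempts,
        "token_locked": token.locked,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same eight-word dictionary recovers the software-held key on the fourth guess, because the attacker is checking a copied file and nobody is counting. Against the token it gets three API calls before the key is gone, and it never sees the key at all, only signatures. The caveat a practitioner would add is that the retry counter only helps if the PIN is not written on the card and the token's own firmware is trustworthy; the card raises the cost of a stolen credential, it does not make the credential unstealable.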

With so many industries excited about the prospects of paperless signature - insurance companies needing claim forms, lawyers hoping to exchange documents online - smart cards are "the only way to provide the nonrepudiation aspect of this thing," Mr. Madavi said. "I think that is going to be a fantastic opportunity for smart cards."

Bill Bialick, director of technical marketing at Spyrus, a company that sells public key infrastructure systems, agreed that the digital signature law, combined with American Express Co.'s heavy advertising for its Blue chip card on prime time television, accomplished more than the marketing departments of his company and its competitors could ever hope to achieve. "If nothing else, American Express showed the world what a smart card is," he said.

"Now that digital signatures have been legitimized, put in the mainstream, how do people actually use them?" Mr. Bialick said. "People have been using them in browsers for quite a while now - some without even knowing it - but everyone who understands the issues has been advocating hardware as a way to protect those private keys."

At the suggestion that consumers were content with Secure Sockets Layer encryption of account information for online commerce, Mr. Bialick laughed.

"People are happy with SSL because it's not very invasive to the end user," he said. "The typical end user who is doing an e-commerce transaction is not extremely computer-literate."

While SSL offers some protection of the pipe that connects the consumer client and the merchant's server, "people don't have certificates, so there's no client authentication," Mr. Bialick said.

With hardware tokens "you're going to be able to do things like online banking with a high degree of assurance not only that you're talking to the right bank, but that the bank is talking to the right person," he said.

His company makes hardware tokens that meet a prestigious security specification, one that people in the industry toss off using the acronym FIPS 140-1 level 2 (the Federal Information Processing Standards' security requirements for cryptographic modules, set by the Commerce Department's National Institute of Standards and Technology).

Spyrus makes compliant smart cards and Universal Serial Bus tokens, which are essentially readerless smart cards that plug directly into a computer's USB port. Some companies also make dongles, similar tokens that plug into a USB or parallel port and are used to protect software against piracy.

Fobs and tokens can be worn around the neck or attached to a key chain, so the owner has a portable authentication device that theoretically could be used at any computer or wireless Internet contraption. They're handy.

Smart cards, however, have the advantage of extra real estate: a bank could put its logo on it, or an employer (like the U.S. government, which embraces smart cards) could put the owner's photograph on it. For some people, however, keeping it in a wallet could be a problem, since it could break if it were sat on too often.

Just as U.S. consumers did not demand stored value on smart cards, they will probably not clamor for hardware-based security. Someone buying a rare Pokemon card on the Ebay auction site probably does not need that level of security, while someone buying rare artwork the same way might want it.

Either way, both the legal and the technical infrastructures are falling into place to propel transactions that require industrial-strength security. Wireless technology may also serve as a prod.

"People are starting to do things in e-commerce that they never tried to do before," Mr. DaGuio said. "People will expect more robust passwords, and we expect most of those to be hardware tokens."

MORE FROM AMERICAN BANKER