Gemalto sees online safety in USB smart card

At next week's RSA Conference in San Francisco smart card vendor Gemalto will introduce new technology designed to give online shoppers an easy way to log on to their accounts using a smart card device that plugs into any PC.

Gemalto, based in Amsterdam, is already a major provider of smart cards to government and the enterprise, but the company hopes that its new system, called the Network Identity Manager, will be easy enough to use that it will appeal to consumers.

The USB devices will not require any specialized software and will work with standard browsers and use the same Transport Layer Security (TLS) mechanisms already used by Web sites. Network Identity Manager will also use a "token management system" that will sort out which credentials need to be supplied to different Web sites, and will support Verisign's VIP Network Identity federation framework, according to Gemalto's Web site.

Because the user has to have the smart card device plugged into the PC before logging onto an online bank or e-commerce site, the device will thwart many common identity theft tactics including phishing or keylogging, according to Amol Deshmukh, a marketing manager with Gemalto. "It can create a much stronger link with whatever back-end you're trying to connect with," he said.

Gemalto may face a tough sell, according to Avivah Litan, a Gartner analyst. While, products like the Network Identity Manager will provide protection from many types of attacks, but so far U.S. banks have not been clamoring for this kind of USB device, she said.

Still, as phishing losses continue to rise, U.S. financial institutions have been offering their customers more secure ways to log on to their Web portals. In 2005 ETrade Financial began giving customers RSA Security's SecurID tokens, which generate a random numerical identification number that users must enter in order to log onto the ETrade network. EBay's PayPal plans to introduce a similar system to its customers in the coming months.

But the USB device vendors said that consumers will not be willing to lug around too many of these devices. "It seems very complicated," said Ron LaPedis, a product manager with Sandisk. "Users don't want a plethora of tokens."

Like Gemalto, Sandisk will be promoting USB products that can be used to simplify key management at next week's show, but the Sandisk products will have more of an enterprise focus.

"We're going to be introducing a product that can centrally manage and secure Sandisk USB flash drives and enable secure remote access to the enterprise," LaPedis said.

Sandisk already sells a USB smart card product called the mToken, but unlike Gemalto's Network Identity Manager, the Sandisk device uses flash memory to store applications on the USB device.

Sandisk acquired the mToken technology as part of its November purchase of Msystems and the RSA Conference will give the flash memory maker its first opportunity to discuss what it plans to do following the $1.5 billion acquisition.