UmiKey – OTP authentication to the Web and Windows

This time we would like to present another innovative One-Time-Password token -  UmiKey.  This is a small Key-like USB device that doesn’t need any driver on the client. With this token you can sign-in securely into practically any software or hardware system where you have USB Port. When you need to log in you just connect it and press a small button on it to generate One-Time-Password string into any text field (login form).

The token is manufactured in China by a startup company since 2008. They have web site in Chinese and English office in USA.

The token doesn’t require any driver because it works like USB-keyboard chip that generates and auto-types OTP string. So this OTP will appear in a currently focused input filed (On Windows/Mac/Linux etc. systems that support generic USB-keyboard device).
The same “auto-typing” technology is used by YubiKey and pcProx Sonar, AIR ID Writer/Playback devices by “RF IDeas”.

How does it Work

  • When you connect it to USB Port it auto-generates a string:
    “explorer “http://umikey.com/zh_t.php?otp=eceddk….”
    that ends with an OTP value.  As you see this string auto-navigates user to umikey.com first.
    (this behavior can be disabled or changed).
  • Later you can press on a small button on Umikey to generate OTP once again.
  • Umikey generates  OTP based on Encryption algorithm (AES).
  • UmiKey configuration can be changed with a Writer Tool (set static OTP, AES key, auto-navigation, etc.). The good sign is that internal configuration can be protected with a password.
  • See detailed specs and what’s new in the latest Umikey v.3.0.

Umikey OTP is 48 characters length –

“eceddkcjfjjjncctgbtkfhrkgfetbenintekijiedrfhvfee”

It contains UmiKey version, ID and encypted part: the counter, number of button presses, also times of insertion and removal from the USB port, and the crystal ticks counter.

Security Evangelist Dr. Fredrik Björck in his blog shares security review of YubiKey OTP token.  The issues that were found are also related to Umikey. We tested the security-issue when “Generated OTP is valid regardless of time” and it doesn’t work for Umikey as well as for Yubikey right now. While some of issues maybe removed by properly configuring the token others are independent from user-side (they are on the server-side).

Authentication availability

Currently UmiKey is available to authenticate into a few Web services, Password Managers and Windows (see how Rohos Logon Key supports UmiKey).

The UmiKey web site provides a quick and detailed integration guides for web-developers and solution providers.

Umikey Price is 9.99$, a few colors as well as customization options are available. Visit site: umikey.com

Photos

We could say that Umikey better fits into USB port and doesn’t loose contact while you touch it. This is because UmiKey has a non-flat USB connection part.

  • Users won’t insert it up side down to the USB port
  • The button is clickable and therefore token gives user a sense of confidence.

From the Yubikey and slim-sized USB Flash drive experience we know that the Key may loose USB contact for seconds thus making user to reconnect the device.

Let’s compare it with Yubikey OTP token: