Is this the future of online security? Why uQontrol thinks its Qkey is different

Startup launches affordable 'three-factor' authentication for the masses

US-based startup uQontrol has pre-launched what it claims is the world's first 'three-factor' authentication token consumers can use to secure online shopping transactions and personal data from sophisticated man-in-the-middle attacks, keyloggers and phishing trickery.

Outwardly the Qkey is a metal USB stick in a key shape, but a closer look reveals an embedded EMV chip of the sort Europeans have been using for a decade on credit and debit cards but which is only now being offered to US consumers.

Users first add their credit card data, shipping information and preferred websites to the Qkey through a dedicated browser interface; this data is then stored in an encrypted state on the device's 4GB of storage.

Using the Qkey to buy something from a website requires first inserting the device into any Windows PC (Mac support is promised), then firing up the secure browser after entering a strong master password (factor one). Users next choose a card from the digital wallet interface, after which a one-time PIN is sent to them via mobile device (factor two). After entering the PIN, the key must be physically tapped to confirm payment (factor three).

The three-factor layering is important. If a thief gets hold of the physical key, to proceed they would need both the master password to access the wallet and the user's mobile device to receive the PIN. Any two of those won't work - guessing the password incorrectly more than three times renders the key unusable. Each Qkey is unique to each user so having a random Qkey makes no difference.

As for mobile, the Qkey will work today with Windows OS devices, with support for Android and iOS promised for the near future. The Qkey will connect to these using built-in NFC, an upgrade that will be enabled later in 2015, the firm said.

Although probably not hard to use, the firm still has a job on its hands explaining some of the possible complications.

What happens if the Qkey is lost or the user forgets the master password? Forgetting this data will require a reset by uQontrol, a process one assumes to be extended because of the obvious need to authenticate every caller. As for the data stored on the device, one encrypted backup is allowed on a designated 'home' PC.

"Just like chip and PIN cards are being introduced this year to secure retail transactions, we created a chip and PIN key with the same micro-chip technology to make online purchases more secure," said uQontrol founder and CEO, Christopher Maus.

"Then we went one step further and designed an ideal online shopping experience that's not only more secure but also easier, faster and more engaging."

According to Maus, the Qkey emulates a chip and PIN terminal for online shopping, something the credit card industry has been trying and failing to do for a decade, mainly because it added too much expense and complexity for the average consumer to put up with.

On that topic, the Qkey currently costs $79 (including shipping) for early adopters wanting the Premium version but will revert to $129 after 17 April. That price includes a second Qkey 'basic' to give to a friend or family member. A free replacement key is also part of the deal, although after year one an ongoing subscription fee of $49 is necessary to retain premium features.

The design is clever but will its target market grasp the benefits?

That could be a tough sell, as might the $129 upfront cost and ongoing subscription fee. Currently, the product still has some way to mature and you suspect it will need to offer support for Mac as well as PC and both major mobile platforms to stand a chance of gaining traction. Note that delivery timescales are stated as being 120 days from the April deadline, which might put some people off.

For now at least the Qkey seems unlikely to become a mass-market product and its business model might need an institutional partner if it is to establish itself. It could also do with a rival to legitimise the approach to security - currently there is no other product quite like the Qkey.

What isn't in doubt is that online consumer security is in need of a shot in the arm. Too many people are being ripped off by the vulnerability of Windows computers and the lack of an adequate, affordable, convenient system for authenticating people on the Internet.

The Qkey might or might not be the answer but, with so much insecurity about, it has a chance.
