US-based startup uQontrol has pre-launched what it claims is the world's first 'three-factor' authentication token consumers can use to secure online shopping transactions and personal data from sophisticated man-in-the-middle attacks, keyloggers and phishing trickery.
Outwardly the Qkey is a metal USB stick in a key shape but a closer look reveals an embedded EMV chip of the sort Europeans have been using for a decade on credit and debit cards but which are only now being offered to US consumers.
Users first add their credit card data, shipping information and preferred websites to the Qkey through a dedicated browser interface which is then stored on its 4GB of storage in an encrypted state.
Using the Qkey to buy something from a website requires first inserting the device into any Windows PC (Mac support is promised), firing up the secure browser after entering a strong master password (factor one). Users next choose a card from the digital wallet interface after which a one-time PIN is sent to them via mobile device (factor 2). After entering the PIN, the key must be physically tapped to confirm payment (factor three).
The three-factor layering is important. If a thief gets hold of the physical key, to proceed they would need both the master password to access the wallet and the user's mobile device to receive the PIN. Any two of those won't work - guessing the password incorrectly more than three times renders the key unusable. Each Qkey is unique to each user so having a random Qkey makes no difference.
As for mobile, the Qkey will work today with Windows OS devices with support for Android and iOS promised for the near future. The Qkey will connect to these using built-in NFC, an upgrade that will be enabled later in 2015, the firm said.
Although probably not hard to use, the firm still has a job on its hands explaining some of the possible complications.
What happens if the Qkey is lost or the user forgets the master password? Forgetting this data will require a reset by uQontrol, a process one assumes to be extended because of the obvious need to authenticate every caller. As for the data stored on the device, one encrypted backup is allowed on a designated 'home' PC.
"Just like chip and PIN cards are being introduced this year to secure retail transactions, we created a chip and PIN key with the same micro-chip technology to make online purchases more secure," said uQontrol founder and CEO, Christopher Maus.
"Then we went one step further and designed an ideal online shopping experience that's not only more secure but also easier, faster and more engaging."
According to Maus, the Qkey emulates a chip and PIN terminal for online shopping, something the credit card industry has been trying and failing to do for a decade, mainly because it added too much expense and complexity for the average consumer to put up with.
On that topic, the Qkey currently costs $79 (including shipping) for early adopters wanting the Premium version but will revert to $129 after 17 April. That price includes a second Qkey 'basic' to give to a friend of family member. A free replacement key is also part of the deal although after year one an ongoing subscription fee of $49 is necessary to retain premium features.
The design is clever but will its target market grasp the benefits?
That could be a tough sell as might the $129 upfront cost and ongoing subscription fee. Currently, the product still has some way to mature and you suspect it will need to offer support for Mac as well as PC and both major mobile platforms to stand a chance of gaining traction. Note that delivery timescales are stated as being 120 days from the April deadline, which might put some people off.
For now at least the Qkey seems unlikely to become a mass-market product and its business model might need an institutional partner if it is to establish itself. It could also do with a rival to legitimise the approach to security - currently there is no other product quite like the Qkey.
What isn't in doubt is that online consumer security is in need of a shot in the arm. Too many people are being ripped off by the vulnerability of Windows computers and the lack of an adequate, affordable, convenient system for authenticating people on the Internet.
The Qkey might or might not be the answer but with so much insecurity about it has a chance.