Digital identities take many forms. They can be simple credentials such as usernames and passwords, or more complex constructs such as PKI-based X.509 certificates or claims-based assertions carried in SAML tokens. To be genuinely useful in today’s identity infrastructures, an identity device must be more than a secure store of static credentials. It must also be able to generate cryptographic keys, perform digital signature operations, parse request messages and emit security tokens in standard formats. Furthermore, it must bind identity operations to an authenticated user and enforce the security policies defined by security officers.
One doesn’t normally associate these operations with USB storage. In fact, digital identity functions are very different from mass storage, but that doesn’t mean that they cannot exist on the same device, just as digital cameras now exist on cell phones. Despite the differences there are significant benefits to putting digital identity functions on a USB mass storage device.
The obvious question is why this is not simply a matter of building a composite device. After all, digital identity devices already exist in other form factors such as smart cards and, yes, USB key fobs. These could be integrated into the same physical package with relative ease to produce a combined mass storage/digital identity device. The answer is that the benefits go beyond the convenience of a multi-functional device and are attributable to using the USB mass storage protocol itself.
The USB mass storage interface has a number of desirable properties. First, it is ubiquitous. Practically every PC and operating system in use today supports it natively, and there are no device drivers or software to install in order to use a USB flash drive. This is what makes such drives so portable and interchangeable: it doesn’t matter which vendor or brand of USB memory stick you have, as long as the device implements the specification it will work.
Portability has been the Achilles’ heel of smart cards and USB tokens. Wouldn’t it be nice to carry a smart card around without lugging a reader, device drivers and proprietary middleware? Without all of that, the smart card simply won’t work. In fact the situation is worse than that. Even once you have deployed a smart card solution with all of the required components and middleware, you will probably find that it won’t work with another brand of smart card without swapping in new middleware components.
The U.S. Government has addressed these interoperability challenges by developing GSC-IS (the Government Smart Card Interoperability Specification) so that it can deploy smart cards to federal employees without being tied to a single smart card or middleware provider. Despite these and other enormous efforts on standards and interoperability, smart cards have suffered from the lack of widespread adoption of a common specification.