pam_usbng offers USB authentication for PAM: users authenticate to a system or application with a USB device instead of, or in addition to, a password. The module needs minimal setup and reduces the exposure to password theft or misuse.
One notable feature of pam_usbng is support for rescue devices, which serve as a fallback when the primary device is lost or stolen. The module recognizes when a rescue device has been used to authenticate and can react to that event, for example by immediately locking the old (main) device or by limiting the number of further authentications, among other actions.
Another significant feature of pam_usbng is that a single device can hold a large number of authentication fingerprints for many users, while multiple devices per user remain supported as well. Users may additionally set a passphrase or PIN for the device, giving one- or two-factor authentication; this secret is independent of the password of any system account.
When a USB device is dedicated as an authentication token, almost all of its space remains available for ordinary data storage, even on Windows systems, which commonly do not handle multi-partition flash devices well. pam_usbng also introduces an event-scripting interface that runs user-supplied scripts when authentication events are triggered.
With its physical-dependency feature, pam_usbng checks the authentication device against values stored in the hardware itself, such as the vendor name and serial number reported in the USB descriptor. A thief who copies the authentication data byte for byte onto another device therefore still fails to authenticate, because the hardware identity does not match. Note that this raises the bar rather than closing the door: the descriptor fields can be read by anyone holding the device, and programmable USB controllers can present arbitrary vendor and serial values, so the hardware check is best combined with the passphrase/PIN option rather than relied on alone.
pam_usbng also uses a deliberate layout for the authentication fingerprints: no usernames, passwords, timestamps or other identifying data are stored on the device. The authentication data on the device is valid for exactly one login; after every successful authentication the module regenerates it (the "password-regeneration procedure"), so a copy taken earlier becomes worthless once the legitimate device has been used again.
Rescue devices carry an additional protection: the stored data is indistinguishable from random bytes, so it cannot be determined from the device alone whether it holds any authentication information at all. A thief cannot tell whether the data on the device could serve as authentication data or is simply garbage.
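The following simulation is an added example, not code from pam_usbng itself, that models the three mechanisms described above: binding the on-device secret to the hardware identity (vendor and serial), rotating the secret after every successful login so that an earlier copy is useless, and a rescue device whose use locks the main device. The host stores only a hash commitment, never the secret, and the on-device blob is plain random bytes, so nothing on the stick reveals what it is for. The commitment scheme, the record layout and the token objects are assumptions made for the demonstration; the real module reads the descriptor fields from the USB stack rather than from a Python object, and its on-disk formats are not shown here.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


# --- Simulated hardware and host storage (constructed for this example) ---

@dataclass
class UsbToken:
    """A USB stick: descriptor fields that the host reads from the
    hardware, plus the small data blob that authentication occupies."""
    vendor: str
    serial: str
    blob: bytes = b""      # 32 random bytes; indistinguishable from garbage


@dataclass
class HostRecord:
    """What the host keeps per (user, token): a commitment to the current
    blob and hardware identity. No secret, username or timestamp is on the stick."""
    commitment: bytes
    locked: bool = False
    is_rescue: bool = False


def _commit(blob: bytes, vendor: str, serial: str) -> bytes:
    # Assumed scheme: hash the one-time blob together with the descriptor
    # fields, so a byte-for-byte copy on other hardware hashes differently.
    data = b"pamusb-demo\0" + blob + b"\0" + vendor.encode() + b"\0" + serial.encode()
    return hashlib.sha256(data).digest()


class Host:
    def __init__(self):
        self.records = {}  # (user, "main"|"rescue") -> HostRecord

    def enroll(self, user: str, token: UsbToken, rescue: bool = False) -> None:
        token.blob = os.urandom(32)          # written to the device
        tid = "rescue" if rescue else "main"
        self.records[(user, tid)] = HostRecord(
            _commit(token.blob, token.vendor, token.serial), is_rescue=rescue)

    def authenticate(self, user: str, token: UsbToken) -> bool:
        for (u, tid), rec in self.records.items():
            if u != user or rec.locked:
                continue
            candidate = _commit(token.blob, token.vendor, token.serial)
            if hmac.compare_digest(rec.commitment, candidate):
                # One-time use: regenerate the blob on the device and the
                # commitment on the host, so the data just read is now stale.
                token.blob = os.urandom(32)
                rec.commitment = _commit(token.blob, token.vendor, token.serial)
                if rec.is_rescue:
                    # Rescue device used: lock the main device immediately.
                    main = self.records.get((user, "main"))
                    if main is not None:
                        main.locked = True
                return True
        return False


def run_demo() -> dict:
    """Exercise the model with constructed tokens and return each outcome."""
    host = Host()
    main = UsbToken("Kingston", "0019E06B1234")      # constructed descriptor values
    rescue = UsbToken("SanDisk", "4C530001")
    host.enroll("alice", main)
    host.enroll("alice", rescue, rescue=True)

    results = {}
    # Byte-for-byte copy of the blob onto a stick with a different serial.
    clone = UsbToken("Kingston", "FFFFFFFF0001", blob=main.blob)
    results["clone_other_hw"] = host.authenticate("alice", clone)      # False
    stale_blob = main.blob
    results["genuine"] = host.authenticate("alice", main)              # True, blob rotated
    # Same hardware identity, but the blob captured before the login.
    replay = UsbToken(main.vendor, main.serial, blob=stale_blob)
    results["replay_old_blob"] = host.authenticate("alice", replay)    # False
    results["genuine_again"] = host.authenticate("alice", main)        # True
    results["rescue"] = host.authenticate("alice", rescue)             # True, locks main
    results["main_after_rescue"] = host.authenticate("alice", main)    # False, locked
    results["wrong_user"] = host.authenticate("bob", main)             # False
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:18s} {'accepted' if ok else 'rejected'}")
```

The hardware binding here only refuses a blob that arrives on different descriptor values; as noted above, a programmable controller that reproduces those values would pass this check, which is why the PIN/passphrase option matters in practice.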
pam_usbng runs independently of any filesystem drivers or HAL routines, which keeps installation and use simple. The implementation focuses on security, which should make it less susceptible to bugs. If you do find a bug, please report it to the developer.
Version 0.2: N/A