SUTL - SAFE USB Token Login

SAFE USB Token Login (SUTL)

SUTL is a SAFE application that uses a USB flash drive to log in to the SAFE Network without a keyboard.

01: Download SUTL from the SAFE Network.

02: Run SUTL (For the super paranoid only run SUTL on an off-line computer)

03: User prompted to insert a USB flash drive

04: User prompted to input desired log in credentials


05: USB flash drive formated and encrypted with users PIN

06: Generate public and private key pair with users login credentials

07: Store key pair on the encrypted USB flash drive

08: Encrypt login credentials with key pair and store on encrypted USB flash drive

09: Run SUTL in on-line mode (for the super paranoid use USB flash drive on a different computer)

10: Create SAFE account with SUTL

11: User prompted to input PIN to decrypt USB Flash drive

12: In lieu of typing log in credentials, users encrypted login credentials are used instead

13: Log in to SAFE account with SUTL

14: User prompted to input PIN to decrypt USB Flash drive

15: In lieu of typing in log in credentials, users encrypted login credentials are used instead

Damaged, lost, or stolen USB flash drives can be replaced using SUTL on any machine that already has SUTL installed or has access to download SUTL.

Criticism is welcome, solutions are even more welcome.

Edit: The PIN does not need to be used to encrypt the USB flash drive. A better way to encrypt it would be to use a pass phrase, this way it would be harder to crack and easier to remember.


great idea! I have no criticism! :wink:

Why does SAFE Network need this? And what are the advantages of such input?

1 Like

Logging in on a computer compromised with a keylogger is no longer a problem as the only password the keylogger snags is the key to decrypt the USB drive with the authentication details. The attacker would then need to get their hands on a copy of the USB key if they wanted access, instead of just inputting the credentials he would’ve gotten had the victim logged in traditionally.


Okay, but how can this work on smartphones and tablets?

Support for this sort of authentication could be coded into the launcher. Though it is a bit cumbersome on phones (and some tablets) as you’d need to have that MicroUSB->male USB-A adapter. I suppose you could also make an NFC module that would interface with the launcher to serve as a kind of 2 factor authorization module. That would probably be more user friendly than a USB for smartphones and tablets.

1 Like

Anything that can read and write data could be used as a token device. CDs, DVDs, Smart Cards, USB HDDs. So, the use could use thier smart phone instead of the USB flash drive as a token device. Or the user could use both the phone and the USB as a token device at the same time. The options are limitless.

Another idea I thought would be useful would be splitting the private key into two or more token devices and creating a multisig log in.

This is actually similar to how the US military secures their networks. But instead of having a centralized certificate authority the users have the ability to make their own private keys.