Foo - Help explaining something to people

Bikeforums.net is a forum about nothing but bikes. Our community can help you find information about hard-to-find and localized information like bicycle tours, specialties like where in your area to have your recumbent bike serviced, or what are the best bicycle tires and seats for the activities you use your bike for.




mlts22
03-13-07, 05:05 PM
For an academic project I am doing, I am using a number of Aladdin eTokens to show off to people why two-factor security is better than just a single password.

However, I keep running into this one question that takes forever to explain to people. Most everyone asks "Why do I need this token to store my private key? Why can't I use a USB thumbdrive?"

Nowhere have I found a good guide explaining the fact that the difference between a USB drive and a cryptographic token (like an Aladdin eToken) is the fact that the USB flash drive just does I/O such as block reads and writes. The computer reads the private key from the flash drive then performs the decryption/signing. The use of a smart card is totally different. The smart card does the decryption and signing on the card itself when requested to by the host computer. The host computer passes the encrypted data to the card, and takes the decrypted data when it's processed. Nowhere does the private key get read to the host computer, so if someone compromises the host computer, the private key cannot be obtained. This is in contrast to storing a private key on a USB thumbdrive where the private key can be easily and undetectably read off by malware.

Of course, if I explain this to people, their eyes glaze over. (Which is fine, and I'm not trying to sound superior to other people, as not everyone needs to be a cryptographic geek.) I just want them to understand why this piece of plastic that plugs into a USB port gives them more security than just punching in a password.

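The difference mlts22 describes, as an added example that is not part of the thread: two devices speak the same tiny command protocol, but only the thumb drive has a "read this file" command, while the token offers nothing but "give me the public key" and "sign this". Host malware that simply reads the key file gets it from the drive and gets an error from the token. Everything here is made up for the demo: the command names (READ, GET_PUBLIC, SIGN), the id_rsa file name, the PIN, and the unpadded textbook RSA with a 512-bit modulus that stands in for the token's real signing engine.

```python
# Added example, not from the thread: storage-only USB drive vs. signing token,
# seen from a compromised host.  Toy textbook RSA stands in for the token engine.
import hashlib
import math
import secrets

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    # Miller-Rabin: fine for a demo key, not a substitute for a real library.
    if n < 2 or n % 2 == 0:
        return n == 2
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits: int = 512):
    # Returns ((n, e), (n, d)); small modulus for speed, never for real use.
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def rsa_sign(private_key, message: bytes) -> int:
    # Whoever runs this holds the private exponent in memory.
    n, d = private_key
    return pow(_digest(message), d, n)

def verify(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest(message)

class ThumbDrive:
    # Storage only: the whole protocol is "read this file", so whoever asks gets the key.
    def __init__(self, private_key):
        n, d = private_key
        self._files = {"id_rsa": f"{n}:{d}".encode()}  # assumed file name

    def command(self, op: str, *args):
        if op == "READ":
            return self._files[args[0]]
        raise ValueError(f"unsupported command {op}")

class CryptoToken:
    # Smart-card style: GET_PUBLIC and SIGN only; no command ever returns d.
    def __init__(self, private_key, public_key, pin: str):
        self._priv, self._public, self._pin = private_key, public_key, pin
        self.inserted = True

    def command(self, op: str, *args):
        if not self.inserted:
            raise ConnectionError("token not present")
        if op == "GET_PUBLIC":
            return self._public
        if op == "SIGN":
            message, pin = args
            if pin != self._pin:
                raise PermissionError("wrong PIN")
            return rsa_sign(self._priv, message)  # the host signs nothing itself
        raise ValueError(f"unsupported command {op}")  # a READ lands here

def malware_dump_key(device):
    # (n, d) straight off a thumb drive; None from a token, which has no read command.
    try:
        blob = device.command("READ", "id_rsa")
    except ValueError:
        return None
    return tuple(int(x) for x in blob.split(b":"))

def malware_abuse_token(token, pin: str, message: bytes):
    # The caveat: while the token is inserted and the PIN is known (say,
    # keylogged), malware can still obtain signatures.  Unplugged: nothing.
    try:
        return token.command("SIGN", message, pin)
    except ConnectionError:
        return None
```

Run it with a fresh keypair: `malware_dump_key(ThumbDrive(priv))` returns the private key and `rsa_sign` with it produces a valid signature on the host, while `malware_dump_key(CryptoToken(priv, pub, "1234"))` returns None. The second malware function shows the limit of the argument, which a practitioner should state alongside it: the token keeps the key from being copied, but it will sign for anyone on the host who can present the PIN while it is plugged in, so the protection is of the key, not of every individual signature. That is also the two-factor picture in one object: the PIN is what you know, and `inserted` is what you have.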

monogodo
03-13-07, 05:16 PM
Have you tried simplifying your explanation so that a small child could understand?

ax0n
03-13-07, 05:17 PM
Tell them that since the magic happens all on the plastic thingy instead of on the computer, it's safer from viruses and spyware that can compromise the computer's integrity.


Tom Stormcrowe
03-13-07, 05:19 PM
> For an academic project I am doing, I am using a number of Aladdin eTokens to show off to people why two-factor security is better than just a single password.
>
> However, I keep running into this one question that takes forever to explain to people. Most everyone asks "Why do I need this token to store my private key? Why can't I use a USB thumbdrive?"
>
> Nowhere have I found a good guide explaining the fact that the difference between a USB drive and a cryptographic token (like an Aladdin eToken) is the fact that the USB flash drive just does I/O such as block reads and writes. The computer reads the private key from the flash drive then performs the decryption/signing. The use of a smart card is totally different. The smart card does the decryption and signing on the card itself when requested to by the host computer. The host computer passes the encrypted data to the card, and takes the decrypted data when it's processed. Nowhere does the private key get read to the host computer, so if someone compromises the host computer, the private key cannot be obtained. This is in contrast to storing a private key on a USB thumbdrive where the private key can be easily and undetectably read off by malware.
>
> Of course, if I explain this to people, their eyes glaze over. (Which is fine, and I'm not trying to sound superior to other people, as not everyone needs to be a cryptographic geek.) I just want them to understand why this piece of plastic that plugs into a USB port gives them more security than just punching in a password.

Simple demonstration... crack a password with a random character generator or whatever. Then show the same attempt with the secondary protocol device.

mlts22
03-13-07, 05:32 PM
> Tell them that since the magic happens all on the plastic thingy instead of on the computer, it's safer from viruses and spyware that can compromise the computer's integrity.

That is probably the best explanation. Explaining the concept to children would be easier, as most children these days would just interrupt me, and state that 2048 bit keys on a token is insecure, especially if the NSA made a TWIRL machine to help speed up factoring.

DannoXYZ
03-13-07, 06:09 PM
Draw a flowchart diagram, it makes a lot more sense when people see the process step-by-step...

jsharr
03-13-07, 07:41 PM
Prior to starting your presentation, threaten to stab them in the eye with a pointed stick if they ask stupid questions. First one to ask about drive thingee gets stabbed, problem solved. Anyone else that asks, just point to the bleeding yelling guy on the floor and explain that you already answered that question.

ax0n
03-13-07, 08:03 PM
So let me get this straight... There are usually three possible metrics for authentication.

What you know (password, PIN, account number, login)
What you have (token, card, key)
Who you are (retinal scan, biometric thumbprint, IR thermal map of your hand)

Most things have one factor. BikeForums just goes by what you know (user name and password). So do most combination locks. Cars go by what you have (a physical key). All one factor authentication.

This token is an encrypted device that fulfills the second factor (what you have), right?

You don't need to explain technically what the purpose is. Just tell them that two factor authentication is like having to know a password as well as having a key. Tell them that the reason the token is more secure than a USB key is because it can't be copied because of the encryption, so it is totally unique, much like the high-end keys found on luxury automobiles.


What you know can be passed along. You could intentionally or accidentally disclose your password to 10 people. Those 10 people could all masquerade as you and use your account.

What you have can only exist at one place at one time. If you don't have it, you know you don't have it, which means someone else may have it. 10 people can't use the token at the same time. It's also much easier to keep tabs on physical things (like a USB encrypted token, a set of keys, or your eyeglasses) than it is to keep tabs on your password. A shoulder-surfer can memorize your password but they can't use your token. A keystroke logger can record your password and e-mail it to an attacker, but it can't e-mail a physical device to the attacker.

That is why two factor authentication is more secure.