KerPass UST ("universal security token") is an advanced personal security application that lets its user securely store sensitive information, such as website passwords, credit card numbers and security tokens, for use with external websites.
The application stores and retrieves two different kinds of cards, "Info Card" and "Token Card".
An "Info Card" securely stores website passwords, textual notes of unlimited length, URLs and phone numbers. The card reader connects directly to stored URLs or phone numbers. Strong website passwords may be generated automatically.
A "Token Card" extends the "Info Card" and is created after interacting with a KerPass-enabled website. Each "Token Card" generates a one-time password (a time-synchronous variant of the OATH HOTP algorithm). A generated password may be used at most once and remains valid for at most 5 minutes.
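The one-time password behaviour described above, as an added example that is not KerPass code: it assumes the RFC 4226 HOTP counter is the index of the current 5-minute time step, a 6-digit code, and a server that remembers the last step it accepted. The secret is the RFC 4226 test key and all names are hypothetical.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 300  # assumption: one time step per 5-minute validity window
DIGITS = 6          # assumption: the page does not state the code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def time_counter(unix_time: int, step: int = STEP_SECONDS) -> int:
    """Time-synchronous variant: the counter is the index of the current step."""
    return unix_time // step


class Verifier:
    """Server side: accepts a code only in its own time step and only once."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._last_accepted = -1  # highest step index already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        counter = time_counter(unix_time)
        if counter <= self._last_accepted:
            return False  # a code was already accepted in this step: replay
        expected = hotp(self._secret, counter)
        if not hmac.compare_digest(expected.encode(), code.encode()):
            return False  # wrong code, or a code from an expired step
        self._last_accepted = counter
        return True


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed sample: RFC 4226 test key
    server = Verifier(secret)
    code = hotp(secret, time_counter(310))   # phone side at t = 310 s
    print(code, server.verify(code, 320))    # accepted once
    print(code, server.verify(code, 590))    # same step, second use: rejected
    print(code, server.verify(code, 600))    # next step, expired: rejected
```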
Additionally, a "Token Card" provides an advanced transaction validation system, which allows the end user to securely review and approve, on their phone, the content of a transaction summary message emitted by the website with which the card has been set up, and to digitally sign the reviewed message so that the approval is recorded in a tamper-proof manner.
The content of each card is encrypted using the NIST-certified, high-grade FIPS 197 AES algorithm, effectively protecting card content when stored. Additionally, access to card content may be restricted by means of a PIN/password, which can only be validated from the phone after interacting with a remote validation service.
Relying on an external service to grant access to cards stored on the phone provides various security benefits, the main ones being:
1. The ability for the end user to lock out all of their cards if a PIN/password reset is attempted from their phone.
2. The impossibility for a third party to retrieve the service PIN after having taken control of the phone.