Is using a USB key to secure an application the best option?
If it isn’t, what is the best way to secure an application in the form of requiring a valid user before the application can be used?
The reason I ask this question is that a client recently asked me to make an application require a specific USB device be inserted into the system before the app can be used or run. Basically, the application is medical software and the client sees this method of security as more trusted, as the app contains sensitive data of his patients. In case of loss, I can tell the user how to generate another security key using the app in command line mode.
Not necessarily an answer to the question, but a point to be considered in response to the question and comments so far…
A USB key by itself is not going to be more secure than password-based authentication. It’s still one-factor, it can be lost/stolen/etc. What the client probably actually wants, and either doesn’t know it or hasn’t properly articulated it, is multi-factor authentication. Consider these:
Most systems use only the first one. For added security, you add the second one. For Mission: Impossible style high-clearance security, throw in the third one. The idea is that any one factor can be forged, but adding new factors adds new dimensions of security which exponentially make it more difficult (rather than linearly more difficult when just replacing one factor with a “better” factor).
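As an added example that is not part of the original answer, here is one way an application could require both a password and the USB device, so that neither factor passes the check alone. The file name `app-token.key`, the iteration count, and the temporary directory standing in for the USB mount are assumptions made for the example.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

ITERATIONS = 200_000          # PBKDF2 work factor, constructed for this example
TOKEN_FILE = "app-token.key"  # hypothetical file name on the USB device


def read_token_secret(mount_point):
    """Return the secret stored on the USB device, or None if it is absent."""
    path = Path(mount_point) / TOKEN_FILE
    return path.read_bytes() if path.is_file() else None


def _derive(password, token_secret, salt):
    # Factor 1: stretch the password so guesses are expensive.
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Factor 2: key an HMAC with the device secret, so the result cannot be
    # computed from the password alone or from the device alone.
    return hmac.new(token_secret, stretched, hashlib.sha256).digest()


def enroll(password, token_secret):
    """Build the record the application stores; it contains neither factor."""
    salt = os.urandom(16)
    return {"salt": salt, "verifier": _derive(password, token_secret, salt)}


def verify(record, password, token_secret):
    """True only when both the password and the device secret are correct."""
    if not token_secret:  # device not inserted or file missing
        return False
    candidate = _derive(password, token_secret, record["salt"])
    return hmac.compare_digest(candidate, record["verifier"])


def demo():
    """Run the check against a temporary directory standing in for the USB mount."""
    with tempfile.TemporaryDirectory() as usb:
        (Path(usb) / TOKEN_FILE).write_bytes(os.urandom(32))
        record = enroll("correct horse", read_token_secret(usb))
        both = verify(record, "correct horse", read_token_secret(usb))
        wrong_pw = verify(record, "guess", read_token_secret(usb))
        (Path(usb) / TOKEN_FILE).unlink()  # simulate a removed device
        no_device = verify(record, "correct horse", read_token_secret(usb))
    return both, wrong_pw, no_device
```

A secret kept as a plain file on a USB stick can be copied, so a hardware token that never releases its secret is a stronger "something you have" than this file-based stand-in.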