Built with several security-related concepts in mind, pam_usbng lets users easily set up a USB storage device to serve as the basis for system-wide authentication via PAM.
If the main device gets lost or stolen, you'd be glad to have an additional, preconfigured rescue device for your account. Since the authentication information on a device can't easily be copied and reused, pam_usbng provides a simple and efficient way to create so-called rescue devices that serve as a fallback.
The software automatically recognizes when a rescue device has been used for authentication and can perform several actions in response, for example immediately locking the old (main) device, restricting further authentications, and much more.
pam_usbng can handle a large number of user authentication fingerprints on a single device, and it also supports multiple devices for multiple users.
You can easily tell pam_usbng to additionally check for a specific passphrase or PIN, which is in no way tied to the passwords of normal system accounts (unlike achieving the same effect directly via PAM with an additional module).
When dedicating a USB device as an authentication token, you can still use almost all of its space for normal data storage. This even works on Windows systems, which commonly do not handle multi-partitioned flash devices well.
pam_usbng introduces a new event-scripting interface. When certain events occur (e.g. the USB authentication device is plugged in, or an authentication fails), you can define hooks that run any script you like when the event triggers.
The USB authentication device is checked against certain values stored directly in the hardware, such as the vendor name and serial number. These values cannot easily be modified (at least if you don't work at the NSA) and therefore provide the basis for binding authentication to the physical device.
This means that even if the authentication data on your device is copied byte for byte to another device, authentication will still not succeed. This helps prevent thieves from stealing your data and replicating the device.
Everything stored on the authentication device is useless to attackers and thieves: no usernames, passwords, timestamps or other valuable information are stored on the devices themselves.
The authentication information on the device is valid for exactly one login. Every time an authentication succeeds, pam_usbng performs a password-regeneration procedure that calculates a new password for the next authentication and prepares the device accordingly.
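To make the two properties described above concrete (the hardware binding from the vendor/serial check, and the one-login validity with regeneration after each success), plus the main-device lock on rescue-device use mentioned earlier, here is an added illustrative model in Python. It is not pam_usbng's own code: the HMAC construction, the host-side record layout with `main`/`rescue` slots, and the sample vendor and serial strings are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed model (assumption, not pam_usbng's implementation):
# the host keeps only HMAC verifiers; each device carries a random
# one-time token in its data area. The HMAC is keyed by a hash of the
# hardware identity, so a byte-for-byte copy of the token to other
# hardware produces a different verifier and is rejected.

def device_fingerprint(vendor: str, serial: str) -> bytes:
    """Hash of values read from the device hardware (vendor name, serial number)."""
    return hashlib.sha256(f"{vendor}\x00{serial}".encode()).digest()

def derive_verifier(token: bytes, fingerprint: bytes) -> bytes:
    """What the host stores: HMAC over the device token, keyed by hardware identity."""
    return hmac.new(fingerprint, token, hashlib.sha256).digest()

def enroll(host: dict, role: str, vendor: str, serial: str) -> bytes:
    """Register a 'main' or 'rescue' device; returns the token to write onto it."""
    token = secrets.token_bytes(32)
    host[role] = {"verifier": derive_verifier(token, device_fingerprint(vendor, serial))}
    return token

def authenticate(host: dict, vendor: str, serial: str, token_on_device: bytes):
    """Return the regenerated token on success, or None on failure."""
    fp = device_fingerprint(vendor, serial)
    candidate = derive_verifier(token_on_device, fp)
    for role, rec in host.items():
        # A slot set to None is a locked device and can never authenticate.
        if rec is not None and hmac.compare_digest(candidate, rec["verifier"]):
            break
    else:
        return None
    # One-login validity: rotate the token so replaying the old one fails.
    new_token = secrets.token_bytes(32)
    rec["verifier"] = derive_verifier(new_token, fp)
    if role == "rescue" and "main" in host:
        host["main"] = None  # rescue device used: lock the (presumably lost) main device
    return new_token
```

Run `enroll` once per device, write the returned token to the device, and on every successful `authenticate` overwrite the device's token with the new one; the host record never contains the token itself.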
Rescue devices offer one more security mechanism: it is mathematically impossible to determine whether the device holds any authentication information at all. A thief cannot tell whether the data on the device could serve as authentication data or is just complete garbage.
Security was the highest priority throughout the implementation. Nevertheless, I can't promise that there are no bugs. If you find one, I'd be pleased if you told me.