Re: "[a] device that connects to a website"
Great idea, Paypal. That way, the miscreants will have just one site to hack to steal personal data on everyone and gain access to absolutely all banking data there is.
Much as I dislike and distrust PayPal, I don't think the scheme they are suggesting is quite as bonkers as that!
What they seem to be proposing is a system in which every user would carry some kind of device that would enable them to authenticate to a system. The user would activate the gadget by some biometric pathway (such as a fingerprint reader on the gadget itself) and that would enable the gadget to authenticate the user to a computer system through some sort of secure protocol -- a cryptographic challenge/response exchange, perhaps. I guess the gadget would contain the user's ID as a digital certificate and would also have the ability to use the corresponding private key to effect the challenge/response calculation.
Users would register with services using the certificates from their devices as ID, and would authenticate by enabling the device to complete the cryptographic exchange that demonstrates knowledge of the private key. If a user registered with more than one bank using the same device neither bank would know the private key, so either could impersonate the user to the other.
Note that it is important that the biometric measurement and verification are performed by the device itself, and don't rely on (say) a fingerprint reader attached to the computer. If the device were to rely on the external hardware then an attacker could capture the biometric data and activate the device automatically without the user's knowledge (possibly after it had been stolen).
The important points here are:
1. The device would be useless if stolen because it won't function without performing a biometric identification of the user.
2. The certificate on the device could be revoked if the device were lost or stolen, making it useless.
3. The private key would only be used on-board, and would never leave the device. That means that the device could never be spoofed or copied.
4. A user could have multiple devices, so wouldn't have to present the same identity for all services. All the devices could be activated by the same biometric mechanism, but the biometric data would be checked by the device, on the device, and would never need to be transmitted to the computer system asking for authentication. When you lose a device you only need to get a new device (with a new keyset and certificate) -- you don't need new fingerprints!
5. If the same device is used to access multiple service accounts, and one is closed, it is not a problem that the device can still be used to identify the user. If the user (or an attacker) attempts to access the service on which the account has been closed the system will be able to verify the user's identity, but not associate that identity with a live account.
Of course, to implement a system that did all this would be to place a lot of faith in the technology. If an attacker could obtain a user's device and spoof their fingerprints (before the device was reported missing and the certificate revoked) he could gain access. An attacker who could devise a way to extract the key data from the device would be able to spoof the device. An attacker who could break the cryptosystem used by the device would laugh all the way to ... wherever you go when there aren't any banks any more.
Mine's the one with cash in the pocket.
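The challenge/response scheme sketched in the post, as an added example that is not part of the original comment: the device holds the private key and signs only once its own biometric check has unlocked it, while the bank stores nothing but the public key, issues a random challenge, and refuses revoked keys. The names (Device, Service, Unlocked) are assumptions of mine, and Go's standard crypto/ecdsa stands in for whatever cryptosystem such a gadget would actually use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Device models the token: the private key never leaves it, and it only signs
// while Unlocked is set by the gadget's own (hypothetical) fingerprint check.
type Device struct {
	priv     *ecdsa.PrivateKey
	Unlocked bool
}
func NewDevice() (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Device{priv: priv}, err
}
// PublicKey is all a service ever receives at registration.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }
// Respond signs SHA-256(service || challenge); binding the service name keeps a
// response meant for one bank from being relayed to another.
func (d *Device) Respond(service string, challenge []byte) ([]byte, error) {
	if !d.Unlocked {
		return nil, errors.New("device locked: biometric check not passed")
	}
	h := sha256.Sum256(append([]byte(service), challenge...))
	return ecdsa.SignASN1(rand.Reader, d.priv, h[:])
}

// Service is a bank: it stores public keys and a revocation list, never a
// private key. The challenge must be a fresh random nonce per login attempt.
type Service struct {
	Name    string
	Users   map[string]*ecdsa.PublicKey
	Revoked map[string]bool
}
// Verify accepts a signature over this service's own challenge only from a
// registered key that has not been revoked (the stolen-device case).
func (s *Service) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.Users[user]
	if !ok || s.Revoked[user] {
		return false
	}
	h := sha256.Sum256(append([]byte(s.Name), challenge...))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

A locked device returns an error instead of a signature, a response to one bank's challenge verifies nowhere else, and revoking the entry at the bank makes the device useless for that account without touching the user's fingerprints.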