Correct approach?
Why not apply the classic security solution? That is, the "key" should be based on:
- Something you have (a physical thing)
- Something you know (typically a password)
The "something you have" has been very much undersold. I understand one of the major banks (Barclays?) is starting to issue hardware keys (I'm guessing they are along the lines of a standard VPN random number thing) to customers for use on the web. These things are cheap, and though I am in no way a security expert, I'm guessing they are pretty secure and very, very difficult to crack.
I've never quite understood why more use isn't made of the classic hardware dongle; the sort you stick in the parallel port (remember those?) or USB port. The security of these things has increased greatly over the years, and if more use was made of them, I'm sure their security would increase even further through investment by those with a vested interest in keeping their software (or whatever) out of the hands of those that shouldn't have it. If (say) Microsoft had issued dongles with each version of Windows they have sold/pushed, I wonder what the piracy rates would be? Nothing like what they are at the moment, I would guess. Ok, dongles cost a bit of money, but economies of scale would make the additional cost negligible.
Instead, they mess about with trying to identify your PC by pulling in serial numbers and other such nonsense, with all the problems that incurs when someone replaces a hard drive or a graphics card. A separate hardware dongle would cleanly eliminate these problems.
And, of course, you can store stuff on a dongle, like security keys and passwords and code (!) etc. Indeed there's nothing to stop you including a level of computing power in them (incredibly useful); they are much more than the simple "yes/no" devices they were years ago.
Dongles - you know it makes sense! :-)
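
An added example, not part of the original comment: a sketch contrasting the old "yes/no" dongle check with a dongle that stores a key and computes a response to a fresh challenge. The `Dongle` and `Verifier` classes, the HMAC-SHA256 choice and the key sizes are assumptions for illustration, and the key is simulated in software here rather than held in hardware.

```python
import hashlib
import hmac
import secrets

class Dongle:
    """Simulated hardware token (hypothetical): the key never leaves this object."""
    def __init__(self, key: bytes):
        self._key = key

    def present(self) -> bytes:
        # Old-style "yes/no" device: always returns the same fixed answer.
        return b"DONGLE-OK"

    def respond(self, challenge: bytes) -> bytes:
        # Device with computing power: MAC over a host-chosen challenge.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Verifier:
    """Host-side check holding a copy of the key provisioned at issue time."""
    def __init__(self, key: bytes):
        self._key, self._pending = key, None

    def new_challenge(self) -> bytes:
        # Fresh random nonce per attempt, so a recorded response is useless later.
        self._pending = secrets.token_bytes(16)
        return self._pending

    def check(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        challenge, self._pending = self._pending, None  # each challenge is single use
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed sample key
    dongle, host = Dongle(key), Verifier(key)
    # Static check: an answer captured once matches every later check.
    static_replay_works = dongle.present() == dongle.present()
    # Challenge-response: the genuine response passes, a replay of it fails.
    recorded = dongle.respond(host.new_challenge())
    genuine_ok = host.check(recorded)
    host.new_challenge()
    replay_ok = host.check(recorded)
    return {"static_replay_works": static_replay_works,
            "genuine_ok": genuine_ok, "replay_ok": replay_ok}

if __name__ == "__main__":
    print(demo())
```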