Use standard USB flash disk as security token
We want our users in company to login their computers by using their USB Flash Disks or something else. Is there a way to achieve this without buying a USB token from a company ?
Solution 1:
Security tokens are tamper-resistant processors. USB flash disks are storage media. These things are, fundamentally, two different things. You're comparing apples and oranges.
A security token contains a secret (private key, random number generator seed, etc) that can't (easily) be removed from the device. This tamper-resistance is the reason that the device (and, indeed, an entire system based on these devices) has any security properties. You can say, with a reasonable degree of certainty, that the bits inside the security token only exist inside that token, and can't be copied to other tokens / devices.
A USB flash disk (at least, the vast majority) are not active processing elements. They can't perform cryptographic operations (signing a message, generating the HMAC of a message, etc) and the bits that they store are, by design, easy to copy.
A malicious attacker (inclduing a compromosed computer, in the case of security tokens that are physically attached to the computer) can't steal the secret out of a security token (at least, that's the idea).
Solution 2:
Most USB flash disks are not designed for that. You could have a look at Yubico at the cheaper end of the spectrum.
Are you intending to use the USB device as the only authentication mechanism? I assume not, but if so, consider what happens if it's lost, or if one of the office juniors "borrows" the general manager's device, or if someone leaves it at home.
There are USB devices that duplicate the smart card certificate storage functionality so that could be worth looking at - but AFAIK they are all the "USB tokens" that you want to avoid.
Solution 3:
You could just store a password protected private key on a USB flash drive, and use that in your authentication. Not sure how you would make this easy for the user (depends on your OS), but it is an option.
As pointed out, you probably don't want this to be the only authentication, as it can be stolen, lost etc. But it would be cheap and does count as part of three factor authentication, which I guess is what you are trying to achieve.
Answering the "something else" part of your question - I've been using Swivel's PINsafe product for a couple of years, which gives what they call 2.5 factor authentication. It doesn't quite give what you are looking for, but after the initial investment in the product, you don't have the cost of distributing any devices, but is pretty secure against all but the most elaborate key loggers. If you were worried about that, you probably wouldn't be looking for a cheap solution :-)