Solved

One-time-password token generating dongle

Posted on 2013-05-13
915 Views
Last Modified: 2013-05-29
I'm looking for a company that supplies "one time password" security token generating equipment.

http://en.wikipedia.org/wiki/Security_token

For example - a small keychain device which generates a one-time token when you push a button.

The idea is that the token can be used for two-factor authentication of a user.

I know how to Google - there are many companies out there that provide this:

Yubico (Dongle)- http://www.yubico.com/products/yubikey-hardware/yubikey/
Gooze (Dongle) - http://www.gooze.eu/otp-c200-token-time-based-h3-casing-1-unit
Enix (Dongle) - http://www.square-enix.com/na/account/otp/
Authentify (SMS)- http://www.authentify.com/solutions/sms.html
.... dozens of others

Some of them deliver the token via a little LCD screen. Others use RFID or USB to talk to software on the computer directly. Some use SMS / text message or a voice call. Some are biometric, and there are lots of clever designs out there.


So what I'm looking for from the Experts here is for somebody who has actually USED these services directly and can tell me about their experience with that particular provider. How exactly does it work? Is it reliable? Affordable?

Also, who are the major players in this particular field? Are there any large companies that stick out above the rest?
Question by:Frosty555
3 Comments
 
LVL 20

Accepted Solution

by:
edster9999 earned 250 total points
ID: 39163206
Generally expensive.  
You are not paying for the plastic with the little chip inside and a screen.  If you were you would be paying $1.
Instead you pay for the software, the encryption underlying it and probably the name on the case - making them more like $100.

They work.  They allow you to login and authenticate and even if someone glances over the shoulder while it is logging in they cannot steal the login as it has then expired.

Is it total security? No. If someone steals the keyfob and threatens the member of staff, there is a good chance they will reveal their PIN (normally a 4-digit PIN that goes with the number on the screen for double security).
I have even had these returned to me when someone leaves with their PIN taped to the back of the unit    :S

They do have a tendency to drift off if they are not used for a few months and then an admin must resync them (normally by entering the code and the next code so the server knows where you are in the sequence).  This could be an issue if they are only used in emergencies or when people travel if it is not that common.

You have to weigh up the cost of them compared to using something like OpenVPN and having passwords or key files and teaching your staff to be careful with them.
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39164044
We went with http://www2.safenet-inc.com/sas/index.html, having previously used vasco and rsa tokens. This is a fully hosted solution (so you lose control over the process, this can be an issue!) but there is a wide range of mobile phone based "apps" to generate the tokens, plus we could import our "legacy" tokens (vasco in this case, the rsa ones expired) to let us retain the benefit of our investment in those.
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 250 total points
ID: 39190825
I've used hard and soft tokens from SafeNet/RSA/Symantec and Yubico. Two-factor is nice on paper, but once you are authenticated, unless you have further controls, there is nothing at the NETWORK level that benefits from 2-factor. Meaning, your users get VPN'd in to your network, they use 2-factor correctly and the tunnel is established. The user gets infected or is already, perhaps hacked already; now that the user is on your network, so is the attacker. If the attacker tried to \\ip.ip.ip.ip to the resources on your LAN from one of your users' computers, there is nothing stopping them; they will be able to as long as the user's account is able to. They don't need to keylog or steal creds: if the user ran something they shouldn't have, the attacker is now the user.
2-Factor protects logins, interactive logins like your standard Windows sign-in or Citrix login. There is nothing at the network level. 2-Factor may be a requirement of PCI DSS but it doesn't really do anything to add further protection aside from the initial LOGIN to the network.
Soft tokens are much easier to deal with; having people place them on their phones is pretty convenient and makes the logistics of issuing and token reclamation soooo much easier. Hard tokens (dongles) are a nightmare no matter whose you use: you have to ship them to users or offices for distribution, and you want to get them back because they cost a lot of money. Soft tokens are much better logistically, but they cost the exact same as the hard tokens, because NO ONE would buy hard if soft was cheaper.
If you have a requirement you have to meet, like the one for VPN'ing into a PCI/DSS network, then try other compensating controls. I'm not impressed with 2-factor in the slightest. It only offers some additional assurance against account sharing and even then it's not really that much, see here:
http://www.theregister.co.uk/2013/01/16/developer_oursources_job_china/
The Yubico tokens, there are several, are different than any others and can be used in different situations than most of the LCD based ones.
-rich
