One-time-password token generating dongle

Posted on 2013-05-13
Medium Priority
Last Modified: 2013-05-29
I'm looking for a company that supplies "one time password" security token generating equipment.


For example - a small keychain device which generates a one-time token when you push a button.

The idea is that the token can be used for two-factor authentication of a user.

I know how to Google - there are many companies out there that provide this:

Yubico (Dongle)- http://www.yubico.com/products/yubikey-hardware/yubikey/
Gooze (Dongle) - http://www.gooze.eu/otp-c200-token-time-based-h3-casing-1-unit
Enix (Dongle) - http://www.square-enix.com/na/account/otp/
Authentify (SMS)- http://www.authentify.com/solutions/sms.html
.... dozens of others

Some of them deliver the token via a little LCD screen. Others use RFID or USB to talk to software on the computer directly. Some use SMS / text message or a voice call. Some are biometric, and there are lots of clever designs out there.

So what I'm looking for from the Experts here is for somebody who has actually USED these services directly and can tell me about their experience with that particular provider. How exactly does it work? Is it reliable? Affordable?

Also, who are the major players in this particular field? Are there any large companies that stick out above the rest?
Question by:Frosty555
LVL 20

Accepted Solution

edster9999 earned 1000 total points
ID: 39163206
Generally expensive.  
You are not paying for the plastic with the little chip inside and a screen.  If you were you would be paying $1.
Instead you pay for the software, the encryption underlying it and probably the name on the case - making them more like $100.

They work.  They allow you to login and authenticate and even if someone glances over the shoulder while it is logging in they cannot steal the login as it has then expired.

Is it total security?  No.  If someone steals the keyfob and threatens the member of staff - there is a good chance they will reveal their PIN (normally a 4 digit PIN that goes with the number on the screen for double security).
I have even had these returned to me when someone leaves with their PIN taped to the back of the unit    :S

They do have a tendency to drift off if they are not used for a few months and then an admin must resync them (normally by entering the code and the next code so the server knows where you are in the sequence).  This could be an issue if they are only used in emergencies or when people travel if it is not that common.

You have to weigh up the cost of them compared to using something like OpenVPN and having passwords or key files and teaching your staff to be careful with them.
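
The resync step mentioned in the answer above (the user enters one code and then the next one), sketched as an added example that is not part of the original answer or any vendor's code. It assumes a counter-based RFC 4226 (HOTP) token, which the answer does not name; the window sizes and the starting counter are illustrative, and the secret is the RFC's published test key.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one position in the sequence."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, server_counter: int, code: str, window: int = 2):
    """Normal login: accept a code only within a small look-ahead window.
    Returns the next counter the server should expect, or None."""
    for c in range(server_counter, server_counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


def resync(secret: bytes, server_counter: int, code1: str, code2: str,
           window: int = 1000):
    """Admin resync: search a wide window, but demand two CONSECUTIVE codes,
    so the wide search does not make a single guessed code acceptable."""
    for c in range(server_counter, server_counter + window + 1):
        if (hmac.compare_digest(hotp(secret, c), code1)
                and hmac.compare_digest(hotp(secret, c + 1), code2)):
            return c + 2
    return None


def demo():
    secret = b"12345678901234567890"  # RFC 4226 test secret, not a real key
    server_counter = 1                # constructed: where the server thinks the token is
    # Constructed drift: the button was pressed unobserved, token is at position 7.
    code1, code2, later = hotp(secret, 7), hotp(secret, 8), hotp(secret, 9)
    normal = verify(secret, server_counter, code1)            # outside login window
    skipped = resync(secret, server_counter, code1, later)    # codes not consecutive
    synced = resync(secret, server_counter, code1, code2)     # server moves to 9
    return normal, skipped, synced


if __name__ == "__main__":
    print(demo())
```
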
LVL 33

Expert Comment

by:Dave Howe
ID: 39164044
We went with http://www2.safenet-inc.com/sas/index.html, having previously used Vasco and RSA tokens. This is a fully hosted solution (so you lose control over the process, this can be an issue!) but there is a wide range of mobile phone based "apps" to generate the tokens, plus we could import our "legacy" tokens (Vasco in this case, the RSA ones expired) to let us retain the benefit of our investment in those.
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 1000 total points
ID: 39190825
I've used hard and soft tokens from SafeNet/RSA/Symantec and Yubico. Two factor is nice on paper, but once you are authenticated, unless you have further controls, there is nothing at the NETWORK level that benefits from 2-factor. Meaning, your users get VPN'd in to your network, they use 2 factor correctly and the tunnel is established. The user gets infected or is already, perhaps hacked already, now that the user is on your network, so is the attacker. If the attacker tried to \\ip.ip.ip.ip to the resources on your LAN from one of your user's computers, there is nothing stopping them, they will be able to as long as the user's account is able to. They don't need to keylog, or steal creds, if the user ran something they shouldn't have, the attacker is now the user.
2Factor protects LOGINs, interactive logins like your standard Windows sign in, or Citrix login. There is nothing at the network level. 2-Factor may be a requirement of PCI/DSS but it doesn't really do anything to add further protection aside from the initial LOGIN to the network.
Soft-tokens are much easier to deal with, having people place them on their phones is pretty convenient and makes the logistics of issuing and token reclamation soooo much easier. Hard-Tokens (dongles) are a nightmare no matter whose you use, you have to ship them to users or offices for distribution, and you want to get them back because they cost a lot of money. Soft-Tokens are much better logistically, but they cost the exact same as the Hard-Tokens, because NO ONE would buy hard if soft was cheaper.
If you have a requirement you have to meet, like the one for VPN'ing into a PCI/DSS network, then try other compensating controls. I'm not impressed with 2-factor in the slightest. It only offers some additional assurance against account sharing and even then it's not really that much, see here:
The Yubico tokens, there are several, are different than any others and can be used in different situations than most of the LCD based ones.
