Authentication USB tokens

Discussion in 'privacy technology' started by TKHgva, Mar 3, 2009.

Thread Status:
Not open for further replies.
  1. TKHgva

    TKHgva Registered Member

    Joined:
    Feb 19, 2009
    Posts:
    77
    Location:
    Confoederatio Helvetica
    Hello,

    What are your opinions regarding authentication tokens manufactured by these two companies: Safenet (iKey) and Aladdin (eToken)?

    Has someone heard or read of any issues surrounding these two products or companies?

    I have no experience whatsoever with authentication tokens. However, I'm looking for a solution to manage multiple account passwords, also enabling the token holder to be the only one authorised to access the accounts.

    I've started to read about T-FA, but I need to understand a really basic thing about its purpose:
    when logging into an account using the security token, does it serve to add a layer of authentication by requiring one to log into the account with a password + the token?
    Or does it replace the need for filling in a password (by containing it and handling authentication on its own) in order to ease authentication?
    So is it for adding extra layers of security or for easing access... or both?

    Can the same token manage authentication for several accounts of different types, for example e-banking, e-mail, PC user login etc?

    If anyone has experience with usb token solutions, could they also kindly recommend a particular company.

    Thanks a lot.
    --------------------------------------------------------------------------------------------------------------------------------
    Edited note:

    Ok, apologies for the basic question on what's the actual function of the token; I've been reading and learning (which should always be done beforehand...). I provide here one of the articles which helped me understand, in case other viewers are looking for the same type of answers.

    However, it would be very much appreciated if someone using tokens can advise, suggest or recommend, for multiple use. Thanks!
     
    Last edited: Mar 5, 2009
  2. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    I remember some easy hardware attacks on the iKey... but I am not sure on what model and I know it is something aged... so it might not be true anymore. On the other hand, I am not aware of any successful hardware (or software) attack against the Aladdin eToken.

    Abylon LOGON (http://www.abylonsoft.com/) lets you use a token for logging into Windows. If I am not wrong, a password is still used for accessing Windows, but since you don't need to remember it, you can use an extremely strong password. Such a password will be encrypted with an asymmetric key, and the private key will stay on the token. I am not sure where the encrypted password is stored (on hard disk or on token).
     
  3. TKHgva

    TKHgva Registered Member

    Joined:
    Feb 19, 2009
    Posts:
    77
    Location:
    Confoederatio Helvetica
    Thanks for the info, that's already a very good start for the token quest.

    That's the type of token I'm searching for. However, I believe or seem to have read that there are also multi-purpose tokens, one token can be used for entering many accounts, and also to store other data I think. That would be more practical. I've been looking on Aladdin and Safenet, but because I'm new I have to take time to look up definitions, terms etc. Not sure which of their keys does multipurpose.

    What you mentioned at the end, I've seen (Aladdin or Safenet) they have tokens that handle the whole process without the need to have an application on the computer, sort of like "plug-n-play" (although I'm not sure about all this, still reading).

    This is taken from the article, I think it sort of answers our question:
    Some authentication tokens generate random passwords that are keyed into the authenticating application. Others generate and store public keys while holding the certificates based on the keys. Still others perform all cryptographic functions on the token.

    Thanks for the link. I'm checking it still. I like the way "Abylon Logon will automatically lock the computer if you pull the USB stick or smart card out".

    I see they also offer the type of solution I was initially looking for: Abylon Keysafe; "The abylon KEYSAFE is a simply password manager to manage all your secret data. You need only one password or alternatively an USB Stick, CD, chip card or certificate as “keys”." Thanks.

    By the way, for anyone interested, The Bat Pro email client is also available at double the price (65 Euros) and comes with authentication token (either Rainbow iKey1000 or Aladdin e-token pro).
     
  4. TKHgva

    TKHgva Registered Member

    Joined:
    Feb 19, 2009
    Posts:
    77
    Location:
    Confoederatio Helvetica
    As I initiated the thread implicitly agreeing that tokens are THE solution to ID theft and fraud, thought I should post this article... dated 2005! I'm somehow a bit late on all this...
     
  5. swekey

    swekey Registered Member

    Joined:
    Apr 19, 2009
    Posts:
    2
    Hello,

    I'm one of the swekey designers.
    We chose to create a token that can be easily used in any web site/application.

    We do not associate a password to our device. The web site just asks for a password as usual and we just check that the swekey is plugged in to validate the login.

    Of course the same device can be used on all web sites.

    We have already integrated the swekey authentication (http://www.swekey.com) in numerous open source solutions.

    If you have any questions you can contact me directly. And if you want to review the swekey just ask me for a free sample.

    Regards,

    Luc
     
  6. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    I find a tool like swekey a good step towards the spread of two-factor authentication, so I was taking a look at your website. Being quite cheap, it could be easily sellable, and substitute the use of only username/password at least for some of the structures in many companies.
    What I can't understand from the website is: what technologies/standards does the swekey use? How does it store the credentials? Or better: does it store the user credentials at all? Is it possible to upgrade/delete the certificates on it? Or better: does it use certificates at all?
     
  7. swekey

    swekey Registered Member

    Joined:
    Apr 19, 2009
    Posts:
    2
    It doesn't store user credentials at all. It is just able to calculate One Time Passwords; it doesn't do any encryption.
    The OTP is based on the key id, the site's hostname, a server generated challenge (time limited) and a unique private key (that is not readable from the key).

    It does not use certificates at all.
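
The scheme described in the last post (an OTP derived from the key id, the site's hostname, a time-limited server challenge and a secret that cannot be read out of the token) can be sketched from the verifying side as follows. This is an added example, not swekey's code: the thread does not name the algorithm, so HMAC-SHA256, the field encoding, the 120-second challenge lifetime, the server holding a copy of each token secret, and all names are assumptions.

```python
import hashlib
import hmac
import os
import time

CHALLENGE_TTL = 120  # seconds a challenge stays valid (assumed value)


def token_otp(secret, key_id, hostname, challenge):
    """What the token would compute: a MAC over key id, hostname and challenge."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    parts = (key_id.encode(), hostname.encode(), challenge)
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Verifier:
    """Server side: issues time-limited challenges and accepts each one once."""

    def __init__(self, hostname, secrets):
        self.hostname = hostname   # the name this site is actually served under
        self.secrets = secrets     # key id -> per-token secret (assumed shared)
        self.pending = {}          # challenge -> expiry timestamp

    def new_challenge(self, now=None):
        now = time.time() if now is None else now
        challenge = os.urandom(16)
        self.pending[challenge] = now + CHALLENGE_TTL
        return challenge

    def verify(self, key_id, challenge, otp, now=None):
        now = time.time() if now is None else now
        # pop() makes the challenge single-use, so a captured OTP cannot be replayed.
        expiry = self.pending.pop(challenge, None)
        secret = self.secrets.get(key_id)
        if expiry is None or now > expiry or secret is None:
            return False
        # The server recomputes with its own hostname, so an OTP produced for a
        # look-alike host does not validate here.
        expected = token_otp(secret, key_id, self.hostname, challenge)
        return hmac.compare_digest(expected, otp)  # constant-time comparison
```

Because the password is still checked separately by the site, this value only proves possession of the token; it never replaces or stores the user's credentials.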
     