Q: Login security with biometrics or key fob and PIN ( Answered 5 out of 5 stars,   0 Comments )
Question  
Subject: Login security with biometrics or key fob and PIN
Category: Computers > Security
Asked by: colemgarcia-ga
List Price: $45.00
Posted: 04 Dec 2003 15:57 PST
Expires: 03 Jan 2004 15:57 PST
Question ID: 283640
I manage 40 pcs, and would like to increase login security, but still
have the password length the employees need to memorize to be just 4
characters.  I made this decision after reading Bruce Tognazzini's
article on real-world security.  He maintains that stronger random
passwords are less secure, because the users are more likely to write
the passwords on easily found Post-It notes.  And the users would
rebel at stronger passwords being changed as often as they should.

AskTog.com, Nov 2003 http://www.asktog.com/columns/058SecurityD'ohlts.html

I think a hardware solution might do it.  I heard about iButton
technology (a chip in a tiny stainless steel can, with 16kbps
communication through a small serial interface, all components
relatively inexpensive).

IButton Overview http://www.ibutton.com/ibuttons/index.html

A solution that seemed quite flexible was eSecure's eGuard, a small
device that the keyboard cable goes through.  With a key chain fob
pressed against the device, a keystroke signals the device to take the
password string from the fob and automatically type the password. 
This simple device could be used for Windows or Linux, obviously, and
it would store 10 passwords, easily re-programmable.  The device would
supply the first 8 strongly random characters, and the user would
complete the password with their 4 character PIN.  Passwords would be
changed by re-programming the fob.

eSecure's eGuard description
http://www.esecureperipherals.com/html/eguard.htm (user manual
downloadable)

I called that manufacturer, and found that they do not actively market
the device, because it has only sold 200 units over several years.  So
that seemed really dicey to me.

I was worried about biometric solutions, because of price and reliability.

My question is:

Is there a hardware device (biometric, key chain fob, whatever) that
would provide strong login security, with the users only having to
memorize a short, infrequently changing PIN?

That works with Windows or Linux?  (our network is currently Windows
only, but I would prefer that this hardware does not lock me into
Windows only)

That is less than $150 per workstation? ($200 would be pushing it)

Is reliable and not oppressive to use several times a day?

And that you have personally installed and managed on 10+ networked pcs?

Thank you in advance!

Request for Question Clarification by maniac-ga on 06 Dec 2003 07:26 PST
Hello Colemgarcia,

We can certainly make some suggestions related to two factor (or token
based) security. However, the clause at the end
  ...that you have personally installed and managed on 10+ networked pcs
would be unlikely to be met by any of the researchers.

For example, I have personal experience with strong security systems
(as part of a dial-in system) for several years and can relate from a
user's point of view. However, I cannot provide personal experience
related to the management aspects.

Would you accept an answer based on on line research combined with user experience?
  --Maniac

Clarification of Question by colemgarcia-ga on 08 Dec 2003 09:37 PST
>> Would you accept an answer based on on line research
>> combined with user experience?

Yes.  Mainly I was trying to avoid answers wholly based on sales literature.

My only condition would be I would definitely need info on "real
world" ease of installation and management.  If you can find "notes
from the field" from a third party, that would be fine, I guess.
Answer  
Subject: Re: Login security with biometrics or key fob and PIN
Answered By: maniac-ga on 08 Dec 2003 18:29 PST
Rated: 5 out of 5 stars
 
Hello Colemgarcia,

I will describe the system I have personal experience with first, and
then describe a number of competing systems with additional references
to reviews and feedback on those systems. The first one has the
longest description, but many of the features and capabilities listed
would be available in a similar form for other products.

SecurID
=======

The hardware device I use for remote access at a large company is a
SecurID PINPad card from RSA Security.
  http://www.rsasecurity.com/products/securid/
  http://www.rsasecurity.com/products/securid/index.html
which supports a number of different network, system, and application
level security systems. I have found it easy to use and since the
company has used it for several years (and does not plan to replace
it), I expect the system administration to be reasonable. There are
other token types available as well but this method does allow the
user to enter a single value to the computer system for
authentication, yet still requires a short PIN to use.

The first time I got the card, I had to
 o pull up a "registration" web page
 o select and enter PIN into the card
 o enter the resulting value into the web page and submit the form
After this one time registration, I was able to use the card as described below.

From a user's point of view the card works like this:
 o initiate the connection to the corporate dial in line. Enter user
name at the prompt.
 o look at card, check the vertical bar on the right side (the time
limit the pass code will be accepted). Wait until the bar is near the
top of the display.
 o enter pass code (4 digits) and press the diamond button near the
bottom. The card will display a six digit number.
 o enter the displayed number as my "password"

The dial in system will then pass my information back to the
authentication server and if everything is OK, will grant me access.
The rest of the session operates just like any other dial in session
on the network.

I have used this system for about three years. During that period, the
first card I was issued worked well until near the card's expiration
date (printed on reverse). There was one day the display was blank and
the card did not respond to any actions. A short call to the help desk
was needed to get a new card issued and I returned the dead card. When
I got the new card, I had to repeat the registration process and the
new card has worked ever since. Cards apparently last between 3 and 4
years.

So, from this description and the documented information at RSA
Security site, as a system administrator you need...
 o an administrator / technician / help desk person responsible for
answering questions, issuing new cards, and other administrative tasks
 o a web server to act as front end to the registration process
  http://www.rsasecurity.com/products/securid/datasheets/dssecuridwebexpress.html
 o a server to do authentication, may be replicated for reliability
  http://www.rsasecurity.com/products/securid/datasheets/dsaceserver.html
 o client applications (e.g., OS login, dial in server, applications)
that use the authentication server. For the OS login, this appears to
be supplied by RSA Security / Microsoft / another operating system.
 o a precision time source (e.g., Network Time) that is synchronized
with GMT. The pass codes are only good for a minute each, and if the
server's time clock and card's time clock get out of sync, people will
not be able to log in. If you have an always on internet connection,
you can likely use a public server for this capability and I can
suggest tools to use if needed.

From your original question, this product can be used for
authentication of both Microsoft Windows systems as well as Unix
systems. It is somewhat odd that Linux is not listed, but you should
be able to do authentication through LDAP support which is described
in other places on the RSA Security site. There are also applications
that support the use of SecurID but check the web site for details on
those.

Pricing at the Network Security Store
  http://www.networksecuritystore.com/
indicates a complete SecurID solution runs about $10k (advanced server
plus tokens) for fifty users plus the price of the computer to act as
server(s). That is at the high end of your price range at $200 per
user. I also found at SecureHQ, a 25 pack "starter's kit" at roughly
$3k list, so that would be closer to $120 each, but this might not
include some features you need. That was priced at
http://www.securehq.com/item.wml&prodid=40348&deptid=83&sessionid=200312820491732581

Other Products:
==============

ActivCard
  http://www.activcard.com/
  http://www.activcard.com/products/activpack_win_specs.html?m=1
A pretty general system, touting its support of the Windows platform
and indirect support of Unix systems. Flexible in the types of tokens.
A five pack of tokens was priced at $200 at CDW, but they are
mysteriously "out of stock". I have no idea of the pricing of the
software part of the product; if this sounds interesting, I can make
calls and report when I get feedback (use a clarification request).
There was some mailing list activity for this product, but primarily
about a Bugtraq report where information could be leaked out of the
product.
  http://www.securityfocus.com/archive/1/318498/2003-04-13/2003-04-19/0
At least that means it is in some level of use by some skilled system
administrators, but the support email in the posting did not sound
particularly sound.

Imecom Group
  http://www.secure-messaging.com/products/securelogin/tokens.htm
Selling Cryptogram Secure Login, has a number of different token types
(shown on the page above) and directly supports Windows logins and
indirectly logins on Unix / Linux platforms [would require a PAM
module].  Pricing is hard to find, a review a year ago indicated 100
euro per user for the USB token solution, but I cannot determine what
this includes / excludes. A look for mailing list feedback from
administrators found nothing.

Securikey
  http://www.securikey.com/professional/index.html
A USB token solution, appears to be for Windows only. Described on the
web site that it acts like a "car key" for the user, unlocking the
computer for use. No key, no access. Pricing for the "personal
edition" is $129 at Think Geek, no pricing of the professional product
(multiple users, set up for companies) was listed. I did find one
press release like item indicating at 200 users, the price per user
was under $50, but that was the best I could find. Also, no real
messages on various mailing lists about this product (other than some
interest, no real usage feedback).

As a side comment, Think Geek had several token / biometric products listed at
  http://www.thinkgeek.com/gadgets/security/
with varying prices. Other than the one above, I did not review the
others. Use a clarification request if you want further information on
one of these.

Product reviews:
===============

Network World (1998)
  http://www.nwfusion.com/reprints/0824review.html
SecurID is the last one listed - this article reminded me to include
the comment about synchronized time above.

SC Magazine (2001)
  http://www.scmagazine.com/scmagazine/2001_02/testc/prod2.html
  http://www.scmagazine.com/scmagazine/2001_02/testc/prod1.html
Also check page 1 with other security products. There are several
products listed with a summary of capabilities and drawbacks listed.
The only problem I had with this site was the almost uniformly 4 and 5
star ratings.

Negative feedback from a Canadian University using SecurID
  http://ist.uwaterloo.ca/security/ogf-rev/secure-id.html
Of main concern was multiple levels of authentication, the application
apparently had an independent authentication method. If you have such
applications, you may want to consider a more comprehensive solution
or some kind of integration to achieve single sign on (SSO).

Further Searches:
================

For specific feedback from users - questions and answers, I would
suggest review of mailing lists and related resources such as found by
a search like
  [product name here] mailing list
  [product name here] pricing
  [product name here] feedback system administration
  [product name here] security review
or replace that product name with a phrase like
  two token login
  two token security
as I used to get the information above. Note that most of the on line
web resources refer to SecurID - perhaps a reflection that it is a
mature product and/or the market leader.

If you need further research on some part of this answer - perhaps
additional details for one or more of the other products, please use a
clarification request. I can also make some further suggestions on
deployment, such as a phased implementation or training of staff if
you provide some information on the types of systems / users at your
site. Good luck with your deployment if you choose to implement this
kind of solution.

  --Maniac
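The PIN-plus-token-code flow described in this answer (a short PIN, a six digit code that is only good for about a minute, and a server whose clock must stay in sync with the card) can be illustrated with a small model of the server side. The following is an added example, not code from the original answer and not RSA's proprietary algorithm: it uses the generic HMAC-over-time-step construction (RFC 6238 style), a constructed seed, PIN and salt, and a hypothetical `AuthServer` class. It shows the three checks a practitioner would want: both factors verified, a tolerance of one time step of clock drift, and single use of each accepted code.

```python
import hashlib
import hmac
import struct

# Constructed demo values, not from any real token. In a deployment the seed
# exists only inside the token and on the authentication server.
DEMO_SEED = b"constructed-demo-seed-not-real"
DEMO_PIN = "4721"
DEMO_SALT = b"constructed-salt"

STEP_SECONDS = 60   # the answer says each pass code is good for about a minute
CODE_DIGITS = 6     # the card displays a six digit number


def token_code(seed: bytes, unix_time: int) -> str:
    """Six digit time-synchronous code: HMAC-SHA1 over the time step counter.

    Every second inside the same 60 second step yields the same code, which is
    why the card's bar graph shows how much of the current step is left.
    """
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def pin_digest(pin: str, salt: bytes) -> bytes:
    """Store a slow salted digest of the PIN, never the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class AuthServer:
    """Hypothetical authentication server holding one user's seed and PIN digest."""

    def __init__(self, seed: bytes, pin: str, clock_skew_steps: int = 1):
        self.seed = seed
        self.pin_digest = pin_digest(pin, DEMO_SALT)
        self.window = clock_skew_steps          # tolerated drift, in time steps
        self.last_accepted_step = -1            # for replay rejection

    def verify(self, pin: str, code: str, server_time: int) -> bool:
        # Evaluate both factors unconditionally so a failure does not reveal
        # which one was wrong; compare_digest keeps the comparisons constant-time.
        pin_ok = hmac.compare_digest(pin_digest(pin, DEMO_SALT), self.pin_digest)

        matched_step = None
        for skew in range(-self.window, self.window + 1):
            step_time = server_time + skew * STEP_SECONDS
            if hmac.compare_digest(token_code(self.seed, step_time), code):
                matched_step = step_time // STEP_SECONDS
                break

        # A code is single use: anything at or before the last accepted step is
        # a replay, even if it is still inside the drift window.
        if pin_ok and matched_step is not None and matched_step > self.last_accepted_step:
            self.last_accepted_step = matched_step
            return True
        return False


if __name__ == "__main__":
    now = 1_070_000_000                          # constructed Unix time
    server = AuthServer(DEMO_SEED, DEMO_PIN)
    shown = token_code(DEMO_SEED, now)           # what the card would display
    print("first login:", server.verify(DEMO_PIN, shown, now))     # True
    print("replayed code:", server.verify(DEMO_PIN, shown, now))   # False
    print("clock two steps off:",
          AuthServer(DEMO_SEED, DEMO_PIN).verify(DEMO_PIN, token_code(DEMO_SEED, now + 120), now))  # False
```

The last line is the failure mode the answer warns about: a card or server clock that has drifted past the tolerated window produces codes the server will never accept, so a synchronized time source (Network Time, as the answer suggests) is part of the deployment, not an optional extra.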

Request for Answer Clarification by colemgarcia-ga on 08 Dec 2003 20:41 PST
Mainly want more info on the USB solutions.

RSA's SecurID:
sounds interesting, but sounds like it is mainly for security with
remote access.  higher pricing may not be a problem, because it looks
like a very solid system.  how does the system handle 'locking' your
workstation when you get up for a coffee break, etc?  I want to
encourage 'locking' or logging off when people step away from their
terminal for a bit, but I don't want to drive them crazy.  Also, what
is the story with the 25 pack "starter's kit" pricing?  I can't find
on the RSA website information on a "starter's kit" or any limit on
its capability.
Frankly, I see the users complaining about fiddling with a keypad
every time they log in.  Does RSA offer a fob solution so the user has
to fiddle with less stuff?

Otherwise, the USB fob solutions you mentioned seem the way to go.  It
would be easy to offer front access of the USB port with an
inexpensive USB hub, and machines without USB can get the capability
with an inexpensive PCI card.

If the system is relatively inexpensive, I can live with Windows only,
looks like I have to.

What is the cost per user for 40 users for each USB solution,
hopefully with discount pricing?  What is the cost for adding single
users after, replacing damaged fobs, etc?  If the pricing is shrouded
in mystery by the vendor, forget them, I don't have time for coy
vendors.  Need to have a US distributor or rep, will not risk
headaches with foreign currencies, etc.

Can a workstation support multiple users, each with different fobs? 
Can it all be centrally managed? (I am thinking some solutions cannot
be centrally managed)

Thanks!

Clarification of Answer by maniac-ga on 09 Dec 2003 05:13 PST
Hello Colemgarcia,

Getting feedback from each vendor will take a little time, but let me
answer your other questions right now.

Q: How does the system handle 'locking' your workstation when you get
up for a coffee break, etc?
A: For SecurID and similar authentication systems, that would be a
function of the operating system. For example, on my PC, the screen
saver is set for 5 minutes of activity and requires a password to
resume work. That password would be from the card, just like an
initial login.

Q: Also, what is the story with the 25 pack "starter's kit" pricing? 
I can't find on the RSA website information on a "starter's kit" or
any limit on its capability.
A: A better description of a couple of different starter kits is at
  http://www.rsasecurity.com/partners/channel/ataglance/SWAAG_CS_0503.pdf
  http://www.rsasecurity.com/partners/channel/ataglance/SWAAG-AP_CS_1002.pdf
which is documentation for the resellers of the SecurID product. Both
list a 25 user server package with a variety of hardware / software
tokens but I can't tell for sure if this is strictly for resellers.

As an alternative, a search on
  SecurID starter kit
brings up a number of articles or resellers of this (and similar)
security products. For example
  http://www.lesjones.com/archives/2003_07_29_lesjones_archive.html
has a long description of problems with use of public internet sites
and recommends the use of SecurID including a link to
  http://www.securehq.com/group.wml&deptid=83&groupid=446
which describes the starter pack as
 o ACE/Server Base for 25 users,
 o 25 3-year SD600 Keyfobs,
 o and 1 year of technical support and software updates

Q: Frankly, I see the users complaining about fiddling with a keypad
every time they log in.  Does RSA offer a fob solution so the user has
to fiddle with less stuff?
A: Yes. I thought I had pasted this link in before, but here it is
  http://www.rsasecurity.com/products/securid/hardware_token.html
which shows the various token types. The PINPad is the most secure
choice, but if ease of use is more important, then choose one of the
other solutions.

I agree with the "ease of use" arguments for the USB tokens. They
don't help you in the remote access case, but if that is not an issue,
then you can certainly go this way.

Q: What is the cost per user for 40 users for each USB solution,
hopefully with discount pricing? [and so on]
A: I will respond later today with answers from the vendors I track
down. Of course, you already have prices from Think Geek for the items
offered there.

Q: Can a workstation support multiple users, each with different fobs? 
Q: Can it all be centrally managed? (I am thinking some solutions
cannot be centrally managed)
A: I believe this varies by product, but I read at more than one site
that multiple users were supported. The central management for all of
them should come through the Windows authentication set up. For both,
I will clarify with the prices.

  --Maniac

Request for Answer Clarification by colemgarcia-ga on 09 Dec 2003 09:28 PST
>> Q: Frankly, I see the users complaining about fiddling with a keypad
>> every time they log in.  Does RSA offer a fob solution so the user has
>> to fiddle with less stuff?
>> A: Yes. I thought I had pasted this link in before, but here it is
>>   http://www.rsasecurity.com/products/securid/hardware_token.html
>> which shows the various token types. The PINPad is the most secure
>> choice, but if ease of use is more important, then choose one of the
>> other solutions.

At that link I only see 2 types of tokens, hardware and software, and
both require a short PIN yielding a random password which is then
typed in by the user at the workstation.  Are there other types?

Based on your answer, it seems the USB fob is an excellent way to go,
and it can be easily used in a limited rollout, which I like.  I will
keep RSA's SecurID in mind, but will not consider using it at this
time.

>> Q: Can it all be centrally managed?
>> A: The central management for all of them should come
>> through the Windows authentication set up.

By centrally managed I mean that I could add, remove users from a
number of PC's all from my desk.  I think that is exactly what you
mean too, so we are on the same page.  I got the impression some of
the USB solutions worked with a little utility that runs on boot-up,
before Windows even gets a chance to run, I could be mistaken.

These 2 issues, plus the pricing info for the other vendors, and this
should wrap up the answer.  Thank you so much for your help!

Clarification of Answer by maniac-ga on 09 Dec 2003 19:26 PST
Hello Colemgarcia,

An answer to your SecurID question and an update about information
requests. I also found another vendor that seems to have much better
on line documentation / pricing for your consideration.

Q: At that link I only see 2 types of tokens, hardware and software,
and both require a short PIN yielding a random password which is then
typed in by the user at the workstation.  Are there other types?

A: Yes. There are complementary products such as
  http://www.rsasecurity.com/products/securid/datasheets/dsusbtoken.html
which is their USB token solution. It does not appear to have the same
ease of use features as the SecuriKey solution and based on your other
comments, it may be better to try the other solutions first.

To answer the other questions (central management, pricing) for the
other products (and a few others I looked up) see the following.

ActivCard
Previous references provide links to documents describing the
administration through the Windows Login Agent. Still waiting for
pricing details.

Imecom Group
I have an inquiry pending for pricing. The administration appears to
meet our needs from the previous references but I also asked for
benefits of their product compared to these others.

SecuriKey
I have asked for more information from the vendor of this product
since the on line documentation was a little meager. I have pricing of
the personal version at $130 each, but am waiting for professional
pricing for both the trial period and full deployment.

Aladdin eToken for PKI and Network Login
I found this vendor while looking for other information. They have a
lot of good online information and pricing data. For references, check
out
http://www.securehq.com/item.wml&prodid=38630&deptid=79&sessionid=2003121443313499
for a general description and single unit pricing,
http://www.ealaddin.com/etoken/enterprise/datasheets/DS_smartcard.asp?cf=
for some screen shots and other general descriptions
http://www.ealaddin.com/support/list.asp?selectProduct=et&pd=eToken%20for%20Microsoft%20Network%20Logon&vr=3
for detailed information and downloads,
http://www.securehq.com/group.wml&storeid=1&deptid=79&groupid=370&sessionid=200312921463021213
for pricing data. I wish the other vendors had this level of detail in
their web sites.

I believe we are getting close to a good solution for your company.
  --Maniac

Clarification of Answer by maniac-ga on 10 Dec 2003 15:20 PST
Hello Colemgarcia,

Some more information - Securikey provided a nice response to my
inquiries as follows:

Evaluation / Trial Offer
We can let legitimate businesses "borrow" a 5 user system for
evaluation purposes.  You (or they) may request the eval package by
contacting me directly; I will forward them (you) a simple evaluation
agreement for review and signature.

40 Seat Deployment
All of our costs, divided by 40 seats, would be approx $86 per user.

Central Management
I can forward a copy of the documentation in the form of a help file.
Basically, we do not replace the Windows User profiles. Instead we camp
on top of the Windows user management system via a simple MMC snap-in.
Simply stated, we provide two-factor authentication to a Windows
login. The domains and Active directory remain untouched and intact.

Why SecuriKey and not other solutions
The other alternatives involve some sort of biometric device or moving
to PKI security solutions.  PKI is not cost effective for a small 40
user office. The "I" portion of PKI stands for Infrastructure and can
cost an enterprise thousands of dollars to set up and administer.
Biometrics sound cool and "James Bondish".  The coolness quickly
evaporates when the users and administrators have to deal with false
positives, false negatives and spoofing with such "high tech" hacking
tools as silly putty and Jello.

I can certainly second the comments related to biometrics. There are
some good articles about how fingerprint recognition systems can be
easily defeated with about $5 in materials and a relatively short time
in preparation.

I will follow up with other vendor responses if they get back in the
next day or so.
  --Maniac
colemgarcia-ga rated this answer: 5 out of 5 stars and gave an additional tip of: $10.00
Very dogged research!  I greatly appreciated it, since I have limited
time to research myself.  Very professional as well.

Comments  
There are no comments at this time.
