Exploring Hard Tokens

I'm currently looking around for a great all-around solution for identity management. Apart from offering top-notch security, the main criterion is that it should be very simple and easy to use.

The User Is The Problem

Everybody knows the basic identity management method: the username & password. The problem with it, though, is that it makes your system only as strong as the user's weakest effort to safeguard it. We've all seen ridiculously simple username & password combinations, people sharing credentials with others or just being sloppy and somehow making their confidential info available to the world…

Sure, there are ways system administrators can try to enforce the use of secure passwords… There's the rotating password technique for example (welcome01, welcome02, etc.), where the number at the end indicates the month of the last password change. But this method is quite well known by now, so not very secure… There's also the special characters method (Pr0d@dm1n anyone?). The problem here is that people tend to use the same special characters as character replacements. So the special characters are not that special after all, rather predictable actually… And you still depend on users safeguarding their credentials, which is unfortunately not a given.

So a system purely based on users safeguarding it has obvious limitations, as many don't understand the risks, while simple methods are too often common knowledge and therefore unreliable… So now what?

Soft Tokens

Another simple solution would be to base identity management on something unique a user possesses (a digital key) in combination with credentials. That sounds great! You could distribute digital X.509 certificates (.p12 files) along with secret PIN codes to access them. Users just need to install them in their browsers and BAM! Ready to rumble!

Could it be that easy? Well... no, not quite. A digital X.509 certificate in a .p12 file is a soft token and is therefore linked to a device and maybe even to a specific network. And in today's business world, users want to access their stuff all the time, from anywhere and on any device. So what happens is that someone in the office inevitably installs the certificate on his smartphone - and voilà! He can access the secure and private company information from anywhere and at any time. Good for him! But what about your company security? What if he loses his phone? Is it even a company phone? Is there a policy for it?

Hard Tokens

Ok, so security based on soft tokens is an improvement, but it could still lead to disaster… Hey, maybe a hard token! Yeah, something you can hold on to… hardware! That's cool, we all like gadgets… right!?

X.509 certificates are pretty common, so let's use something based on that technology… It sure is easy on the server side, no infrastructural changes… we like that! We only need to buy and distribute some hard tokens and again, users are ready to rumble. Well... not quite yet. It turns out that while X.509 certificates are commonly used, there's not much in the way of standards when looking at the hardware. There are issues with interoperability (between the different OS types) and connectivity (there sure is a wide collection of hardware types!).

To keep it simple, let's use a USB token. Hmmmm... Windows AND OSX was a requirement, right... It turns out this avenue leads straight to driver hell! Unsupported devices, new OSes that are not (yet) supported, incompatible drivers, etc. Quick tests led to a world of system administrator pain…

The Solution?

But there might be a simple but effective solution yet! A YubiKey… This is a really simple and smart device. It completely bypasses the driver hell as it works like a USB keyboard. Therefore it works on all OS/device types (Yes, even on my iPad!).

There are two ways of using it. The first is with a pre-shared key. A simple 'click' on the YubiKey and a really long combination of characters is generated. The other way of using it is to program a fixed set of characters into the device. That last one is what I'm currently exploring. I've bought one of them to play with (they're quite inexpensive compared to other security solutions) and I've programmed a 32-character random string on it. Besides that, I've memorized a rather short (4-character) digit code. The combination of the 4-digit code and the 32-character random string (that I don't know) is now my identity key. A password of 36 purely random characters. Take my word for it, password security check programs go all green with this password! I'll also check out the pre-shared key variant from Yubico and will update the blog.
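The fixed-string scheme described above, worked through on the server side as an added example (not code from this blog or from Yubico): it generates the 32-character string, stores only a salted scrypt verifier, and breaks the credential's entropy into its PIN and token parts. The 62-symbol alphabet, the PIN-first ordering, the scrypt parameters and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import math
import secrets
import string

# Assumption: the token is programmed with characters from this 62-symbol set.
TOKEN_ALPHABET = string.ascii_letters + string.digits
TOKEN_LEN = 32   # static string stored on the hardware token
PIN_LEN = 4      # digits the user memorizes


def new_token_string() -> str:
    """Generate the static string with a CSPRNG."""
    return "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LEN))


def entropy_bits() -> dict:
    """Split the credential's strength into its two parts."""
    token = TOKEN_LEN * math.log2(len(TOKEN_ALPHABET))
    pin = PIN_LEN * math.log2(10)
    return {"token": token, "pin": pin, "combined": token + pin}


def _derive(credential: str, salt: bytes) -> bytes:
    # scrypt makes offline guessing against a leaked verifier expensive.
    return hashlib.scrypt(credential.encode(), salt=salt,
                          n=2**14, r=8, p=1, dklen=32)


def enroll(pin: str, token_string: str) -> tuple:
    """Return (salt, verifier); the server stores these, never the credential."""
    if len(pin) != PIN_LEN or not (pin.isascii() and pin.isdigit()):
        raise ValueError("PIN must be exactly 4 digits")
    salt = secrets.token_bytes(16)
    # Assumption: the user types the PIN first, then presses the token button.
    return salt, _derive(pin + token_string, salt)


def verify(submitted: str, salt: bytes, verifier: bytes) -> bool:
    """Check the typed PIN followed by the token's keystrokes."""
    if len(submitted) != PIN_LEN + TOKEN_LEN:
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_derive(submitted, salt), verifier)
```

`entropy_bits()` shows the PIN contributing about 13 of roughly 204 bits, so the strength of the combined password rests almost entirely on the 32-character string staying on the token.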

 

Basically, with this solution your system is only vulnerable if your users share their hardware and credentials on purpose… It takes the sloppiness out of the equation and it's really easy for administrators…