Two-factor Authentication Using A Hardware Token


We ran into a friend a while back who was logging into her employer’s Virtual Private Network on the weekend. She caught our attention by whipping out her keys and typing in some information from a key-fob. It turns out that her work uses an additional layer of protection for logging into the network. They have implemented a username, pin number, as well as a hardware token system called SecurID.

The hardware consists of a key-fob with an LCD screen on it.  A code is displayed on the screen and changes frequently, usually every 60 seconds. The device is generating keys based on a 128-bit encryption seed. When this number is fed to a server that has a copy of that seed, it is used as an additional verification to the other login data.

This seems like a tech trickle-down of the code generating device from GoldenEye. It does get us thinking: with the problems free email services have been having with account theft, why aren’t they offering a fee-based service that includes a security fob? With the right pricing structure this could be a nice stream of income for the provider. We’re also wondering if this can be implemented with a microcontroller and used in our home network. As always, leave comments below and let us know if you’ve already built your own system using these principles.

Update: Thanks to Andre for his comment that tells us this type of security is available for Apache servers. The distribution includes a server side authentication system and a Java based token generator that can run on any handheld that supports Java.

106 thoughts on “Two-factor Authentication Using A Hardware Token

  1. Disappointed at the fact that hack-a-day just ‘discovered’ basic 20-year-old security technology everyone knows about.

    Pleased the average reader is familiar with and/or screwed with these already.

    Readers – Good work, carry on.
    Hack-a-day – WTF? look around once in awhile. The world isn’t entirely arduino-based.

  2. That Yubico thing looks neat. That would be easy to implement using just an AVR, a clock chip, and a battery. A couple of 8-pin surface mount chips could easily fit into a small key fob. There is already code out there for emulating a keyboard on AVR.

    The PayPal card had RFID hardware on it (I don’t know if it is activated). I’m hoping that someone figures out how to reprogram the key on those cards so they can be repurposed for custom applications.

  3. Along with the fob SecurID also provides an application, a softtoken they call it, oppossed to the fob which they call a token, that you feed a seed from the server and then it generates the code based on the system time.

    It would work on the phone as you just would have to set your clock correctly.

  4. I was hoping that someone had actually done his own Hacka-token. Only to find that it was just a SecureID token which has been around for well over the decade that I’ve been issued with various incarnations of these Tokens. Various PAM modules are around for all sorts of UNIX and no doubt windows variants, I don’t know if you can “re-Use” existing tokens or do you need extra information not physically on the token to derive the key…. This would be more interesting …Sorry

  5. Doing it yourself is not that hard as the algorithm does not need to be that complex.

    Hard part is fitting the algorithm in a nice and clean pocket size device.
    (for a reasonable price ;-)

    Thats why I wrote the midlet for my mobile (see posting above), if anyone wants to give a go on a PIC or atmega, javascript source code is included on my project page and one can download the java midlet project from the same page.

  6. Yep, old, also old-ish but similar – in the UK a challenge/response bit of hardware has been getting popular with banks for online banking, you insert your card into something which looks like a calculator, enter your pin + a code the website gives you, and it gives you another code you enter back into the website. Have these turned up in the USA yet (not being sarky, honest, just interested!). I assume the challenge code provided is hashed (based on account number & transaction amount or something?) and you’re entering the resulting value, anyone know any different?

  7. It’s so old. I’ve been using it for over a DECADE! :)

    There’s plenty of variants of it. The cutest one do not require a keyfob but can be installed on the cell phone as an app (you only need to distribute the seed), so there is not need for an additional gadged. The one I’m using for about 3 years now is the CERB solution made by:

  8. I’ve been trying to find a local vendor for these keyfob-substitutes, but all I have so far is a demo card:

    They look cheap enough (in theory) to junkmail to potential customers, and no more inconvenient than a keyfob. (If they open-sourced it, I think they could put SecureID out of business.)

  9. This is not something I’d make myself for security. I’m assuming RSA did it right, which they probably did given that they’re almost exclusively a security company. Typically these devices are protected from disassembly and key extraction down to the silicon level–there are likely tamper sensors on the chip itself, so that removing power or trying to de-encapsulate the chip will immediately cause complete erasure of the memory (look up some of dallas’s secure microcontrollers for some examples). Unlike your ol’ standard DRAM or SRAM, the memory cells they use are also designed to leave no trace whatsoever when the power is removed, so you can’t do things like freeze attacks. (I think there’s also an on-chip temperature sensor that causes forceful erasure of memory on most of these guys if you try that attack anyway)

  10. my work uses a similar OTP system, but instead of carrying a seperate keyfob I get a SMS message to my registered work phone when I log in giving me a 6 digit number which expires after 5 minutes. saves on the cost of extra hardware

  11. I’ve been thinking about this a while ago: I’m using full harddisk encryption on all my systems. Sometimes my girlfriend needs to have access to them as well, even when I’m not around. I really don’t want to tell her 20 Bytes over the phone, so I thought I’d implement a device that acts like a smartcard:

    Within the next days I will implement this in hardware. I expect that to be reproduceable & stable in two weeks ;)

  12. Thank you, hackaday, for this hackless, everyone-has-already-seen-it, absolutely uninteresting post.

    And not even a mention to how if you get a hold of the seed, the token’s useless.

    What is all this irrelevant posting, really?
    A bunch of writers keeping up their writing quotas?
    If there was one thing this website would benefit from, it’s _less, more relevant_ content.

  13. CardXX used to (maybe they still do) manufacture these in a credit card format. Thin-film battery with an LED based display. Looked really slick since they were so thin and still had LED’s…

  14. I can’t believe you guys are holding this up as a “hack”. Do you not live in the same world as the rest of us? Every company and government agency I’ve ever worked for has used these tokens.

    What’s up for tomorrow’s hack – sending data over a wire? Recording spoken words on paper using a pen? The wheel?

  15. >> #comment-102824
    @Simon, I agree, one a day. and maybe a preview page where we can see/vote the submissions?

    I think the value here is clearly all the opensource implementations everyone shared above, as well as the discussion itself.


  16. Hardware dongles for DRM on software have been around a while too, just not in use as much as software protectors like AsProtect, SecuRom etc..

    I’ve actually seen a couple variants reversed. I think Securemetric still offers hardware fob DRM.

    You put some anti-debug on a PE, then generate VM op codes and string crypto off of an algorithm internal to the fob, which has no debug interface on the chip, and you have an insane level of software protection. Just make sure the PE VM thread that does inline emulation can’t be patched to dump VM translations like VMprotect/SecuRom/Themida are susceptible to.

    I’ve also seen RSA dongles used, this was at a state government data center though. You could in theory still get the data by hooking input in an OS. This is why I use Password Safe.

  17. I’ve got the paypal one of these.. (not the credit card sized one.. this ones tiny)

    Its an awesome bit of kit.. and fully compatible with ANY sites/apps that use Verisign Identity Protection (VIP).

    If you loose your fob theres also a backup service that will one time text (SMS) a code to a pre registered mobile.. so you can get a code that way to login if you have the registered phone with you.

    Dunno why more places dont use it.

  18. Don’t forget – a year or two it was going around in the Geek News that there are sniffers sitting in the StarBucks of the world who can see the PIN and SecurID generated number that you typed and if they can then also enter the same PIN and Toekn Number before the SecurID Token Number changes – they are In!!
    Just don’t hit Enter/Send until the number is just about ready to expire! (Try getting 1000+ people in your Company to do that!! ;-)

  19. Wrong. You can’t use the same number twice in a row.

    Case in point: I have to log in to a VPN, then I have to RDP to a server. The VPN connection requires a one-time pass from my SecurID fob, and maybe 10 seconds later I can get the RDP prompt, which also asks for my OTP from SecurID. I always have to wait for the number to change before it will let me in. The central authentication server won’t let you use the same number twice between changes.

  20. @SecurID: I highly doubt that’s how it works. The ones I have used void that generated number the moment it is used to successfully login and won’t accept it again, thus someone would have to enter your SecurID number and login with it /before/ you get to do so yourself, which is probably possible but improbable.

    Those have been around forever, even world of warcraft offers this.

    That made me think of a similar authentication factor for ssh, called skey. It’s basically a one time password authentication scheme. When you login, instead of a password, the system offers you a challenge, which you enter in an OTP generator along with your passphrase, which in turns generates a one time password that looks a bit like this:


    Once you authenticate with that password it’s null and void. And since the OTP algorithm is pretty simple (it uses SHA1 in the latest revisions) you can easily get an OTP generator for your phone (j2me, iphone, etc). This way you never enter anything sensitive into the computer you are logging into, which thwarts keyloggers. Perfect for internet cafés and untrustworthy places.

  21. I really appreciate aXon’s link…I have one of these. I actually have a really nice small version -for the hip Sys Admins. Just this morning I was trying to think of a way to pass the credentials from my nt terminal server session to the server session(0) where the authentication window opens. I figured I would use a javascript to authenticate the token and get the next numbers in queue on my webserver and then run the code I receive as a send key (using the next code supplied) to my server. Why? Why not figure it would be cool to add to my current virtual pc in a Win2kAS terminal services session.

  22. RSA has already released a software app for the iPhone/Blackberry. We use the soft and hard versions at my job for VPN and OWA. You still have to use a PIN to get a correct code, which is an 8-digit code instead of the keyfob’s 6-digit code. The software always gives you a code, it just give you a bad code if you use the wrong pin, so you can’t tell until you try to use the code. If the server is on a 4-try lockout, it is pretty secure. Your ID is set through an encrypted user token that is imported into the software. The only way to hack this is if you know the PIN and acquire the token, you can get in.

  23. You kids…

    I used to administer a secureID server I believe I bought it in 1995. Ran on a solaris sparc 10.

    I was running version 3.52 of the code, not exactly new.

    They allow all sorts of devices, software and operating systems to authenticate using radius or tacacs to a centralized server, the user has a 4-8 digit pin and enters a usrename and the pin+the code on the fob.

    The server keeps track of the fob, and knows what the code on it should be at any particular time. Each successful login resets the clock sync, if you don’t login for a while (or the server has a lot of clock drift) you need to get in touch with the admin to sync the pin manually. If you are a doofus and reset the system clock to 1985 to try to avoid Y2K bugs then all 5000 people on the server have to call in and resync, as my replacement discovered.

    A successful login makes the user unavailable until the code changes. A code entered wice puts the token into next token mode, which can be annoying. I think you can enter your pin in reverse to get an under duress login, if someone has a gun to your head trying to get into your bank account, or sensitive system. The admin gets an email and is supposed to call the cops.

    I did this twice, it always involved alcohol.

    You would need to do a man in the middle attack to hijack the ssl or IPSEC connection, and then enter the code into the remote system before the user and send user a bad result somehow. This is all encrypted so, good luck super cracker.

  24. This is news? lol.

    These things like a few of you had said have been around for so many years. AOL Oppsec employees used to have them to log into their internal accounts.

    When you’d log into one of the employee’s internal’s accounts you couldn’t sign on without the current key. The way around that was to use a very out of date AOL version, hehe.

  25. It seems to me there are two possible approaches to this using something people already carry.
    A cell phone.

    Option 1: Mobile Phone Synchronized Encryption App
    An App could be written for various phones (iPhone, Pre, Android,
    ect … ) that work on the same concept of an encryption key. The user
    could generate his own custom key, and enter it into his phone via SD
    card, SMS, or EMail. This key would be unique to his account allowing
    only him to log in. The code would change every few minutes and use
    the cell network clock as the source. This would work just like the RSA Key Fob.

    Option 2: Randomly Generated Code sent via SMS
    A new code could be randomly generated and
    sent to the user’s phone via SMS. The code would include upper and
    lower case letters, numbers, and special characters, just like any
    good password should. Each code would only be valid for a few minutes
    and logging on before the server had received the request for
    the code would be prohibited.

    of course it could be hacked,
    Just like any other security method.
    But it does stack the odds to be more in your favor.

  26. We use the Cryptocard version and it works fine. The person that said it can be compromised if you’re using it from Windows clearly doesn’t understand the technology.

    Until biometrics and RFID implants have matured, this is probably the most effective protection against illegal access.

    Not cheap though!

    And yes, it requires a user PIN and the code from the token to gain access; the user still then has to login to the domain. You can get SSO options but in my book that weakens security so why bother?

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.