USB security tokens may not be as secure as you think

USB tokens aren't as strong as you think. Multifactor authentication is meaningless when the supporting software is insecure.

Strong multifactor authentication is crucial for high-security environments. Even strong password policies can fail in the face of cracker tools and users who carelessly share passwords or write them on Post-it notes.

USB security tokens give security managers the proverbial "something you have" and "something you know." Further, the token provides secure storage for multiple login credentials, so users need to remember only a single password or PIN to access a VPN, network login, sales and marketing intranet or employee Internet site, making the USB token an attractive authentication solution.

Information Security tested tokens from ActivCard, Aladdin Knowledge Systems, Authenex, DataKey (using a SafeNet token) and Griffin Technologies on ease of setup and configuration, administration and the range of supported applications (see "About This Review"). The upshot? Although the tokens themselves are secure, we found disturbing security weaknesses in the client software. Each of the tested tokens has flaws that could allow an intruder or thief to bypass the token protection and gain access to the network and local hard drive.

The tests also revealed a wide range of differences (see "Report Card"). But first, let's examine the security problems that undermine this otherwise promising security technology.

End runs

The tokens themselves aren't the security problem. A year ago, there was considerable risk that firmware and certificates could be copied from the hardware itself, but the OSes supporting the latest generations of tokens are black holes, running on ARM microcontrollers that turn off the section of flash memory that holds critical information.

The weakness is the client software. Vendors continue to overlook or ignore problems that circumvent the tokens' security and diminish their effectiveness. Does the software really provide a layer of security? Each of the five tested products had issues in one or both of these problem areas:

  1. Plaintext passwords/PINs. The authentication process is controlled by software on the token. The password/PIN should be hashed prior to being passed to the token for authentication. However, in three of the tested products we found passwords or secret words in plaintext on hard drives. That means a hacker could grab an unattended laptop, steal the token, scan the hard drive with a disk editor and find the password/PIN. The hacker would then have both items he needs for two-factor authentication.
  2. Safe mode bypass. Consider a very large enterprise that's frequently targeted by competitive intelligence spies. If these spies get hold of a senior executive's laptop with strategically important data, how difficult would it be for them to boot the machine without the USB token? As it turns out, it would be child's play--with the exception of the Griffin Technologies offering. Why? Because the spy could boot up in safe mode, completely bypassing the token and its software to access the hard drive.
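The plaintext-on-disk finding above is easy to test for in your own client software. The following is an added example, not code from any of the reviewed vendors: it shows the weak pattern (the PIN written to disk as typed) beside a hardened pattern that keeps only a salted, slow-hashed verifier, plus a self-check that searches the raw on-disk bytes the way a reviewer with a disk editor would. The record layout, the PBKDF2 work factor and the sample PIN are all constructed for the example.

```python
"""Constructed example: client-side PIN storage, weak vs. hardened, with a
disk-editor style leak check (not any vendor's code)."""
import hashlib
import hmac
import json
import os
from typing import Optional

# Assumption: a work factor in line with current password-hashing guidance.
PBKDF2_ITERATIONS = 600_000


def store_plaintext(pin: str) -> bytes:
    """The weak pattern the review describes: the PIN lands on disk exactly
    as the user typed it, so a disk editor recovers it directly."""
    return json.dumps({"pin": pin}).encode("utf-8")


def store_verifier(pin: str, salt: Optional[bytes] = None) -> bytes:
    """Hardened pattern: persist only a per-record salt and a PBKDF2-HMAC-SHA256
    verifier. The PIN itself never reaches the disk."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    record = {"salt": salt.hex(), "iters": PBKDF2_ITERATIONS, "verifier": digest.hex()}
    return json.dumps(record).encode("utf-8")


def verify_pin(record: bytes, pin: str) -> bool:
    """Recompute the verifier from the stored salt and compare in constant time."""
    rec = json.loads(record)
    salt = bytes.fromhex(rec["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, rec["iters"])
    return hmac.compare_digest(digest.hex(), rec["verifier"])


def leaks_secret(disk_bytes: bytes, secret: str) -> bool:
    """Deployment self-check: does the raw artifact contain the secret in the
    encodings a Windows client is likely to use (UTF-8 or UTF-16LE)?"""
    candidates = (secret.encode("utf-8"), secret.encode("utf-16-le"))
    return any(c in disk_bytes for c in candidates)


if __name__ == "__main__":
    sample_pin = "7391-alpha"  # constructed sample value
    weak = store_plaintext(sample_pin)
    strong = store_verifier(sample_pin)
    print("plaintext record leaks PIN:", leaks_secret(weak, sample_pin))
    print("verifier record leaks PIN: ", leaks_secret(strong, sample_pin))
    print("verifier accepts correct PIN:", verify_pin(strong, sample_pin))
```

Two caveats a practitioner would add. First, the best client-side store for the PIN is no store at all: the token holds the verification logic and a retry counter, and the host should only pass the PIN through. Second, a verifier for a short numeric PIN is still guessable offline once the laptop is in an attacker's hands; the slow hash buys time, not immunity, which is another reason the check belongs on the token rather than on the hard drive.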

The vendors say enterprises that employ file and folder encryption products or PKI solutions won't have this problem. That's reasonable if encryption and PKI are already part of the enterprise security strategy.

But, even in that case, what's really providing the protection? It's the encryption and/or PKI, not the token/software, which raises the question: Do token products provide any value beyond convenient storage of application/Web credentials? The network logon component certainly isn't providing an additional layer of security, and, if a bad guy can crack or steal the network password, he can boot in safe mode with network support and manually log in to the network.

Given the advancement of today's programming technology, it should be easy to build a mechanism that prevents or controls authenticated access via safe mode--Griffin Technologies has already proven that it can be done.

If and when these security flaws are addressed, you will be able to judge the products on their merits--ease of installation and configuration, administration and the range of features they support (see "USB Token Features").

ActivCard

ActivCard USB Key was one of the stronger solutions tested, but it was hampered by the plaintext/password problem and ActivCard's failure to provide the components needed to test its full feature set.

ActivCard's strong suit is its broad assortment of supported applications. Unfortunately, we couldn't test them all because ActivCard requires a complete public key infrastructure--the other products had a disconnected mode login option.

Further, ActivCard failed to supply us with all the client software necessary to test its GINA and Web credentialing features. (Information Security asked vendors to provide all the authentication components of their solutions.)

The token can be circumvented by safe mode bypass, but ActivCard does encrypt its passwords.

USB Key's features are impressive. ActivCard Gold automates the sign-on process to the network and integrates with existing PKI infrastructures. Additionally, the ActivCard ActivPack provides one-time password authentication. The SSO product supports token authentication for any Windows, Web, Java or hosted application. The suite includes VPN, firewall and Citrix support.

Unfortunately, each of these products is a separate installation with little more than external documentation to guide the infrastructure build. Consequently, deployment in a large enterprise would be a challenge. ActivCard desperately needs a wizard-based process that allows a cafeteria-style installation of any or all of these clients.

The basic documentation, though, is rock solid and enables the easy installation and configuration of both the client and administrative components. The only drawback is minimal online help.

ActivCard enjoys the widest platform support of the five tested products--Windows, Novell, *nix and Mac OS--as well as support for Active Directory and LDAP.

ActivCard, alone among the five vendors, sports a state-of-the-art remote help desk that allows a user who has forgotten his password--for example, while he's flying at 30,000 feet--to sign in using a temporary password/PIN.

ActivCard is worth watching as its products mature.

Aladdin Knowledge Systems

Aladdin's eToken, with its good feature set, smooth installation and easy management, scored best overall, although its lack of documentation was frustrating. Security--the ability to bypass the token via safe mode--keeps it from being the no-brainer choice among the tested products.

Aladdin has strong application support, especially for file and folder encryption products such as PC Guardian and Pointsec Mobile Technologies. It also has solid support for Web-based application access, VPNs and secure e-mail.

Aladdin requires Active Directory and LDAP. However, it lacks Novell and *nix support, which is problematic for organizations implementing Linux on any scale. Additionally, the Web Sign On client is an Internet Explorer plug-in, while the other products are browser-agnostic.

Installing eToken is relatively straightforward. It's the most polished of the tested products, but the lack of printed documentation was a nuisance. We had to dig through several large PDF files and search Aladdin's Web site for directions.

As with ActivCard, the suite requires separate clients for each function. The fact that it supports a wide range of applications makes the number of discrete client installations a burden. A wizard-driven interface would go a long way toward greater usability.

Authenex

Authenex's A-Key boasts the largest number of supported applications of our tested products but is dragged down by torturous installation and security flaws--it's susceptible to safe mode bypass, and the required "secret key" for the server installation is stored in plaintext on the hard drive.

We spent several hours digging through Authenex's voluminous, but poor, documentation looking for clues on starting the installation. Only after a lengthy tech support call were we finally up and running. Authenex maintains that its sales engineers would have typically given us white papers to ease installation. Nevertheless, we never found the documents that are supposedly posted on the Authenex Web site.

Deployment and administration can be a nightmare. Authenex has separate clients for just about everything, except one that stores logon credentials. This means that instead of deploying one client that incorporates all updates, enterprises must update each client app. This is a major headache in terms of version control, security hot fix deployment and verifying that any version change to one client won't adversely affect others or the desktop itself.

Authenex supports only the Microsoft GINA and AD.

The server installation requires two USB keys to create and use the server. The catch: Windows 2000 recognizes new hardware as you insert the keys and reboots the server in the middle of the installation. Two tokens are needed for the server and one for the client logon, which becomes troublesome when you only have two USB slots in the front and four slots in the back. Trying to manually switch the locations of the tokens while Windows 2000 was trying to reboot (because it, again, recognized new hardware) was like a tragicomic dance. Basically, we had to insert the tokens into every USB slot until Windows 2000 recognized the token in all of them.

This shouldn't be an issue in Windows XP or 2003 servers because both do a full search of all USB slots the first time any are accessed.

This is all a shame in light of Authenex's rich feature set: Web access and extensive support for VPNs, encryption products, secure e-mail, popular firewalls and Metainfo DHCP. Authenex has the right components, but it certainly needs to create a more cohesive and secure package. Large enterprises will find implementing A-Key a challenge.

DataKey

Datakey's software--marketed in our test product as SafeNet iKey--is highly flexible, supporting just about any application but carrying tremendous administrative overhead.

The database server must be built first because the client is produced from the server. Every time security managers want to modify a client app or change a single policy, they must create and deploy an entirely new executable.

Every Web site requires a separate user name, login and policy describing client and token credentials. Security managers must manually create a new executable for users' stored credentials to every app, including the browser front end to Web-enabled e-mail, the travel- and expense-reporting Web site, the health and benefits Web portal, etc. Imagine the headaches of updating multiple custom apps and worrying if one modified app will "break" the others.

ActivCard, Aladdin and Authenex sacrifice this flexibility for usability. Each provides out-of-the-box clients, so, if the product has the VPN and Web access support you want, it meets your needs; any changes are through vendor updates.

Considering the administrative burden of the Datakey approach and the number of applications the other vendors support, it's a reasonable tradeoff for most organizations: Less flexibility, less work.

The Datakey installation went without a hitch; the interface is positively elegant, and the documentation is straightforward and easy to follow. The product works well with Microsoft, Novell and *nix.

The suite includes Smart Recovery, a useful utility through which a user can gain basic network access through a password if he loses his token.

But, Datakey struck out on security. The password credential is stored in plaintext on the hard drive, and the token can be bypassed in safe mode.

Griffin Technologies

Griffin Technologies' SecuriKey also requires the server to be built first. This is less of a hassle, however, because Griffin provides only the most basic USB token functionality--network login authentication--and doesn't provide any repository for Web/application credentials or LDAP support.

The server and client setup is easy enough by following Griffin's good documentation. However, additional manuals and documents are only available from technical support.

The online help wasn't useful. It's virtually impossible to find out how to manually change the token password. In fact, we typically received only basic Windows command help--not Griffin product help--through the help menu.

Significantly, SecuriKey was the only product to block safe mode access--demonstrating that this capability should be within the means of all USB token vendors. However, we did find the password in plaintext on the hard drive.

Like Datakey, Griffin's custom client function affords broad cross-platform support for Windows, Novell and *nix.

Griffin is working hard to enter a competitive field, but overall it has quite a journey ahead to compete effectively.

Not there yet

None of these products are quite where they need to be. All have serious security flaws and received mixed grades on installation, administration and application support.

Overall, Aladdin and ActivCard are nearest to the mark, but both are in need of a more cohesive client installation process. Large enterprises won't want the headaches of maintaining multiple client components to ensure that this one layer of security is working as expected.

Authenex needs to focus on client usability. It has tremendous technology and a wide range of integration clients, but the suite is difficult to navigate and would be a maintenance nightmare.

Griffin is a very basic network logon client and needs a richer feature set. It does, however, have safe mode blocking, which we believe is critical.

The Datakey partnership with SafeNet needs more time in the oven before it's fully baked.

About the author:
Tom Bowers, CISSP, PMP, CEH, is manager of information security operations for a Fortune 100 pharmaceutical company and has been a featured speaker at numerous security conferences.
