Educause Security Discussion mailing list archives
Re: USB key
From: Morrow <morrow.long () YALE EDU>
Date: Mon, 8 Nov 2004 22:50:47 -0500
We've bought 35 of the RSA 6100 USB Tokens and are using them for our Windows enterprise and domain admin accounts as we also felt that such important accounts needed 2 factor auth.

http://www.rsasecurity.com/node.asp?id=1220

These devices can be used in a manner similar to the SecurID Card and SecurID Keyfob (you need to use the SecurID 'software token' software on the host and you need to store the RSA SecurID symmetric key on the USB key PIN protected).

However the method that we use for authentication is to store X.509 certs on them (the private key can be locked to the device) and use the on-device h/w RSA public key crypto (the private key for the cert never leaves the USB device). We generate the certs on the device using Microsoft's Certificate Server integrated with our Active Directory. We use the RSA Passage software to provide Windows login via the 6100 USB tokens.

The devices work with both local Windows login as well as for Remote Desktop (e.g. into servers over the network). We're using them on both XP Pro desktops as well as Windows Advanced Server 2003. We've had fairly minimal problems with software on a few computers (driver &/or login software).

The h/w price isn't bad but the cost of licensing the Passage s/w and yearly maint. drives up the TCO.

They can store multiple certs (though only one can be the default active one for the purposes of Windows login apparently) as well as passwords and Java applets. Too bad they don't have a lot of storage space (e.g. to carry around files) on them as well.

We also looked at the Sony Puppy (cert auth token plus Thumb Drive plus fingerprint scanner). It didn't support all of the functionality we needed plus it is quite expensive (but you don't need to carry a separate Flash Ram USB drive as they have quite a bit of storage on them).

We also looked at the Authenex and Aladdin (eToken).

- H. Morrow Long, CISSP, CISM
Director - Information Security
Yale University, ITS

On Nov 8, 2004, at 5:14 PM, Joel Rosenblatt wrote:
Theresa,

RSA (www.rsa.com) makes a USB version of their SecurID card .. same security as the card, but it plugs into a USB port.

Regards,
Joel Rosenblatt

--On Monday, November 08, 2004 3:54 PM -0600 Jim Schug <schugj () MATC EDU> wrote:

Theresa,

I've had good success with using a fingerprint reader on notebooks. There are keyboards that have fingerprint and/or card readers that may work for you as long as remote access isn't a concern.

Jim

At 02:09 PM 11/8/2004, Theresa M Rowe wrote:

We've had a situation here that now leads us to believe that we can no longer rely just on passwords for critical system areas, such as domain administrators. We need to start implementing something you have in addition to something you know. We are looking for two way authentication with a USB key device, but not a card. Any suggestions?

Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services