Educause Security Discussion mailing list archives

Re: USB key


From: Morrow <morrow.long () YALE EDU>
Date: Mon, 8 Nov 2004 22:50:47 -0500

We've bought 35 of the RSA 6100 USB Tokens and are using
them for our Windows enterprise and domain admin accounts
as we also felt that such important accounts needed 2 factor auth.

       http://www.rsasecurity.com/node.asp?id=1220

These devices can be used in a manner similar to the
SecurID Card and SecurID Keyfob (you need to use
the SecurID 'software token' software on the host and
you need to store the RSA SecurID symmetric key on
the USB key PIN protected).

However the method that we use for authentication is to
store X.509 certs on them (the private key can be locked
to the device) and use the on-device h/w RSA public key crypto
(the private key for the cert never leaves the USB device).

We generate the certs on the device using Microsoft's Certificate
Server integrated with our Active Directory.

We use the RSA Passage software to provide Windows login
via the 6100 USB tokens.  The devices work with both local
Windows login as well as for Remote Desktop (e.g. into servers
over the network).  We're using them on both XP Pro desktops
as well as Windows Advanced Server 2003.  We've had fairly
minimal problems with software on a few computers (driver &/or
login software).

The h/w price isn't bad but the cost of licensing the Passage s/w
and yearly maint. drives up the TCO.

They can store multiple certs (though only one can be the default
active one for the purposes of Windows login apparently) as well
as passwords and Java applets.  Too bad they don't have a lot of
storage space (e.g. to carry around files) on them as well.

We also looked at the Sony Puppy (cert auth token plus Thumb Drive
plus fingerprint scanner).  It didn't support all of the functionality we
needed plus it is quite expensive (but you don't need to carry a separate
Flash Ram USB drive as they have quite a bit of storage on them).

We also looked at the Authenex and Aladdin (eToken).

- H. Morrow Long, CISSP, CISM
  Director - Information Security
  Yale University, ITS








On Nov 8, 2004, at 5:14 PM, Joel Rosenblatt wrote:
Theresa,

RSA (www.rsa.com) makes a USB version of their SecurID card .. same
security as the card, but it plugs into a USB port.

Regards,
Joel Rosenblatt


--On Monday, November 08, 2004 3:54 PM -0600 Jim Schug
<schugj () MATC EDU> wrote:

Theresa,
I've had good success with using a fingerprint reader on notebooks. There
are keyboards that have fingerprint and/or card readers that may work for
you as long as remote access isn't a concern.
Jim

At 02:09 PM 11/8/2004, Theresa M Rowe wrote:
We've had a situation here that now leads us to believe that
we can no longer rely just on passwords for critical system
areas, such as domain administrators.  We need to start
implementing something you have in addition to something you
know.

We are looking for two way authentication with a USB key
device, but not a card.

Any suggestions?
Theresa Rowe
Assistant Vice President
University Technology Services
www.oakland.edu/uts - the latest news from University Technology Services

