Tokens
Getting tokens for use with mod_authn_otp
Supported Tokens

Any RFC 4226 compatible one-time password generator from which you can access the token key should work with mod_authn_otp. Note that the token key is not the same thing as the token ID, which is typically an alphanumeric string like MATM89382348. The token ID is simply an identifier for the token, like a serial number. The token key, on the other hand, is typically 16 to 20 bytes of random binary data looking something like "f136803ab9c241079ba0cc1b5d02ee7765df3421". This is the actual cryptographic secret on which the security of the token rests. The token key must be provided to you separately and securely by the token vendor.

You will need a token that is not tied to a specific vendor by way of proprietary design or withholding of information. Of course, this means the token must be OATH-compliant. Many vendors do indeed sell "OATH-compliant" tokens, but they require you to also purchase their expensive, proprietary server-side software to use them. They won't give you the token keys unless you do. For example, Verisign's VIP tokens are popular but are not compatible with mod_authn_otp because it is not possible to extract the token's key. In any case, do you really think you can trust your security to those so-called experts? If you do, you might want to read some of these articles. Perhaps over time this "stay proprietary" strategy will evolve away, as it has done in so many other technology areas. In the meantime, when you call a vendor to inquire, tell them that you are using the open-source authentication solution mod_authn_otp and that you require token keys.

Hardware Tokens
Software Tokens
I tried to purchase the "Authenex's A-Key 3600" listed here through the link. Their sales representative stopped my order and said that I need to purchase their ASAS software for over $1000. I'm wondering, does mod_authn_otp require third party ASAS software? (Perhaps I need their ASAS to extract the token key?) Can I just buy the tokens and use it with mod_authn_otp? Thanks.
You certainly do not need to purchase their server software. I purchased tokens from them without buying the server. The sales guys of course want you to spend a bunch of money on their server. Just be clear that you want tokens only with no server. They are probably not used to selling only tokens and may get temporarily confused.
However, they also may have some minimum number of tokens that they will sell in a single transaction. I don't know what their policy is. Keep trying until you find a sales person with a clue. If they insist on preventing you from purchasing from them then find another OATH compatible token vendor or use one of the cell phone apps.
Got my tokens from Authworks, 3 out of 10 are defective. You need to open a ticket on the Authenex side to get the OATH seeds. It's working great now =)
I bought one Aladdin eToken PASS unit and was unable to get the seed from their support
Got my tokens from Authworks, luckily all 10 are functional and work well with mod_authn_otp. Thanks!
http://www.gooze.eu sells Feitian c100 (password) and c200 OTP (time-based) tokens. We would like to ship you some free tokens. Could you contact us? Email: jmpoure at gooze.eu
Gemalto sells a time based OATH token called Ezio ($12.99USD as of 2010-07-28)
Does anybody know of any manufacturer who provides an interface to program the seed into the tokens? For me it is not really secure to use two-factor authentication with one factor already known by a Chinese manufacturer ...
Tokens are usually sealed to avoid any intrusion/reprogramming. It would probably be more insecure to program tokens from a Windows desktop than from the factory.
A lot of hardware now is Chinese and your computer probably includes Chinese parts.
Furthermore, you can monitor access. I doubt there can be any illegal access.
By the way, I would like to inform you that Gooze now ships to the US. You may contact me on jmpoure@gooze.eu
Kind regards, Jean-Michel Pouré
Gemalto won't send you the seed for their tokens. So you should remove them from the list.
I purchased two tokens through Amazon, and asked Gemalto for the seed for one of them. They said they transmit the seeds to amazon and destroy them. I asked if they have products that they can provide seeds with, and my email has gone unanswered.
Just a quick note that the c200 is sold for 9,90€ and the c100 for 8,90€ including VAT (19.6%). There is no limit on the number of tokens purchased. You can even buy one. We are currently out of stock for the c200 but we will soon get more. So don't hesitate to visit http://www.gooze.eu
Android Token is an open-source token app that runs on Android. Use your token ID when prompted for "Serial No", or just use something arbitrary if you don't have a token ID.
@costin.en: I remember seeing some information from linotp: "The eToken NG-OTP is only supported by the Enterprise Edition. The eToken NG-OTP is a hardware token that comes without a preinstalled secret/seed (or HMAC key)."
But I don't think it's really unsafe when you are using a token with a preinstalled seed, because you have a different time, and you can have your own PIN. It's safe enough for most environments, but for e-banking I think you should have some other way, like PKI+OTP.
I'd be grateful if someone could point me to a J2ME Midlet for my older Sony Ericsson K750i that works with mod-authn-otp. I tested both oathdsss.jar (DS3 OathToken J2ME Midlet, HOTP) and MobileOTP.jar (cf. the Mobile-OTP project page), but to no avail.
I bought a promo pack of 5 Aladdin eToken PASS units. The tokens come with a serial number in this format: XXXX-XXXX-XXXX-XXXX, activated for free on the manufacturer's website only one time of course, so used tokens purchased from eBay are usually unusable.
The activation consists of a zip containing two LDIF-format .dat files; you can extract the token key by parsing the text of the "importAlpine.dat" file:
sccAuthenticatorId: (means token serial number) sccKey= (means token key)
eToken PASS are event-based tokens; I've tested them successfully using otptool.
Leo
Yubico sells the YubiKey, which you can program in OATH mode, and you can also change the HMAC-SHA1 key easily. There is GNU/Linux support for it. See https://store.yubico.com/
Hello, I'm trying to get the right mix of protocols in order to use Google Authenticator. I already have tokens generated by otptool working just fine. When constructing the Key URI do I want totp or hotp? Similarly, in the users file do I want MOTP or HOTP? I tried the logical combinations (hotp & HOTP/E) and then the plausible ones (totp & HOTP/T/30) and then some wag ones (hotp & MOTP/E) without any success. Thanks.
Try the combination Google: Time Based and Users File: HOTP/T30. Be careful to convert the base32 key properly.
Thanks, it was just the base32 conversion that was throwing things off. I believe I had an invalid number of digits in my secret, and hence the conversion got padded. I used the secret right off their documentation page (JBSWY3DPEHPK3PXP (base32) -> 48656C6C6F21DEADBEEF (hex)) and everything worked great.
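An added example (not code from the mod_authn_otp project or from any poster above) showing the base32-to-hex conversion the last two comments discuss, together with the RFC 4226 HOTP and RFC 6238 TOTP computations such a token performs; the function names are my own, and the only page-specific input is the base32 secret quoted in the thread.

```python
import base64
import hashlib
import hmac
import struct
import time

# Base32 secret quoted in the thread above (from the Google Authenticator docs);
# the thread says it decodes to hex 48656C6C6F21DEADBEEF, the form the users file takes.
EXAMPLE_BASE32 = "JBSWY3DPEHPK3PXP"


def base32_to_key(secret: str) -> bytes:
    """Decode a Google Authenticator style base32 secret into the raw token key.

    Base32 packs 5 bytes into 8 characters, so the decoder expects a multiple of
    8 characters. The '=' padding is restored here so a secret copied without it,
    typed in lower case, or split with spaces still decodes to the right bytes.
    """
    s = secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the 30-second time-step number."""
    return hotp(key, unix_time // step, digits)


if __name__ == "__main__":
    key = base32_to_key(EXAMPLE_BASE32)
    print("hex key:", key.hex().upper())        # 48656C6C6F21DEADBEEF
    print("HOTP counter 0:", hotp(key, 0))
    print("TOTP now:", totp(key, int(time.time())))
```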