If you’re supporting a large number of remote or mobile users, security is always a crucial concern. And finding the right security device for a large deployment is often difficult. One product that promises to do this is SecuriKey, a USB device that locks out any user that does not have a key. Although the product does add a secure layer to laptops and Windows 2000 and XP desktops, many loopholes make it an impractical solution for large deployments. I’ll go over how to set up the SecuriKey system on a workstation, as well as provide a few reasons why this product might not be a complete solution for a multiuser, networked environment.

Background
SecuriKey is a USB hardware “key” authentication system made by Griffin Technologies.

It prevents unauthorized access to a Windows 2000 or XP workstation. It will remind users of a dongle, except that the device is used in conjunction with a password. Users must plug their individual keys (called tokens) in the computer’s USB port and enter their passwords at the SecuriKey login screen to be granted access to their accounts. On the road, the SecuriKey token adds a secure layer to laptops.

Two-factor authorization
SecuriKey requires two credentials to authenticate users—a system called “two-factor authorization.” The idea is that the user knows one factor, such as a password, and the user owns one factor, such as a fingerprint, a smart card, or in this case, the USB token. Requiring both makes it harder for your identity to be faked or hacked.

One problem with two-factor authentication is that you can lose the “thing” you own. Even a fingerprint can be damaged, but it’s more realistic to assume that the biometric device, such as a keyboard or mouse, will be stolen or broken. (See my review of the Siemen’s ID mouse.) Additionally, biometric authorization is often considered a one-factor method. Fingerprints or retina patterns are considered to be so unique that they negate the need for a password.

Griffin claims that users won’t be inclined to lose the USB token because it attaches to a key ring (Figure A). This claim is a reasonable assumption, yet the device has the same risks one takes with any key—people will occasionally forget, lose, or misplace it. As a backup, Griffin provides a company token, which functions as a master key. I couldn’t test the company token, however, since it wasn’t included in the evaluation kit.

Figure A
Griffin’s USB-based SecuriKey can be attached to a key ring.

Setup
You must have administrative rights to install SecuriKey. Installation begins automatically when the product CD is placed in the drive. When the install screen appears, choose the Administration Manager, which is used for setting up logins and configuring tokens (Figure B). After choosing the administrator, click Next. The installation of drivers and executables is routine, so when the process finishes, select Restart to continue.

Figure B
Make sure to install the Administration Manager, not the local client.

After restarting, insert the token into any available USB port. Windows recognizes the new hardware (called WIBU-BOX/U), and installs the drivers. To begin configuration, choose Start | Programs | Griffin Technologies SecuriKey | SecuriKey Administration Manager. This snap-in console lets administrators set up local machine and enterprise user accounts.

Right-click on your local machine from the list. Select Import Local Windows Users (Figure C), and a list of users will appear in the right pane.

Figure C
Import users from the local machine.

For each user account, select the user, right-click, and select Properties (Figure D).

Figure D

From the Properties screen’s Basic tab, you can choose the method of access (automatic or manual) and the type of access (SecuriKey Token Required for Logon, SecuriKey Token Not Required for Logon, or No Access Allowed). Automatic login in effect turns a two-factor system into a one-factor system. This choice bypasses the password and allows access with the token only.

Manual access requires users to enter their passwords, which you can change by clicking Set Password. Otherwise, the user’s Windows password will be required.

Under the Advanced tab, you can change the default behavior. By default, if the SecuriKey is not present, the workstation is locked. Other Advanced options include Suspend Workstation, Shutdown Workstation, and Logoff User.

On the Properties sheet, click Token Management to bring up the Security Token Management screen. Click a Detected SecuriKey Token from the list (your token should still be in the USB port), and click Pick (Figure E). This action will automatically fill in values for a Company Key Code and User Key Code. You can change these values if you wish so that they are unique to each user account. Once you have made all your choices, click OK to continue.

Figure E
Choose a token and click Pick to add its values to the Properties sheet.

Logistical nightmare

One reason this system is unwieldy becomes clear now. The administrator setting up local accounts may be in another building, but the user must be present in order to place the key in the local machines’ USB port for it to be recognized.

To complete configuration, you’ll now need to activate the SecuriKey authentication scheme. Simply select the computer in the left pane of the installation screen and click the Export SecuriKey Profiles icon on the toolbar to send the data to the SecuriKey login system. Finally, click the Activate SecuriKey icon. Do not install the Safe Mode Blocker when asked. This app prevents unauthorized access to the computer that can be gained through Safe Mode. You should install it, but not until after testing the configuration. Following a reboot, the SecuriKey system will be active. The replacement logon screen prevents access to Windows 2000 or XP without a USB key. In addition, when a key is removed during a session, the screen is locked until the token is replaced.

Uninstalling
To remove the SecuriKey system, first remove the Administration Manager with the Control Panel’s Add/Remove programs option. Next, remove the client. In the Add/Remove Programs list, uninstall the item SecuriKey Setup (Part 2 – Logon Protection). After rebooting the computer, remove the entry called SecuriKey Setup (Part 1 – Hardware Drivers).

Loopholes
SecuriKey’s “Best Practices” guide mentions a number of situations in which this authentication system can be compromised or rendered useless. SecuriKey only works on Windows 2000 and XP. Dual booting with Windows 9x, NT, or Linux bypasses security. While Windows 98 doesn’t read NTFS drives, it could read a Win2K FAT file system installation. In addition, there is third-party software that allows Windows 98 to read NTFS, such as the free NTFS98 by SysInternals.

You could access a single OS system a number of ways. For instance, you can install an OS on top of Windows 2000 or XP, allowing data files to be read. Windows Safe Mode does not install the SecuriKey system drivers; therefore, anyone can boot into Safe Mode and gain access to the computer. To counter this security risk, Griffin recommends that you install the Safe Mode Blocker application. However, Safe Mode is essential for troubleshooting and recovering from errors; it’s not practical to ask an enterprise to install the Blocker application.

The way Windows registers USB ports can adversely affect security. Windows detects new hardware after logon. If a user puts the token in a different USB port, it won’t be recognized. If there’s a change of configuration—for instance, switching or adding USB devices, users won’t be able to log in. To get around this problem, you have to insert the token into every available USB port during setup to install the drivers in all ports. If a USB hub is removed, the problem is even more difficult to solve.

And finally, when computers are renamed, if the Administrator’s profile isn’t changed to the same name, the administrator won’t be able to log on.

Not a complete solution
Griffin’s literature claims that its method of authentication is cheaper for enterprises than a PKI (Public Key Infrastructure). No pricing was available on the Web site or in the evaluation kit, however. Cheaper or not, with so many ways to cheat the system, the headaches of using this type of authentication are simply not worth it, especially when more secure methods are available, such as biometric mice and keyboards or Windows server/client schemes, such as Kerberos. However, special-purpose standalone Windows 2000 or XP computers could benefit from the SecuriKey solution, as long as the user never loses his or her keys.