We have been getting questions about the security surrounding the shared secret key hashes (seeds) of our hardware tokens. In this article, we will try to describe how this data is secured, operated, stored and destroyed.
The seeds are randomly generated and sent to the factory in a secure manner (we use GPG encryption). We store them on our servers for a limited period of time and then delete after seeds were transferred to end users. The servers we are using to temporarily store the secret seeds can only be accessed from our office network and the access is protected with two-factor authentication. Permanent storage of seeds is done at UBS Safe, which is basically our e-banking account attached storage and has the highest level of security (MFA protected, PCI-DSS compliant etc.) When it comes to transferring the keys to end users, we strongly recommend using PGP or GPG encryption to transfer secret keys for all types of tokens. PGP and GPG are popular solutions for encrypting, decrypting, signing, and verifying messages and files, often found in email communications and package repository identity verification. If you are new to PGP we recommend having a look at the PGPTool
If requested by customers, we can send the seeds by email assuming the tokens are not to be used in production, however, this is not recommended as transferring secret keys in plain text format by email may lead to a compromise of your token seeds which could potentially result in MFA bypass.
If you are still concerned, there is an option of setting the seeds yourself, so you have full control and no one else touches your seeds. This option is only available with our programmable tokens. The procedures are explained below.
Hardware token provisioning with the full control of the seeds
The guide below is using Azure MFA as an example. The same provisioning flow can be used with other systems as well.
TOKEN2 has developed a simple HTML5 application (“Token2 TOTP Toolset”) which can be run locally without accessing any libraries/resources on the Internet (including the QR image generation). This application is designed to generate random seeds and produce CSV file ready to be imported to Azure MFA. The source code if the application is available on GitHub.
The provisioning will be done in the following way:
- Download and launch Token2 TOTP Toolset — local. You may want to run this app on a computer that is fully offline (or firewalled) to be sure no information is being transferred to third parties
- Install Token2 Burner App on an Android device with NFC. After the app has been installed, you can set the device to flight mode with Bluetooth, Wifi and Cellular data off to ensure no data will be transferred outside
- Generate a random seed using Token2 TOTP Toolset.
- After the seed is generated, burn the seed using the Burner App
- Verify the OTP shown on the device with the OTP value shown on the TOTP Toolset
- Enter the serial number of your token and the username in UPN format to the relevant fields on the TOTP Toolset and click on “ ⇲ append to CSV” button
- Repeat steps 3 to 6 for every token you are provisioning
- Click on “save as file” button and save your MFA CSV file
- Import the CSV to Azure MFA
- Your tokens are ready to be activated for users
Originally published at www.token2.com.
