Sunday, February 24, 2013

GoldKey Secure Web Finding Success in the Market


We are having good success with the deployment of GoldKey Secure Web.  The need for a very secure way to protect access to key websites is expanding daily.  As more and more important functions and transactions are accomplished online, the number of websites being compromised is a serious industry problem in need of urgent resolution.  The problem is not just limited to unfriendly parties getting into a website.  There are also the problems associated with users being misdirected to a counterfeit site where they might unknowingly divulge sensitive information. 

The idea of using security tokens to protect remote login has been around a long time, and has limited acceptance.  Upfront, this approach has the challenge of getting tokens distributed and users properly registered.  In addition, the idea that a user would carry around multiple tokens to access multiple sites is just not practical and is cost-prohibitive.  Furthermore, many of the token solutions that have hit the market have proven to be vulnerable to the various types of security attacks.  At the same time, customer support costs have skyrocketed as users have lost their tokens or forgotten their PINs.

The GoldKey entry into this market began over ten years ago, and was careful and methodical.  We started with the preconceived notion that something needs to happen, and when all of the elements are put together just right, the opportunity exists not only for a major deployment, but also for the emergence of a de facto security standard.  To make all of this a reality, a solution is needed that combines military-grade security with the elements of easy deployment, user self-help, universal usage of a single device, and some sort of a history tracking system that would establish credibility with long-term usage similar to the rating system of sellers on eBay.

Now that a significant volume of users are beginning to depend on the system, we are becoming confident that GoldKey Secure Web is a winning proposition.  We are finding less and less new-product resistance from users as they begin to realize that the single GoldKey token can secure their local computer, protect and encrypt their files in the cloud, while also providing secure login to their favorite "GoldKey Ready" websites.  A common scenario is that a user will initially obtain a GoldKey token to provide access to a specific website which requires a GoldKey login.  From there, usage grows.

Websites wishing to add GoldKey Secure Web are easily able to do so by deploying a rack-mounted GoldKey Secure Portal to their datacenter.  By adding a few lines of code to their web servers' login sequence, they are able to immediately begin taking advantage of the enhanced two or three-factor authentication protection of the system.  To distribute the authentication and access privileges required by GoldKey to the website's users, various options are available, due to the fact that GoldKey tokens are hardware-managed by Master and Grand Master tokens.

Among these options are onsite administration, such as requiring a customer to show up at a branch with proper photo ID and a GoldKey token; sending out email links; or even allowing existing customers to log in with their existing user name and password, then adding the GoldKey token authentication to secure the account once they are logged in.  The good news is with GoldKey it does not matter.  Each organization can choose just how rigorous a process is appropriate for the nature of the access being protected.

GoldKey security was specifically designed so one token would provide all of the security needs for a user.  This is a mandatory feature for any solution having even a modest chance for widespread deployment.  Using the GoldKey core technology (patents pending), it is possible for a user with just one token to securely log in to millions of unrelated sites, each with a separate and unique credential.  To my knowledge, this important capability is currently only available through GoldKey.

The other part of this whole system – that has already been deployed and is now in commercial usage – is the integration of the user history aspect.  Each user is issued a unique, personal GoldKey ID.  Through goldkeyID.com, users are able to recover forgotten PINs, deactivate lost or stolen tokens, and even make duplicate tokens when needed.  The GoldKey ID also provides subscribers with the ability to access user historical information to determine how much access will be given and to also obtain alerts issued by other subscribers to know immediately that a user ID may have been compromised.

Where does this all head?  I believe that a security revolution is at hand, forced upon us by necessity, but at the same time, providing to users new features and advantages that will quickly catch on.  We are soon to announce a line of GoldKey-based door locks which will allow users to gain access to secured buildings using the same GoldKey token they use to access their computer.  The units we are working on also keep track of access history, catch a photo of the user, and provide an easy way to change a user's building access privileges.  We are also working on the GoldKey credit card feature.  If things go the way I expect, it will not be long before you will see a USB port at grocery store checkout credit card scanners and on gas pumps.  Using the GoldKey credit card feature will be much safer than credit or debit cards in use today, and just one GoldKey token will handle all of your credit card and bank accounts.  Further down the road comes "Gold Bank."  That is when things all begin to get really exciting, but will need to wait for a later post.

GoldKey SecurID Alternative



Authenticating a user on the network or over the Internet is one of the cornerstones of all security systems. Traditionally, authentication has been accomplished by asking for a username and password. In spite of the fact that this simplistic approach has been repeatedly compromised, it remains the predominant approach in use today. There are many weaknesses that have been exploited to compromise the username/password authentication model, including using the same password for multiple sites, using passwords which are easy to remember and therefore easy to guess, finding the place a user has written down the password, or man-in-the-middle attacks in which a user’s password is obtained and therefore compromised.

A superior method of authenticating a user involves the utilization of two factors or, as it is often called, two-factor authentication. In these types of systems, a user is given some kind of a security token or device, which is used along with a password to authenticate, resulting in the common adage “something you have and something you know.” In the realm of two-factor authentication, there are three basic strategies that represent the majority of the market. Each of these has its advantages and disadvantages and should be considered when choosing a two-factor authentication system for deployment.

RSA SecurID
Although SecurID is by far the most popular two-factor authentication system in use today, it is an old technology with serious weaknesses.
Earlier this year, the entire RSA system was compromised by a security breach which compromised sensitive data and forced RSA to reissue millions of one-time password security tokens. The security industry is now exploring other options to replace this aging technology. The most popular two factor authentication system today is SecurID marketed by RSA. The SecurID method of two factor authentication involves issuing a card or a token to each user of the system.

These pocket-sized tokens each contain a small battery-powered electronic system that has been programmed with the algorithm of the one-time password strategy being utilized. Each time a user logs onto a SecurID system, a unique password is read from the device and keyed into the login computer by the user.

Smart Cards
Another increasingly popular strategy for two-factor authentication utilizes a smart card issued to each user.  Smart cards, whether a credit-card-shaped device or a smart card installed into a USB device, operate in essentially the same way: they store security certificates, which can be read from the smart card when it is inserted into a computer at the time of log-in. The concept of using a security certificate to securely sign into a system is based on the notion that certificates, which are a block of digital information, can be signed by a trusted authority at the time they are created.

Many systems utilize smart card technology. One of the most popular is the PIV System deployed by the United States government. Other enterprise organizations utilize smart cards issued to their users as a two-factor authentication method of log-in to Active Directory. The Achilles’ heel in smart card certificate authentication is the vulnerability of the trusted authority protecting the chain of creating signed certificates. This vulnerability has been underscored by a series of recent breaches, including the major breach of the Comodo signed certificates in 2011.

Gold ID
The third method of providing two-factor authentication is Gold ID. This technology is based on a hierarchical hardware key management system developed by GoldKey Security Corporation. Rather than relying upon a one-time password algorithm or a reliable chain of signed certificates, the Gold ID system utilizes a process of registering hardware tokens to hardware management and grand management tokens. This approach has significant advantages as compared to the earlier technologies.

Gold ID greatly reduces the cost of initial deployment. The security function can be managed by non-computer personnel, bringing the matter of security back to the security department and out of the hands of programmers that already have access to the system. Since the process is managed entirely in hardware, it is much more flexible, giving the organization the ability to lock out disgruntled employees, recover lost credentials, and to control access of critical information assets by multiple users, even when the assets are stored encrypted at-rest.

To date, Gold ID is the only two-factor authentication system that has not been compromised. Gold ID is thoroughly implemented in the GoldKey offering by GoldKey Security Corporation. GoldKeys are not powered by internal batteries and therefore do not have end-of-life failures as batteries wear out. There is not an annual licensing fee for each user, and the initial cost of deployment is substantially less than other options. Most importantly, GoldKey Security tokens also contain a full deployment of the PIV Smart Card system, allowing users to continue utilization of their current Smart Card system while building the capability of transitioning all or part of the system over to Gold ID at some future date.

Additional information on Gold ID can be found at GoldKey.com.

Advanced Authentication for CJIS Compliance


Effective September 30, 2013, Advanced Authentication is required of all law enforcement personnel accessing CJIS, a computerized information system for the FBI’s National Crime Information Center. CJIS provides state, local, and Federal law enforcement and criminal justice agencies with access to centralized information such as fingerprint records, criminal histories, and crime reporting systems.

Law enforcement agencies throughout the country are scrambling to find the best security token solution to satisfy the FBI requirements. The first law enforcement agency to contact GoldKey, looking for an advanced authentication solution, was the Marysville Police Department of Washington State. GoldKey is an excellent choice for agencies desiring to comply with the FBI regulations. Not only does it provide advanced authentication, including dual factor authentication, but it also comes equipped with numerous additional security features and capabilities.

As one example, by utilizing GoldKey with internal secure flash storage, it is possible to store information downloaded from the FBI System onto the GoldKey rather than onto the disk drive of the computer. Since the place where this information is stored, according to the new requirements, must be encrypted, using GoldKey in this way eliminates the very cumbersome need of total disk encryption systems, the only alternative.

Working in conjunction with GoldKey Security Corporation, Marysville Police Department prepared and submitted a GoldKey solution option to the FBI for approval. Now that the FBI has approved this solution, other law enforcement agencies throughout the state of Washington and the nation are lining up to deploy the solution.

This is yet another market niche satisfied by GoldKey and Gold ID Security. The strategy of GoldKey is to become a single integrated security solution that will satisfy all of the authentication and security functions required by a user. What the market really needs is a single, robust yet simple solution that is secure, yet manageable, and affordable, yet resilient. One thing is very clear — better security technology will be required in the years ahead. GoldKey is the first and, so far, the only security system to come forward with hardware management of encryption keys and security tokens. So far, no alternative technology has emerged with the capabilities that future security challenges will demand.

Managing Multiple Computers in an Organization


Many organizations such as schools, banks, and the enterprise have a large deployment of computer systems managed by a central support team. Often individual laptop computers issued to various employees are also maintained by a central support organization. These types of users are discovering that GoldKey Security tokens are a valuable tool to aid in the secure management of these major deployments.

Here is how it works. A user account is set up on each computer with administrative privileges. Then this administrator account is secured on each computer by GoldKey. This is a simple process, which sets up the account so that the only way a user can log into the computer using that account is if they have a GoldKey with the appropriate user group installed. This strategy can be deployed even if the everyday user of the computer does not have a GoldKey, but rather logs into their own user account with the traditional username and password.

If, at any time, it becomes necessary to perform support functions on the computer, a support technician can log in using a GoldKey. This could be as simple as a situation where the everyday user has forgotten a password and therefore locked themselves out of their computer. The support user then logs in using the GoldKey, resetting the password in the user account. When working with a lot of machines, it is very handy to be able to log in by inserting the GoldKey in the USB port and then entering the single PIN of the GoldKey, no matter which computer you are trying to log into.

The GoldKey secure login authentication system works like this. When the GoldKey user secures the account login with GoldKey, a special random number generator inside the GoldKey token generates a complex, random, and long login password for that account and submits it to the local computer’s operating system as the user’s password for that account. Then, inside the GoldKey, this new “long” password is encrypted using the encryption key for each GoldKey user group that will have access to this account. The encrypted version of the “long” password is then stored in the open on the computer to be secured. When the GoldKey user attempts to log onto the computer, the encrypted version of the login password is pulled inside the GoldKey, where it is decrypted and then fed back to the operating system to complete the login process, and the user is logged in.

There are many advantages of this approach over conventional username and password login systems. In the first place, the GoldKey generated passwords are so long and random that it is virtually impossible to break into the system by trying to guess the user’s password. Second, since the password is stored in encrypted form on the computer, any GoldKey having been given the appropriate user group by a Master Key is able to read the encrypted version of the password, decrypt it, and thereby log into the system. Perhaps most important, each computer secured in this way utilizes a completely random and different login password. In other words, if you had an enterprise with 10,000 computers all secured by GoldKey login, every single one of those 10,000 computers would have its own “long” login password, and yet any GoldKey holder with the appropriate GoldKey user group would be able to log into any of those computers by simply remembering the PIN of their own GoldKey.
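A minimal model of the login scheme described above, added here as an illustration; it is not GoldKey's own code. The page does not name the cipher, so `wrap`/`unwrap` use an HMAC-SHA256 stand-in, and the `Token` and `Computer` classes, the PINs and the group names are hypothetical.

```python
import hashlib, hmac, secrets

def _stream(key, nonce, n):
    # Keystream from HMAC-SHA256 in counter mode (stand-in cipher, an assumption).
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def wrap(key, data):
    # Encrypt-then-MAC so the blob can sit "in the open" on the computer.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None  # wrong group key, or the stored blob was modified
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class Computer:
    def __init__(self):
        self.pw_hash = None  # what the OS keeps for the administrator account
        self.blobs = {}      # group name -> wrapped password, stored unprotected

    def os_login(self, pw):
        return pw is not None and hmac.compare_digest(
            hashlib.sha256(pw).digest(), self.pw_hash)

class Token:
    def __init__(self, pin, group_keys):
        # Group keys stay inside the token; only the PIN unlocks their use.
        self._pin, self._keys = pin, dict(group_keys)

    def secure_account(self, pin, pc, groups):
        if not hmac.compare_digest(pin, self._pin):
            return False
        pw = secrets.token_bytes(48)  # the "long" random password, unique per machine
        pc.pw_hash = hashlib.sha256(pw).digest()
        pc.blobs = {g: wrap(self._keys[g], pw) for g in groups}
        return True

    def login(self, pin, pc):
        if not hmac.compare_digest(pin, self._pin):
            return False
        for g, key in self._keys.items():
            if g in pc.blobs and pc.os_login(unwrap(key, pc.blobs[g])):
                return True
        return False
```

In this model the password never exists on the computer except as a hash and a wrapped blob, so the whole scheme rests on the group key staying inside the token.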

GoldKey Receives 5 Star Rating



A year ago, Neil Rubenking, the lead analyst for security at PC Magazine, did a review of GoldKey, giving it a very good Four Star Rating. That put us in a tie with the very best of the other security token products on the market. We decided that was not good enough.
In his list of “cons” Rubenking pointed out that some of the features of GoldKey were not very useful to the individual. We went to work on a special version of GoldKey that was optimized for individuals and small organizations. This product would be shipped from the factory already registered to a Master Key so that it could immediately be put to use by the user, and so that many of the advanced features of GoldKey — like disabling a lost GoldKey, recovering a PIN, or making a duplicate — could be performed utilizing the GoldKeyID.com website.
When the new version of GoldKey hit the market, it was again reviewed by Rubenking at PC Magazine, who gave it another Four Star Rating. This time the only “con” was that it did not have any internal storage.
For a long time, users have wanted to have secure storage built into their GoldKey Security token. The problem is that GoldKey is so small it is almost impossible to add any significant amount of internal memory. There is just no space available inside the Key. It is extremely important that we maintain the very small size of GoldKey so that users can carry it conveniently with them on their keychain or even in a key wallet. That was all true until one of our major customers came forward needing to purchase a million dollar order of GoldKeys but having the requirement that each Key would have a minimum of 16 Gig of internal secure memory.
The prospects of this and other potential orders like it inspired our technical team to sit down and really scratch our heads. The solution came when we figured out how, in the same micro GoldKey package, to insert a second circuit board piggyback to the first, and “voila,” the next generation of GoldKey with up to 64 GB of internal secure storage emerged.
On April 16 of this year Neil Rubenking issued his review of this new rendition of GoldKey. This time he gave it a perfect Five Star Rating, and under “cons” he listed “none.” GoldKey is now the PC Magazine Editors’ Choice, having received the highest security rating for any security token device.
Now it is possible for a user to carry around a smart card encryption key management system and a secure flash drive all in one package. This is a bright day for GoldKey and its growing number of worldwide users.
To read the full review from PC Magazine, please visit:
http://www.pcmag.com/article2/0,2817,2403082,00.asp
*A trademark of Ziff Davis, Inc. Used under license. Reprinted with permission. © 2011 Ziff Davis, Inc. All Rights Reserved.