USB Security Token

[Inafking]

I've had my security token for a while and I'm worried about the bettery running out. All FFXI platforms have USB support. Shouldn't be hard to make something you can plug in that would comunicate directly without the need for a battery or typing in anything manualy. Just set it up to interface as a USB keyboard, then have a button on it that would register the 6 digit 1 time password as key presses. Basicly you put the cursor where you want it to type in the 1 time password (weather it's in the POL application or web browser) and press the button. The token would read the system time, generate the 1 time password and type it in for you. No need to change any of the current software for this to work, just make the new usb tokens.

[Misi]

Not too sure about this, but I think USB drives can be attacked by viruses. (like a keylogger) While it sucks that the token is on a one time battery life span, at least its not susceptible to being attacked as a device. ie: can't be connected to the machine to stay safe. I can see why they wouldn't want to go that route.

[Laraul]

You people make the assumption that people are going to simply leave their token connected all the time. I keep my token on my key chain. And how would this help with the battery life? Why are you worried about the token's battery NOW? What makes you think the battery is getting weak? Have the numbers become very faint to read? These things should last a good five to ten years.

This device is immune to key loggers. The purpose of a security token is to generate a unique number that can only be used once. The generated number has a lifespan of maybe 20 to 30 minutes. And if you want a new code, wait ten seconds and press the button again. The new code when entered will automatically prevent the any prior code from working.

As for being a USB device being prone to viruses, well have you ever heard of a keyboard or mouse being "infected" by a key logger?

[Misi]

You people make the assumption that people are going to simply leave their token connected all the time. I keep my token on my key chain. And how would this help with the battery life? Why are you worried about the token's battery NOW? What makes you think the battery is getting weak? Have the numbers become very faint to read? These things should last a good five to ten years.

This device is immune to key loggers. The purpose of a security token is to generate a unique number that can only be used once. The generated number has a lifespan of maybe 20 to 30 minutes. And if you want a new code, wait ten seconds and press the button again. The new code when entered will automatically prevent the any prior code from working.

As for being a USB device being prone to viruses, well have you ever heard of a keyboard or mouse being "infected" by a key logger?

And I keep mine near my comp and don't carry it around. Point? If a virus is made particularity for it, all the person who made it has to do is program it to go after drives, keystroke, dl malware,ect. it isn't impossible. and as soon as its recognized as being plugged it its too late. Doesn't matter if its 1 second or 30. Tokens are effective because they arn't "apart" of your computer. If its connected you may as well not have a security device at all.

I'm fine with the token being the way it is. even with having to replace one after a few years. It is much safer being a "token" then a usb device. I'd think the only realistic concern is waiting for the new token to get here while your battery is dying. i'd imagine you'd have to still use the old one to sign in to even unlink said dying token so you'd have to do it before it did kick the bucket. Then wait weeks/months in some cases for your newly ordered token to arrive.

[Zagen]

And I keep mine near my comp and don't carry it around. Point? If a virus is made particularity for it, all the person who made it has to do is program it to go after drives, keystroke, dl malware,ect. it isn't impossible. and as soon as its recognized as being plugged it its too late. Doesn't matter if its 1 second or 30. Tokens are effective because they arn't "apart" of your computer. If its connected you may as well not have a security device at all.

I'm fine with the token being the way it is. even with having to replace one after a few years. It is much safer being a "token" then a usb device. I'd think the only realistic concern is waiting for the new token to get here while your battery is dying. i'd imagine you'd have to still use the old one to sign in to even unlink said dying token so you'd have to do it before it did kick the bucket. Then wait weeks/months in some cases for your newly ordered token to arrive.

Thing is they aren't any safer unplugged from the computer than they would be plugged in.

Do yourself a favor and research what a hacker is capable of doing once they have a program on your computer, it will do much more than the security token ever will for you. Everyone who honestly thinks their account is safer with a token should do this not just you specifically.

[Misi]

Thing is they aren't any safer unplugged from the computer than they would be plugged in.

Do yourself a favor and research what a hacker is capable of doing once they have a program on your computer, it will do much more than the security token ever will for you. Everyone who honestly thinks their account is safer with a token should do this not just you specifically.

Not denying that, I agree. Tokens are not infallible like people tend to believe.

[Ziyyigo-Tipyigo]

Do yourself a favor and research what a hacker is capable

If the NSA really wants your gil, they will get it. That doesn't mean they'll bother.

It's called "risk analsys." Simply because someone can do something to compromise you doesn't mean they will, especially if the cost and effort to do so outweighs the potential reward. If a hacker can compromise 50% of your user accounts with 5 mintues' work, but it will take 5 hours to get the other 50%, why would he? That's 5 hours he could have spent selling the gil he already has.

You don't have to outrun the bear, just outrun the guy next to you.

[Runespider]

When the tokens run down we will probably just have to unlink them, I have zero faith they will make linking a fresh security keychain thing in any way easy at all.

[Oddwaffle]

The security token is something like a coded watch. It ticks every so often (like a watch) and gives you a number. That means it's constantly running and will run out of battery similar to a watch. The battery for these are usually large and can last for a few years unless you constantly press the button to make it shows the numbers. However, the quality of the battery leaves a bit to wonder as it's made in china and I don't have many good experience with china made electronics. On the other hand, I have opened a similar token before and it's possible to replace the battery. You might have to reset it and sync it again with SE (like syncing a watch with your current time).

While the token is fairly secure, it's not going to miraculously preventing you from getting hacked. I'll give you an example. Suppose you have a keylogger on your PC that can interfere with POL. You log on, type in your 6-digits and the keylogger steals the digits while crashing your POL. So you can't put in new digits to prevent a log on until you can get rid of the keylogger. On the other side of the world, the criminal now has a fresh 6-digit code every time you attempt to log in. Thus he can log in and steal all your stuff. The whole process of stealing all your valuables take about 10-15 on your main if he just throw away the rare/ex and load your character with valuables and teleport it.

A clear head will go much further in protecting yourself in the hostile internet.

[Atomic_Skull]

On the other hand, I have opened a similar token before and it's possible to replace the battery. You might have to reset it and sync it again with SE (like syncing a watch with your current time).

Square Enix and Blizzard use VASCO Digipass GO 6 tokens. It is not possible to replace the battery in these, it will suicide if you tamper with it. Also the key is kept in volatile RAM and when the battery runs down to a certain % it is lost (I'm not sure if it just runs down and is lost or if the token suicides itself when it determines the battery has lost too much power for it to run reliably anymore, probably the latter)

It is in theory possible to extract the key from one of these tokens but it requires equipment and facilities only available to large corporations and governments, and because each token has a unique key you would be spending millions to break one person's account and one person's only. So it's completely not worth it. They have designed these things to be very physically tamper resistant.