eToken Passwords 101

1. Types of eToken Passwords - eTokens have two types of passwords, an administrator password and a user password. The administrator password is used to reset the user password and can also be used to reformat the eToken. The user password can be used to change the current user password, access private key functions, and reformat the eToken.
2. Creation of eToken Passwords - eToken user passwords are created by the user during the PDC (Personal Digital Certificate) enrollment process, when the PDC is issued to the user on the eToken. Unique eToken administrator passwords are randomly generated by TAS (Token Administration System) and assigned to each eToken during the enrollment process. The administrator passwords are encrypted and stored in the TAS database and can only be decrypted by TAS operators authorized to reset eToken user passwords or recycle (reformat) eTokens.
3. eToken User Password Composition Requirements - The password must be at least 8 characters long and must contain at least THREE of these FOUR types of characters:
- Numbers: 0-9
- Uppercase English Letters A-Z
- Lowercase English Letters a-z
- Special Characters, except for right brace, right bracket and equal sign (}, ], =)
4. eToken Password Changes - Users can change their current password at any time by using the Aladdin RTE eProperties Tool or a browser such as Firefox, Netscape, or SeaMonkey that supports eToken user password changes. The user must know the current eToken user password in order to change it.
5. eToken Password Blocking Thresholds - eTokens have password blocking thresholds defined for both user and administrator passwords. After 10 consecutive invalid user passwords (15 for administrator passwords) the eToken automatically becomes blocked. A blocked eToken rejects any further attempts to log in and is temporarily unusable until it has been reset. If both the user and administrator passwords have reached their blocking thresholds, the token is permanently unusable. If only the user password has reached its threshold, the eToken administrator can log in to the eToken with the administrator password and reset the user password. Whenever a correct user or administrator password is entered, or a password is reset, the corresponding invalid-password counter is automatically reset to zero.
6. Current Procedure for Resetting eToken User Password - To get an eToken user password reset, the owner of the eToken must bring the eToken in person to the Student Telecommunications Office, located at 120 Student Services Building on the Blacksburg campus, and create a new eToken password there. They must show their Hokie Passport card and one other government-issued photo identification, such as a driver's license, passport, or military ID card.
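The composition rules in item 3 and the blocking counters in item 5, modelled in Python. This is an added example, not the page's or Aladdin's code: the token itself enforces these rules on-chip, so TokenState is only a simplified model of the observable behaviour (counter increments, blocking, reset on success, administrator reset clearing the user counter). The function and class names, and the choice to treat whitespace as not a special character, are assumptions of this example.

```python
from __future__ import annotations
import hmac
from dataclasses import dataclass

# Item 3: composition rules for the user password.
MIN_LENGTH = 8
FORBIDDEN_SPECIALS = set("}]=")      # right brace, right bracket, equal sign

def is_special(ch: str) -> bool:
    """Printable ASCII punctuation other than the three excluded characters.
    Treating whitespace as not a special character is an assumption, not a page rule."""
    return (ch.isascii() and ch.isprintable() and not ch.isalnum()
            and not ch.isspace() and ch not in FORBIDDEN_SPECIALS)

def check_user_password(password: str) -> list[str]:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    forbidden = sorted(set(password) & FORBIDDEN_SPECIALS)
    if forbidden:
        problems.append("contains disallowed character(s): " + " ".join(forbidden))
    classes = {
        "number": any("0" <= c <= "9" for c in password),
        "uppercase": any("A" <= c <= "Z" for c in password),
        "lowercase": any("a" <= c <= "z" for c in password),
        "special": any(is_special(c) for c in password),
    }
    if sum(classes.values()) < 3:
        problems.append("needs at least three of: number, uppercase, lowercase, special")
    return problems

# Item 5: blocking thresholds and counter behaviour.
USER_THRESHOLD = 10
ADMIN_THRESHOLD = 15

@dataclass
class TokenState:
    """Simplified model of the token's two passwords and their invalid-attempt counters."""
    user_password: str
    admin_password: str
    user_failures: int = 0
    admin_failures: int = 0

    def user_blocked(self) -> bool:
        return self.user_failures >= USER_THRESHOLD

    def admin_blocked(self) -> bool:
        return self.admin_failures >= ADMIN_THRESHOLD

    def unusable(self) -> bool:
        """Both passwords blocked: nothing can reset the token any more."""
        return self.user_blocked() and self.admin_blocked()

    def user_login(self, attempt: str) -> bool:
        if self.user_blocked():
            return False                       # blocked: no further attempts accepted
        if hmac.compare_digest(attempt.encode(), self.user_password.encode()):
            self.user_failures = 0             # a correct password resets the counter
            return True
        self.user_failures += 1
        return False

    def admin_login(self, attempt: str) -> bool:
        if self.admin_blocked():
            return False
        if hmac.compare_digest(attempt.encode(), self.admin_password.encode()):
            self.admin_failures = 0
            return True
        self.admin_failures += 1
        return False

    def admin_reset_user_password(self, admin_attempt: str, new_password: str) -> bool:
        """Administrator unblocks the user by setting a new, policy-compliant password."""
        if not self.admin_login(admin_attempt):
            return False
        if check_user_password(new_password):
            return False
        self.user_password = new_password
        self.user_failures = 0                 # a reset clears the user counter
        return True
```

The model shows why the "toast" case matters: once the administrator counter is also exhausted, admin_reset_user_password can never succeed again, which is the reason TAS keeps the administrator password encrypted and restricted to authorized operators.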

Self Service eToken User Password Reset

1. Pros

  • A convenience to the eToken user (especially off-campus users) who would not have to appear in person at the StuTel Office in order to get an eToken user password reset.
  • A convenience to the eToken administrator who does not have to reset eToken user passwords.
  • A self-service or remote PIN reset service will be needed before any large-scale (6500) deployment of eTokens to faculty and staff.
  • Provides a more efficient and less costly method for resetting user eToken passwords.
  • Users can leverage their high assurance eToken/PDC identity credentials to establish an equally high assurance personal identity authentication profile of questions and answers. This high assurance identity profile can then be used by the self-service eToken user password reset application, or by other applications, to help authenticate users.
  • There is an inventory of 6500 eTokens which have been purchased and are ready to be deployed.
  • Remote authentication of users by the self-service eToken password reset application can require users to authenticate using identity credentials like PID/password in conjunction with the high assurance personal identity profile, raising the assurance level even further. Note that using PID/password by itself to authenticate remote users would not be acceptable, since this could compromise the assurance level of the eToken/PDC credential.
  • The inconvenience of having to visit the StuTel office in person to get an eToken password reset will create an incentive for users to create their high assurance identity profile so that they can use the self-service.
  • The development of a secure web application that would allow users to authenticate with their eToken/PDC (client SSL) and create/update their high assurance identity profile is not a complex programming effort.
  • The self-service eToken user password reset application can use blocking to enhance security if users exceed a threshold of invalid responses to questions. Blocked users must then go in person to the StuTel Office to get their password reset.
  • The self-service eToken user password reset application can be designed to randomly select from the questions to be asked, enhancing security so that consecutive attempts never present exactly the same set of questions.
  • The self-service eToken password reset can be an optional service. Users can still opt to go to the StuTel office to get their eToken password reset.
  • Other applications besides self-service eToken password reset could take advantage of and benefit from the high assurance personal identity profile created by users.

2. Cons

  • There are currently only 500 eTokens/PDCs that have been issued to users. Deploying an additional 6500 eTokens will most likely be staged and take some time.
  • Users who need their eToken user password reset but have not yet created their high assurance personal identity profile must use the current method and appear in person at the StuTel office.
  • Resetting a user's eToken password requires that the user authenticate to the self-service using credentials that are at least at the same assurance level as the eToken/PDC. Currently there are no existing identity credentials that meet this requirement.
  • A way must be provided for users to easily establish high assurance identity credentials (which could take the form of questions and answers) that can be used by a self-service eToken user password reset application or other applications for remotely authenticating users.

3. How would the user self service eToken password reset work?

In order to use the self-service eToken password reset application, the user must have previously created their high assurance personal identity profile. Any user who has been issued an eToken can at any time use a self-service web application to register their personal authentication credentials and create their identity profile. To register these credentials, the user must authenticate with their eToken/PDC (client SSL) when logging in to the registration web application. No other identity credential can be used, because only the eToken/PDC provides strong two-factor authentication and a high assurance credential (enrollment for the PDC required face-to-face registration and presentation of at least two picture IDs). Users can be notified of the self-registration service in the email that is automatically sent to all users who enroll for an eToken/PDC. In addition, links to the service can be made available on the PDC website and advertised via bulk email, newsletters, or other means.

The self-service registration web application will allow the user to register their personal authentication credentials in the form of questions and answers that only they are knowledgeable enough to answer correctly. Users will be given the opportunity to choose from a list of predefined questions as well as the ability to enter their own questions and answers to create their personal authentication profile. All answers (responses) to questions will be stored as hash values to enhance privacy. In addition to the initial selection of their profile questions and answers, users can at any time use the self-registration web application to make changes to their profile and select new questions and answers.

Users who need their eToken password reset and have previously created their personal identity profile can use the self-service eToken password reset by authenticating to the web application with their PID/password. After successful PID/password authentication, questions (the number of questions can be decided later) are randomly selected from the user's personal identity profile and presented to the user for a response. Hash values are computed from these responses and compared to those stored in the user's identity profile. If incorrect responses are detected, the web application can enforce blocking after a predefined threshold of invalid responses has been received. If the responses are correct, the web application proceeds to allow the user to create a new password for their eToken. Users who are blocked because of incorrect responses must go to the StuTel office to have their eToken password reset. Resetting the eToken password automatically resets the self-service blocking counter to zero.
Definitions:

High assurance personal identity profile - In this context, a set of predefined and user-defined questions, along with answers that only the user is knowledgeable enough to answer correctly. The user creates/updates their high assurance personal identity profile using a self-service web application which requires the user to authenticate with their eToken/PDC.

Additional layers of authentication - In addition to requiring the user needing an eToken password reset to authenticate using PID/password and respond to questions from their identity profile, it would be easy to add another layer of authentication by requiring the user to enter a random one-time password, which they would receive via their VT email account. In addition to being random and one-time use, a validity period could be associated with the password so that it could only be used for a predefined duration (for example, one hour).
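The identity profile described in section 3 (hashed answers, random question selection, blocking after a threshold of invalid responses, counter cleared by a completed reset) together with the e-mailed one-time password with a validity period from the definition above, as one Python model. This is an added example and not the page's or any VT application's code. Everything the page leaves open is an assumption here: the number of questions per attempt and the blocking threshold are placeholders, answers are normalised (trimmed, lower-cased) before hashing, and each answer is stored as a per-answer salt plus PBKDF2-HMAC-SHA256 rather than a bare hash, so that identical answers to different questions do not produce identical stored values. PID/password login happens before this flow and is not modelled.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Assumed parameters (the page leaves the question count and threshold open):
QUESTIONS_PER_ATTEMPT = 3          # questions shown per reset attempt
INVALID_RESPONSE_THRESHOLD = 5     # attempts with wrong answers before blocking
OTP_VALIDITY_SECONDS = 3600        # "for example, one hour"
PBKDF2_ROUNDS = 100_000

def _normalise(answer: str) -> str:
    """Trim, lower-case and collapse spaces so 'Main St' and ' main  st' match (assumed rule)."""
    return " ".join(answer.strip().lower().split())

def hash_answer(answer: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 of the normalised answer; the salt is per answer (assumed)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalise(answer).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

@dataclass
class IdentityProfile:
    """High assurance personal identity profile: question -> (salt, hash of answer)."""
    entries: dict[str, tuple[bytes, bytes]] = field(default_factory=dict)
    invalid_responses: int = 0   # the self-service blocking counter

    def register(self, question: str, answer: str) -> None:
        """Add or replace a question; only the salted hash of the answer is kept."""
        self.entries[question] = hash_answer(answer)

    def blocked(self) -> bool:
        return self.invalid_responses >= INVALID_RESPONSE_THRESHOLD

    def select_questions(self, n: int = QUESTIONS_PER_ATTEMPT) -> list[str]:
        """Random subset for this attempt, so consecutive attempts differ."""
        rng = secrets.SystemRandom()
        return rng.sample(list(self.entries), k=min(n, len(self.entries)))

    def verify(self, responses: dict[str, str]) -> bool:
        """Every presented answer must match; one bad set counts as one invalid response."""
        if self.blocked():
            return False
        all_ok = True
        for question, answer in responses.items():
            if question not in self.entries:
                all_ok = False
                continue
            salt, expected = self.entries[question]
            _, actual = hash_answer(answer, salt)
            # Constant-time compare, and keep going so timing does not reveal which answer failed.
            all_ok = hmac.compare_digest(expected, actual) and all_ok
        if not all_ok:
            self.invalid_responses += 1
        return all_ok

@dataclass
class OneTimePassword:
    """Random one-time value e-mailed to the user, valid for a fixed period."""
    value: str
    expires_at: float
    used: bool = False

def issue_otp(now: float, validity: float = OTP_VALIDITY_SECONDS) -> OneTimePassword:
    return OneTimePassword(secrets.token_urlsafe(12), now + validity)

def redeem_otp(otp: OneTimePassword, presented: str, now: float) -> bool:
    """Accept the value once, and only before it expires."""
    if otp.used or now > otp.expires_at:
        return False
    if not hmac.compare_digest(otp.value, presented):
        return False
    otp.used = True
    return True

def attempt_reset(profile: IdentityProfile, responses: dict[str, str],
                  otp: OneTimePassword, presented_otp: str, now: float) -> bool:
    """Self-service flow after PID/password login: challenge questions, then the e-mailed
    one-time password. Success clears the blocking counter, as a completed reset does."""
    if not profile.verify(responses):
        return False
    if not redeem_otp(otp, presented_otp, now):
        return False
    profile.invalid_responses = 0
    return True
```

Two design points worth noting for whoever builds the real service: verify() checks every presented answer even after one has failed, so the response time does not tell an attacker which question they got wrong, and a blocked profile is rejected before any hashing, so the counter cannot be advanced past the threshold by further guessing.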


6 Comments

  1. Mary Dunker

    We are going to need to re-issue new eTokens to IT employees. Would it be possible/feasible/secure to use something like the high assurance personal identity profile to allow a current eToken holder to receive a new certificate on a new eToken? 

  2. Mary Dunker

    The PMA will need to approve a proposal for allowing remote resetting of eToken passwords. Please consider something like the following scenario:

    1. PMA approves a policy whereby eToken password can be reset using a combination of
      • Challenge questions entered by the eToken owner after having authenticated with his/her eToken to a service that allows them to select questions and enter answers.
      • The eToken owner's supervisor, the person who signed their leave report, or their departmental leave representative is allowed to authorize the eToken owner to reset their password. Authorization is given online via the supervisor's/leave rep's digital signature, which "enables" something to allow the user to reset their eToken password.
    2. User who needs to reset PWD calls 4Help (perhaps StuTel and IRM can also take a call)
    3. 4Help/Stutel/IRM has a way to identify the person who can authorize the user's PWD reset request.
    4. 4Help uses a service that puts something in the "digital signing queue" and sends e-mail to the authorizing party saying there is a request in the queue for them to authorize password reset for someone.
    5. Authorizing party performs authorization using digital signature with VT PDC. After authorization completes, a process sends e-mail to user saying they can now go to a web page where they can log in with PID, answer eToken challenge questions and reset eToken password.

    What do you think? Would this process be "secure enough?" Would it be less trouble than appearing in person someplace to have the eToken password reset?

  3. Randy Marchany

    I think the procedure looks ok. We have to have this service running before we deploy the remaining 6K tokens. We need to remember that not every VT person may be geographically close to the StuTel office when they need to reset their password. If I'm on a business trip and I need to reset my token password, I need this remote reset service.

    I'm also concerned that without this service, we can potentially create a DOS on the token owner. For example, I get a hold of your token, type in 10 bad passwords to log out the token and you're stuck. The remote service helps mitigate this attack.

    I also believe the PMA will have to remove the "don't share token" clause from the Terms and Conditions of Use. Departmental leave reps would violate this requirement and if that happens, they won't use the token. Since the owner is responsible for use of the token (according to the AUP), we are covered from a security standpoint. 

  4. Mary Dunker

    I agree that it is important to provide a remote password reset capability. I hope the software will allow it!

    I am not convinced we need to allow people to share eTokens. There are other ways to allow leave reps to enter information on behalf of someone else without sharing tokens. I will be pursuing this issue with HR and the leave reporting design team.

  5. Mary Dunker

    Mike Naff suggested that we look at a "proxy" capability for digital signatures. Something generic like this might be useful to work into our self-service password reset functionality.

  6. Marc DeBonis

    Is there any concern that an Administrator can effectively reset a token and impersonate the user, even without knowing the user's original password?