Are OTP/OATH (RFC 4226) Hardware Tokens Re-seedable?

Question

We set up a two-factor authentication system that uses Google Authenticator to use OTP via mobile phone apps. Some of our users however don't have smart phones so we want to be able to use hardware tokens with it.

If the secret key/seed set by the manufacturer, then someone else obviously may know your secret key. This doesn't seem secure. So wouldn't it make sense if they were re-seedable. Can these types of hardware tokens be reset with a new secret key when you get them? Does it just depend on the key manufacturer?

Answer 1

There are several hardware tokens that can be seeded.

A cute version is indeed the yubikey, as you need no additional hardware to seed it and all necessary software is publically available. The yubikey even works fine for blind users. But you need a USB port to use it.

There are also the eToken PASS and the eTokenNG OTP, both tokens of SafeNet (former Aladdin). The PASS is a key fob token and can be seeded with an additional device. The eToken PASS can be seeded as an HOTP and a TOTP token.

The eTokenNG OTP is a hybrid device (OTP and Smartcard). It also has a USB connector and can be seeded using this USB connector.

But if some of the users are only lacking smartphones, you could also:

1. use motp, which will also run on older feature phones or

2. SMS-Tokens, where the OTP is transmitted via SMS to a mobile phone (not smart). (But I really, really wouldn't recommend this! ;-)

What I would recommend is, take a look at LinOTP or privacyIDEA which is a backend, that works with all these token types (Google Autheticator, YubiKey, eToken Pass, eTokenNG OTP, motp, SMS...) thus giving you the possibility to choose, which user will have which token.

Finally, and yes I work for the company, that provides enterprise extensions for the open source LinOTP.

Answer 2

Oh, I hate contradicting people.

Yes, you can re-seed a hardware key. Or, to be precise, there exist OATH-compliant hardware tokens that can be re-seeded; specifically, the yubikey. The secret is stored in what is effectively write-only memory; anyone with physical possession of the device can write a secret to it, but it will not give the secret back out; it will only perform OATH and other one-time password operations with it.

I have no connection with the manufacturer; I just liked their products, because I wanted two-factor authentication where I was in control of the secrets. Whilst I don't use mine in OATH mode, I do use it in another OTP mode, and have definitely generated and uploaded my own secrets for both my personal token, and those used by others who use my systems.

If you're curious, I've written more about it in my technote.

In any case, now you know that re-seedable hardware tokens exist, you can look around for one that suits you.

Answer 3

No, you can't re-seed a hardware key.

The seed value on [compliant] OTP/OATH hardware keys is stored, encrypted, in RAM. In order to extract or alter the key, you'd need to break the encryption and alter the memory, while it's powered on, which is just not feasible. (Because these devices use RAM to store the seed value, if you disconnect the battery/power, you lose those contents and brick the device.)

And, just as something to consider, how do you know that someone may know your key's seed value? Just because it's set at the factory doesn't mean that any person ever knows your key's seed value, let alone knows your key's value and can associate it with your key. (My computer generates crypto keys all day long for things like SSL websites, doesn't mean I could tell you any of those key values if my life depended on it.)