
Safeword Authentication

last modified 2008-04-01 06:57

The Safeword authentication service provides strong authentication to validate the identity of a token holder. Safeword provides support for various systems including RCI, Eden, LDS and hostmaster.

Overview

The ESS Safeword authentication service provides a two-factor, one-time-password authentication system using hardware tokens from Secure Computing Corporation. At Rutgers these are also known as Enigma cards, after an older branding from that company. The Safeword authentication service provides strong authentication to validate the identity of a token holder. All users of the service are individually registered with the system, and the resulting security is much stronger than traditional static-password technologies. This technology is used to secure various systems and services run by ESS and may be utilized by groups within Rutgers. The service is funded by fees charged to users, which cover the costs of hardware, licensing, and support.



How it works

New users must first be individually registered with the service. A registered user can then use their token card to authenticate to any protected service to which they have access. When prompted for a password by such a service, the user enters a PIN into the token card. The token then displays an 8-character alphanumeric password. Each time a password is requested a new one is generated. There is no limit on the number of passwords that can be provided, though the life of a token card is limited to about 3 years. Password sequences are different for every card, and strong cryptography is used to prevent a compromise of any token card or of the Safeword servers. Since identity checks are performed when a user is registered, and a secret PIN must be used in addition to physical possession of the token, it is difficult to hack the service or steal someone else's access. Likewise, the level of encryption used by the service (triple-DES) is strong enough that significant computing resources would be necessary to break it. The result is an authentication service of sufficient strength for almost any potential use at Rutgers.



Authentication Services

Users of this service primarily authenticate via one of two available network-based services. The first method is to authenticate indirectly via the ESS RADIUS service. This is most commonly selected for applications such as web servers that have RADIUS authentication capability available to them. The second method is a set of PAM libraries for UNIX that allow capable systems to authenticate directly against the Safeword authentication server. Code for the first method is included in many web servers or can be added by a system administrator when needed. For Apache, mod_radius works well. Code for PAM on Unix is provided by NBCS' RPM software distribution service, and source code can be made available for other operating systems. A number of other, less-used authentication methods are also available from the Secure Computing website, and a few other authentication methods managed by OIT can also perform Safeword authentication (LDAP).



Costs

Users are responsible for paying the cost of licensing and yearly support. When a token card is needed it can be purchased through ESS as well. The safeword authentication service can also support compatible foreign tokens that a user may have acquired elsewhere so long as domain 2 (the authentication domain for the ESS service) is not already in use on such a token and provided the user can supply the necessary secret key for their token to register it with the ESS service.

Item                  Cost
Platinum token        *$50.00
License               *$62.00
Support (yearly)      *$16.00
Administrative Fee    $10.00

* Some products are provided at cost to users of this service. Such fees are subject to revision whenever the costs to ESS change.

License Support is a yearly cost billed to the department in early June. Payment is due before August 1st. Unpaid support results in suspension of service. On registration a new user must pay a pro-rated support cost for any remaining months, whole or partial, in the current term of service. After one year of non-payment on support a user's license will be revoked. Future use of the service will then require re-purchase of a license at full cost.

The administrative fee is applicable to any request that requires changes to the service's authentication database. This includes registering new cards, replacing cards, or reassigning a card to a different person.



Service Level

Services that use the Safeword servers directly can expect at least 99.999% availability. This equates to about 8 hours of total unavailability in a year. There are two caveats to this service level. First, a server using this service must be correctly configured to use all three Safeword servers, so that it continues to work if a single server fails. Second, availability is ultimately only as good as the network over which the service is provided; currently the service level on large portions of that network is best effort.

Services that act as proxies for Safeword authentication will be subject to the service availability agreements for those proxies (RADIUS, LDAP, ETC.).

New user registration can take up to one business day to complete following receipt of payment. New tokens must be picked up by the individual they are registered to so that an ID check can be performed by staff.

Tokens are warranted by the manufacturer for two years*. ESS will replace a broken card purchased through us within that period free of charge, provided the conditions of the manufacturer's warranty are met (i.e., no physical damage or evidence of improper use). ESS has final say on the application of warranty coverage to a failed card. Relevant fees are charged to replace tokens which are lost or cease to function for reasons not covered by warranty. User-replaceable batteries are not covered by warranty.
* Subject to change by the manufacturer. Cards often last 3 years or more.



Subscription and Support Information

All payments for the Safeword authentication service should be made through RIAS. Our supplier name is OIT ESS Authorization Safeword. The item name is Safeword Authentication Token and Service, and the item number is 383.

Requests for registration or support should be made through email to safeword_support@email.rutgers.edu before placing an order in RIAS.

For users on the New Brunswick campus, cards are normally issued by ESS front desk staff in the Administrative Services Building, Room 101, on Busch Campus. For users in Newark, cards can be picked up in Hill Hall, Room 219. For Camden, cards may be picked up in the Business and Science Building, Room 121. A valid photo identification issued by Rutgers or a State/Federal government agency (driver's license, passport, etc.) is required for identity verification when tokens are issued.

Occasionally requests to reprogram older cards are received. Every effort will be made to perform this function, but we do not guarantee it will be successful with cards that are not covered by our warranty. Programming attempts on older cards can result in the destruction of the unit. The customer accepts this risk when making such a request.

The following is a list of total costs for various administrative functions related to the safeword authentication service. Please contact the support email address for needs which are not listed if there is any question as to which fees are applicable.

Activity                                  Cost
Register new user with token purchase     $138.00 (support not pro-rated)
Register new user                         $88.00 (support not pro-rated)
Reassign token to new user                $10.00
Replace failed token (under warranty)     Free
Replace failed token (no warranty)        $60.00



Using your new card

Safeword Platinum cards are programmed with an initial PIN. Safeword Support will provide you with a default PIN before your initial login. When you turn the card on for the first time it will say ENTER PIN (or EP). Enter the default PIN as provided in the documentation that came with your card. It will then prompt NEW PIN. Enter a new 4-digit PIN of your choice. It will request that PIN again; if entered correctly, the new PIN will be set and the card will display the message "SUCCESS". If entered incorrectly the second time, it will start again with NEW PIN. Once the PIN has been successfully changed the card will generate a password. To get additional passwords you can press the Ent button as many times as needed. The card will automatically power off after several seconds of inactivity; once it does, you can turn it on again and enter your newly set PIN for additional passwords at any time.

The Safeword token card and the Safeword server always know which password comes next, based on the last password successfully used. If for any reason the card is allowed to generate 10 unused passwords consecutively, the server will no longer be synchronized with the card. If this ever happens, re-synchronization is accomplished by entering a new password twice in a row.

The Safeword service has an anti-hacking mechanism. Multiple unsuccessful authentication attempts will cause the attack lock to be enabled for a user. This will reset automatically after 30 minutes.



Troubleshooting authentication problems

The Safeword service rarely has problems that a user cannot resolve on their own. Most commonly a user unknowingly enters the wrong PIN by accidentally pressing the wrong button. Please try to diagnose and resolve the problem yourself before contacting Safeword support. Often you will find you do not need our assistance.

If you find you cannot authenticate to the server, follow these steps to resolve the problem:

1. Turn off the token card, turn it back on, and enter your correct PIN. Use the resulting password twice in a row to log in. This does several things. First, it ensures you did not type the PIN wrong. Second, it re-synchronizes the server and your card. Third, it creates two sequential log entries on the server at the same time, so the service administrators can easily find log messages for the failed authentication attempts.

2. If the above fails to authenticate you, your account may have been attack-locked. Wait a minimum of 35 minutes and then try the above procedure again.

3. A few users use Safeword authentication for services like email (IMAP/POP) or web pages. If you have recently provided a Safeword-generated password to a mail or web client, that program may still be trying to use that password to re-authenticate you to a service. Such automated use can easily (and quickly) result in an attack lock being placed on your token card. Make sure no such programs are trying to authenticate for you. Disable anything you find that could be doing this, wait 35 minutes, and try step 2 again.

4. If you still fail to get in, contact safeword_support@email.rutgers.edu.

When contacting Safeword Support please be sure to indicate that you have followed the above steps. Provide your Netid and the approximate times for each of the authentication attempts so that the administrators can find the associated log records for your card.
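The synchronization, re-synchronization and attack-lock behaviour described under "Using your new card" and exercised by the troubleshooting steps above, as an added Python model. This is not code from this page or from the Secure Computing product: HMAC-SHA256 stands in for the token's triple-DES computation (which the page does not describe), the card secret is a constructed sample value, and the lock threshold (5 consecutive failures) and the width of the re-sync search (1000 events) are assumptions, since the page gives neither. Passwords are 8 characters drawn only from the "friendly" alphabet listed in the FAQ.

```python
import hashlib
import hmac

FRIENDLY_ALPHABET = "0123456789AHCPEF"  # the only characters the token displays (FAQ)
PASSWORD_LEN = 8                        # 8-character passwords, as on the page
LOOKAHEAD = 10                          # 10 unused passwords desynchronise the card (page)
RESYNC_LOOKAHEAD = 1000                 # assumption: search width when re-syncing
LOCK_THRESHOLD = 5                      # assumption: page only says "multiple" failures
LOCK_SECONDS = 30 * 60                  # attack lock resets after 30 minutes (page)


def derive_key(secret: bytes, pin: str) -> bytes:
    """Mix the PIN into the card secret. Modelling assumption: a wrong PIN yields
    passwords from the wrong key stream, so they simply fail to verify."""
    return hmac.new(secret, pin.encode(), hashlib.sha256).digest()


def event_password(key: bytes, counter: int) -> str:
    """Password for event number `counter` (HMAC-SHA256 in place of triple-DES)."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return "".join(FRIENDLY_ALPHABET[b & 0x0F] for b in mac[:PASSWORD_LEN])


class TokenCard:
    """The hardware token: a secret, the holder's PIN, and an event counter."""

    def __init__(self, secret: bytes, pin: str) -> None:
        self.secret, self.pin, self.counter = secret, pin, 0

    def press_ent(self, pin_entered: str) -> str:
        # The counter advances whether or not the password is ever used,
        # which is how a card gets ahead of the server.
        password = event_password(derive_key(self.secret, pin_entered), self.counter)
        self.counter += 1
        return password


class SafewordServer:
    """Server-side record for one registered card."""

    def __init__(self, secret: bytes, pin: str) -> None:
        self.key = derive_key(secret, pin)
        self.last_used = -1         # event number of the last accepted password
        self.failures = 0           # consecutive failed attempts
        self.locked_until = 0.0     # attack-lock expiry (seconds)
        self.pending_resync = None  # password seen on the previous failed attempt

    def _find(self, password: str, first: int, count: int):
        # Never look at or below last_used: a used password is never accepted again.
        for counter in range(first, first + count):
            if hmac.compare_digest(event_password(self.key, counter), password):
                return counter
        return None

    def _accept(self, counter: int) -> None:
        self.last_used, self.failures, self.pending_resync = counter, 0, None

    def verify(self, password: str, now: float) -> str:
        """Return OK, RESYNCED, FAIL or LOCKED for one authentication attempt."""
        if self.locked_until:
            if now < self.locked_until:
                return "LOCKED"
            self.locked_until, self.failures = 0.0, 0  # lock expired
        counter = self._find(password, self.last_used + 1, LOOKAHEAD)
        if counter is not None:
            self._accept(counter)
            return "OK"
        # Same unknown password presented twice in a row: widen the search (re-sync).
        if self.pending_resync is not None and hmac.compare_digest(self.pending_resync, password):
            counter = self._find(password, self.last_used + 1 + LOOKAHEAD, RESYNC_LOOKAHEAD)
            if counter is not None:
                self._accept(counter)
                return "RESYNCED"
        self.failures += 1
        self.pending_resync = password
        if self.failures >= LOCK_THRESHOLD:
            self.locked_until = now + LOCK_SECONDS
            return "LOCKED"
        return "FAIL"


def walkthrough() -> list:
    """Replay the page's scenarios; returns the outcome of each attempt in order."""
    secret = b"constructed-card-secret"  # constructed sample value, not a real key
    card, server = TokenCard(secret, "1234"), SafewordServer(secret, "1234")
    results = []
    first = card.press_ent("1234")                                   # event 0
    results.append(server.verify(first, 0.0))                        # OK
    results.append(server.verify(first, 1.0))                        # FAIL: replay
    results.append(server.verify(card.press_ent("1234"), 2.0))       # OK: event 1
    for _ in range(12):                                              # events 2..13 never used
        card.press_ent("1234")
    ahead = card.press_ent("1234")                                   # event 14, outside window
    results.append(server.verify(ahead, 3.0))                        # FAIL
    results.append(server.verify(ahead, 4.0))                        # RESYNCED (entered twice)
    wrong_pin = card.press_ent("9999")                               # event 15, wrong PIN
    results.append(server.verify(wrong_pin, 5.0))                    # FAIL
    results.append(server.verify(wrong_pin, 6.0))                    # FAIL even on re-sync path
    results.append(server.verify(card.press_ent("1234"), 7.0))       # OK: event 16
    for i in range(LOCK_THRESHOLD):                                  # stale password replayed by a mail client
        results.append(server.verify(first, 100.0 + i))              # FAIL x4, then LOCKED
    results.append(server.verify(card.press_ent("1234"), 200.0))     # LOCKED: valid password refused
    results.append(server.verify(card.press_ent("1234"), 104.0 + LOCK_SECONDS + 6))  # OK: lock expired
    return results


if __name__ == "__main__":
    print(walkthrough())
```

Calling walkthrough() shows why the troubleshooting steps are ordered as they are: a password the card has already used is refused, a card that has run 12 passwords ahead is refused once and accepted on the second identical entry, a wrong-PIN password fails on both paths, and a client replaying an old password trips the lock so that even a correct fresh password is refused until the 30 minutes are up. In this model, if the first of the two entries already succeeds within the window, the second is rejected as a replay but the user is already logged in.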



Safeword FAQ

Q: What are the differences between a Platinum V1, Platinum V2, and Gold 3000 token?
A:

  • Platinum V1: Older cards, distinguished by a gray bar running across the front of the card. Non-replaceable batteries.
  • Platinum V2: Newest version of the Platinum cards with replaceable batteries. Has an "L" shaped blue or grey sticker on the upper right hand corner.
  • Gold 3000: Functionally identical to the Platinum cards except in a small keyfob form. Non-replaceable batteries.

We currently issue both Platinum V2 and Gold 3000 tokens. If you prefer a specific token type you may request the type of card you prefer (availability is dependent on current inventory).



Q: I'm having difficulty reading the token's display. Is that a "zero" or an "O"? Is that a "one" or an "I"? How can I tell the difference?

A: The token uses what we call a "friendly" display mode, intended to minimize confusion between similar characters. This includes numbers 0-9 and six letters. Only these characters are used in passwords: 0 1 2 3 4 5 6 7 8 9 A H C P E F



Q: The "on" button on the card does not seem to work and my display is blank/fading. What should I do?

A: The battery may be dead or dying. If you have a V2 Platinum card, you can replace the battery. Access the battery by unscrewing the two small screws on the back of the card and removing the battery cover. Otherwise, if your card's batteries cannot be replaced, contact Safeword Support for replacement.



Q: When I switch my card on, the buttons have no effect and it displays an alternating pattern of "88888888", "********" , "88888888", "********" ...(or some other unusual pattern). What should I do?

A: The card is displaying a preprogramming test pattern. Contact safeword_support@email.rutgers.edu. Your card will need to be reprogrammed or replaced.



Q: When I switch my card on, the buttons have no effect and it displays the error message "ERASEd". What should I do?

A: The programming of the card has somehow been wiped from the card's memory. Contact safeword_support@email.rutgers.edu. Your card will need to be reprogrammed or replaced.

