We have been getting questions about the security surrounding the shared secret key hashes (seeds) of our hardware tokens. On this page, we describe how this data is secured, operated, stored, and destroyed.
The seeds are randomly generated and sent to the factory in a secure manner (we use GPG encryption).
We store them on our servers for a limited period of time and delete them once the seeds have been transferred to end-users. The servers we use to temporarily store the secret seeds can only be accessed from our office network, and that access is protected with two-factor authentication. Our production servers are located in Switzerland only.
Following the recommendation of RFC 6238 R7, the seeds are permanently stored in UBS Safe, the storage attached to our e-banking account, which has the highest level of security (MFA protected, PCI-DSS compliant, etc.). Compliance with this recommendation, as well as with all other recommendations of RFC 6238, was checked by an external company (CertX AG, the first Swiss accredited certification body for product certification in the scope of industrial cybersecurity and functional safety) and confirmed as part of the Independent Compliance Check report. The report is available here.
When it comes to transferring the keys to end users, we strongly recommend using PGP or GPG encryption to transfer secret keys for all types of tokens. PGP and GPG are popular solutions for encrypting, decrypting, signing, and verifying messages and files, often found in email communications and package repository identity verification. If you are new to PGP, we recommend having a look at PGPTool.
Furthermore, in this context, the following is worth mentioning:
- All our employees use multi-factor authentication wherever possible - in addition to corporate email accounts, personal email and social network accounts are also protected with 2FA.
- TOKEN2 started as a research project with the University of Geneva; the core operations team members hold M.Sc./Ph.D. degrees in Information Security.
If you are still concerned, there is an option of setting the seeds yourself, so you have full control and no one else touches your seeds. This option is only available with our programmable tokens. The procedures are explained below.
TOKEN2 has developed a simple HTML5 application ("Token2 TOTP Toolset") which can be run locally without accessing any libraries/resources on the Internet (including the QR image generation). This application is designed to generate random seeds and produce a CSV file ready to be imported into Azure MFA. The source code of the application is available on GitHub.
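As an added illustration (not the toolset's own code), the following Python sketch does offline what the paragraph describes: it draws seeds from the operating system's CSPRNG, base32-encodes them for programming into a token, computes an RFC 6238 code so a freshly programmed token can be checked against the seed, and assembles the upload CSV. The CSV column layout, the sample UPN, serial number and model are assumptions; verify the layout against the current Microsoft documentation before uploading.

```python
import base64
import csv
import hashlib
import hmac
import io
import secrets
import struct
import time


def generate_seed(nbytes: int = 20) -> bytes:
    """Fresh TOTP seed from the OS CSPRNG (20 bytes = 160 bits, the RFC 6238 SHA-1 default)."""
    return secrets.token_bytes(nbytes)


def seed_to_base32(seed: bytes) -> str:
    """Base32 without padding, the form programmable tokens and authenticator apps expect."""
    return base64.b32encode(seed).decode("ascii").rstrip("=")


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter T = floor(unix_time / step)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, digestmod).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def azure_mfa_csv(rows) -> str:
    """Build the OATH hardware-token upload CSV.
    Column layout assumed here: upn, serial number, secret key, time interval, manufacturer, model."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["upn", "serial number", "secret key", "time interval", "manufacturer", "model"])
    for upn, serial, seed in rows:
        writer.writerow([upn, serial, seed_to_base32(seed), 30, "Token2", "PLACEHOLDER-MODEL"])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one user, one token. The seed exists only in this process;
    # the CSV it produces is what should travel PGP/GPG-encrypted, as the page recommends.
    seed = generate_seed()
    print(azure_mfa_csv([("alice@example.com", "SN-000001", seed)]))
    print("code valid right now:", totp(seed, int(time.time())))
```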
The provisioning will be done in the following way: