ST-1 Quick Reference - CRYPTOCardportal.cryptocard.com/documentation/MAS/token_guide/KT2_TokenGui… · is used to guard against unauthorized use. ... Time Password (or ‘response

Copyright © 2008 CRYPTOCard All Rights Reserved Page 1

KT-2 Key Chain Token

QUICK Reference

Overview

The KT-2 Key Chain token generates a new, pseudo-

random TokenCode each time the token is activated.

The token is activated by pressing the button located to

the right and below the LCD display.

A KT-2 PIN consists of a string of 3 to 8 characters that

is used to guard against unauthorized use. If PIN

protection is enabled, the user must provide a PIN with

the one-time TokenCode to authenticate.

Using the KT-2

The token requires no input data to generate a new, one-time TokenCode, but the user must

pre-pend his PIN to the TokenCode displayed by the token in order to generate an acceptable

password.

Generating a TokenCode

Press the button to activate the token. A one-time TokenCode is automatically generated.

Enter the PIN (e.g. 1234) and TokenCode (e.g. 49d98b98) at the password prompt

(123449d98b98).

Copyright © 2008 CRYPTOCard All Rights Reserved Page 2

Token Resync

The purpose of this section is to instruct end-users and administrators how to resynchronize

tokens using the on-line CRYPTO-MAS resynchronization tool.

If too many One-time password Codes (OTP’s) have been generated by a token since the last

time the server received a correct OTP, the server will not recognize the OTP and the token

and server are said to be “out of sync”.

For CRYPTO-MAS, the number of OTPs that needs to be generated by the token to cause the

server and the token to become out-of-sync is defaulted to 25.

Instructions

IMPORTANT: Please ensure that the user has only one token assigned to them. An ‘Access

Denied’ message will appear if the user has multiple tokens.

Step 1:

Open up a browser (IE6, IE7, Mozilla Firefox 1.5+) and go to http://resync.cryptocard.com/.

The following dialog box will appear:

Step 2:

Enter the “User ID” and “Auth ID” and click OK.

Contact your MAS Administrator if you don’t know the “Auth ID’.

Step 3:

You will be presented with a challenge to be entered into your token, along with a field to

enter your next OTP (after the resync process has been completed).

Copyright © 2008 CRYPTOCard All Rights Reserved Page 3

Entering a Challenge into a KT Token:

a) Hold down the button on the KT Token until "Init" appears in the display then let go of the button.

b) The token will automatically start scrolling through a menu, and when "Resync" appears,

immediately click the button to stop the menu from scrolling.

c) “Resync” plus a scrolling digit 0-9 will appear in the display. Press the button to stop the scrolling

when the digit displayed is the first digit (from the left) in the “challenge” (step 3 above).

d) The “Resync” will be replaced by the first digit selected, and scrolling for the next digit in the

“challenge” will begin. Follow the same steps to stop the scolling at the correct digits until the

complete 8-digit “challenge” appears.

e) When the challenge number is correctly entered/displayed, click the button again and a new One

Time Password (or ‘response’) will be automatically generated by the token.

Enter your PIN (if normally required) followed by the OTP displayed on your token into the

dialog box and Click “OK”.

Your token should now be synchronized with the server.

Token PIN Change

A KT Token user can change their Server Side, User Changeable PIN at any time, if the Administrator has

configured the token to allow this.

To change the PIN, browse to the User Self-service web page at http://auth.cryptocard.com/hardware.

You must first authenticate before being presented with the PIN Change page.

Instructions

IMPORTANT: Please ensure that the user has only one token assigned to them. An ‘Access Denied’

message will appear if the user has multiple tokens.

Step 1:

Open up a browser (IE6, IE7, Mozilla Firefox 1.5+) and go to

http://auth.cryptocard.com/hardware. The following dialog box will appear:

Copyright © 2008 CRYPTOCard All Rights Reserved Page 4

Step 2:

Enter the “User ID”, “Auth ID” and your OPT (PIN+TokenCode) and click OK.

Contact your MAS Administrator if you don’t know your “Auth ID’.

Step 3:

After successful authentication you are redirected to the PIN Change page where you are

required to enter your current PIN and the new PIN to complete PIN change process. The PIN

length and complexity reflects the minimum requirements for this specific token.

If the correct Current PIN is entered and the New PIN meets the complexity requirements of

the token a PIN Change Success message is displayed and the New PIN is now in effect and

must be used to Authenticate with.

Copyright © 2008 CRYPTOCard All Rights Reserved Page 5

MAS Token Template

The following table identifies the default KT-2 token configuration. It may be slightly different

depending on your organization’s security policies.

MAS Token Attributes - KT-2

Display

Display Type Base 32

Telephone Mode No

Response Length 8 characters

Automatic Shut-off 30 seconds

PIN

PIN Style Stored on server, User-changeable PIN

Initial PIN 1234

Random PIN Length 4

Min PIN Length 3

Characters allowed Digit Only

Try Attempts 7

Allow Trivial PINs Yes

Operation

Mode QuickLog

Passwords per power cycle Single

User can turn token off Yes

Usage

Operational Flags Force PIN change on next use