Page 1
Copyright © 2008 CRYPTOCard All Rights Reserved Page 1
KT-2 Key Chain Token
QUICK Reference
Overview
The KT-2 Key Chain token generates a new, pseudo-
random TokenCode each time the token is activated.
The token is activated by pressing the button located to
the right and below the LCD display.
A KT-2 PIN consists of a string of 3 to 8 characters that
is used to guard against unauthorized use. If PIN
protection is enabled, the user must provide a PIN with
the one-time TokenCode to authenticate.
Using the KT-2
The token requires no input data to generate a new, one-time TokenCode, but the user must
pre-pend his PIN to the TokenCode displayed by the token in order to generate an acceptable
password.
Generating a TokenCode
Press the button to activate the token. A one-time TokenCode is automatically generated.
Enter the PIN (e.g. 1234) and TokenCode (e.g. 49d98b98) at the password prompt
(123449d98b98).
Page 2
Copyright © 2008 CRYPTOCard All Rights Reserved Page 2
Token Resync
The purpose of this section is to instruct end-users and administrators how to resynchronize
tokens using the on-line CRYPTO-MAS resynchronization tool.
If too many One-time password Codes (OTP’s) have been generated by a token since the last
time the server received a correct OTP, the server will not recognize the OTP and the token
and server are said to be “out of sync”.
For CRYPTO-MAS, the number of OTPs that needs to be generated by the token to cause the
server and the token to become out-of-sync is defaulted to 25.
Instructions
IMPORTANT: Please ensure that the user has only one token assigned to them. An ‘Access
Denied’ message will appear if the user has multiple tokens.
Step 1:
Open up a browser (IE6, IE7, Mozilla Firefox 1.5+) and go to http://resync.cryptocard.com/.
The following dialog box will appear:
Step 2:
Enter the “User ID” and “Auth ID” and click OK.
Contact your MAS Administrator if you don’t know the “Auth ID’.
Step 3:
You will be presented with a challenge to be entered into your token, along with a field to
enter your next OTP (after the resync process has been completed).
Page 3
Copyright © 2008 CRYPTOCard All Rights Reserved Page 3
Entering a Challenge into a KT Token:
a) Hold down the button on the KT Token until "Init" appears in the display then let go of the button.
b) The token will automatically start scrolling through a menu, and when "Resync" appears,
immediately click the button to stop the menu from scrolling.
c) “Resync” plus a scrolling digit 0-9 will appear in the display. Press the button to stop the scrolling
when the digit displayed is the first digit (from the left) in the “challenge” (step 3 above).
d) The “Resync” will be replaced by the first digit selected, and scrolling for the next digit in the
“challenge” will begin. Follow the same steps to stop the scolling at the correct digits until the
complete 8-digit “challenge” appears.
e) When the challenge number is correctly entered/displayed, click the button again and a new One
Time Password (or ‘response’) will be automatically generated by the token.
Enter your PIN (if normally required) followed by the OTP displayed on your token into the
dialog box and Click “OK”.
Your token should now be synchronized with the server.
Token PIN Change
A KT Token user can change their Server Side, User Changeable PIN at any time, if the Administrator has
configured the token to allow this.
To change the PIN, browse to the User Self-service web page at http://auth.cryptocard.com/hardware.
You must first authenticate before being presented with the PIN Change page.
Instructions
IMPORTANT: Please ensure that the user has only one token assigned to them. An ‘Access Denied’
message will appear if the user has multiple tokens.
Step 1:
Open up a browser (IE6, IE7, Mozilla Firefox 1.5+) and go to
http://auth.cryptocard.com/hardware. The following dialog box will appear:
Page 4
Copyright © 2008 CRYPTOCard All Rights Reserved Page 4
Step 2:
Enter the “User ID”, “Auth ID” and your OPT (PIN+TokenCode) and click OK.
Contact your MAS Administrator if you don’t know your “Auth ID’.
Step 3:
After successful authentication you are redirected to the PIN Change page where you are
required to enter your current PIN and the new PIN to complete PIN change process. The PIN
length and complexity reflects the minimum requirements for this specific token.
If the correct Current PIN is entered and the New PIN meets the complexity requirements of
the token a PIN Change Success message is displayed and the New PIN is now in effect and
must be used to Authenticate with.
Page 5
Copyright © 2008 CRYPTOCard All Rights Reserved Page 5
MAS Token Template
The following table identifies the default KT-2 token configuration. It may be slightly different
depending on your organization’s security policies.
MAS Token Attributes - KT-2
Display
Display Type Base 32
Telephone Mode No
Response Length 8 characters
Automatic Shut-off 30 seconds
PIN
PIN Style Stored on server, User-changeable PIN
Initial PIN 1234
Random PIN Length 4
Min PIN Length 3
Characters allowed Digit Only
Try Attempts 7
Allow Trivial PINs Yes
Operation
Mode QuickLog
Passwords per power cycle Single
User can turn token off Yes
Usage
Operational Flags Force PIN change on next use