
Swekey – An authentication gizmo for Windows, Mac OSX, GNU/Linux

Through my connection with PraizedMedia (a client of Les Laboratoires Phoenix- managed data infrastructure), I received a ‘Swekey’ device. It looks like a normal USB key, but their website seems to push toward something much more useful (and potentially dangerous). Hence, I decided to try it. It is advertised as:

The swekey is a small USB key that secures access to any swekey enabled web sites.
Swekey secured web sites won’t let you login without your swekey plugged to your computer.
The swekey can also be used to secure corporate’s intranet, unix servers access, and database administration.
[...]

Swekey device, Photo by Pascal Charest


The website mentions integration with WordPress, SSH, PuTTY, MediaWiki, Zabbix, Magento, SugarCRM… and much more… In fact they even speak about integration with any OpenID-enabled website, which might be very cool and interesting. Let’s see how it works.

I’m a hacker at heart, so I don’t normally read much of a device’s documentation, but in this case I was lost. How does the device work? Is it a key with an auto-run partition + dedicated browser, is it the equivalent of an RSA key, is there any software to install? To answer my questions, what would be better than some tests on a protected GNU/Linux workstation (which is what normal people do: plug it in and see what happens):

The device auto-detection works and recognizes the device as a USB CD-ROM drive (from dmesg):

usb 2-8: new full speed USB device using ohci_hcd and address 3
usb 2-8: configuration #1 chosen from 1 choice
Initializing USB Mass Storage driver…
scsi10 : SCSI emulation for USB Mass Storage devices
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
usb-storage: device found at 3
usb-storage: waiting for device to settle before scanning
usb-storage: device scan complete
scsi 10:0:0:0: CD-ROM Musbe Swekey 1.03 PQ: 0 ANSI: 0
sr1: scsi-1 drive
sr 10:0:0:0: Attached scsi CD-ROM sr1
sr 10:0:0:0: Attached scsi generic sg3 type 5
cdrom: This disc doesn’t have any tracks I recognize!
usb 2-8: reset full speed USB device using ohci_hcd and address 3

Then: nothing. No auto-mount, no dialog box… Kind of left there. The partition cannot be mounted…

Going to their website, I learn the official working steps: “BUY” (pseudo-done), “PLUG” (done), “REGISTER” (ugh?) and I’m “READY”. The REGISTER section (the step I’m at, right?) gives me a ‘missing plug-in’ error from Mozilla Firefox 3.0.14. OK, browsing “Support”/“Download” informs me of missing dependencies (software must be installed) to access the device. I download the x64 GNU/Linux version and … hum?

pcharest@hydra:~/Desktop/swekey$ cat README
Swekey client
This package install:
- the swekey-client command line tool
- the swekey HAL module
- the swekey Mozilla plugin

The swekey-client command line tool gives you the list of plugged swekeys
and let you calculate OTPs with them.

type:
swekey-client --help
to get the available options

To install swekey-client just type:
sudo ./install
or
./install
if you are root

To uninstall swekey-client just type:
sudo ./uninstall
or
./uninstall
if you are root

I have no idea what an OTP is, but let’s say I try installing the client:

sudo ./install

and validate the device is detected:

./swekey-client --list

It works and gives me a device ID. Good, at least the device is known by the system. I still don’t know how it should work. I guess I should be installing the Mozilla plug-in the README mentioned, but… I never found it. I guess the client install worked (and it was included) because after a Mozilla reload, the Manage section of their web page gives (or it might also be one of the random files I clicked on):

Registration is not mandatory but it will allow you to disable a lost or stolen Swekey.

So… I don’t really need to register the key… let’s try it then (which I’ve been trying to do for quite a long time at this point).

I own quite a few Zabbix servers, so, from the list of supported services:

ZABBIX is an enterprise-class open source distributed monitoring solution.
A swekey integration exists, it is still a patch but you can ask for it if you need to test it.

OK, I still want to test the device, so I try with MediaWiki:

And it started to work well: creation of an account (user + password), then I get asked if I want to bind this account to my Swekey. This won’t allow me to auto-login but will require the key to be present in any computer (with the installed software) to access the account.

Summary: As a summary, I’d say that while it gives boosted security (requires the Swekey to log in), it does seem to go a bit over the limit in the permanent fight between conviviality and security. Installing the software is complicated and might be very problematic on systems without administrator access… Personally, having tried both, I would prefer the PayPal key ID to be integrated into more websites. There is no need to ‘install’ the software on any computer and it gives you the same added security the Swekey does.