Are OTP/OATH (RFC 4226) Hardware Tokens Re-seedable?
We set up a two-factor authentication system that uses Google Authenticator to use OTP via mobile phone apps. Some of our users however don't have smart phones so we want to be able to use hardware tokens with it.
If the secret key/seed set by the manufacturer, then someone else obviously may know your secret key. This doesn't seem secure. So wouldn't it make sense if they were re-seedable. Can these types of hardware tokens be reset with a new secret key when you get them? Does it just depend on the key manufacturer?
Solution 1:
There are several hardware tokens that can be seeded.
A cute version is indeed the yubikey, as you need no additional hardware to seed it and all necessary software is publically available. The yubikey even works fine for blind users. But you need a USB port to use it.
There are also the eToken PASS and the eTokenNG OTP, both tokens of SafeNet (former Aladdin). The PASS is a key fob token and can be seeded with an additional device. The eToken PASS can be seeded as an HOTP and a TOTP token.
The eTokenNG OTP is a hybrid device (OTP and Smartcard). It also has a USB connector and can be seeded using this USB connector.
But if some of the users are only lacking smartphones, you could also:
use motp, which will also run on older feature phones or
SMS-Tokens, where the OTP is transmitted via SMS to a mobile phone (not smart). (But I really, really wouldn't recommend this! ;-)
What I would recommend is, take a look at LinOTP or privacyIDEA which is a backend, that works with all these token types (Google Autheticator, YubiKey, eToken Pass, eTokenNG OTP, motp, SMS...) thus giving you the possibility to choose, which user will have which token.
Finally, and yes I work for the company, that provides enterprise extensions for the open source LinOTP.
Solution 2:
Oh, I hate contradicting people.
Yes, you can re-seed a hardware key. Or, to be precise, there exist OATH-compliant hardware tokens that can be re-seeded; specifically, the yubikey. The secret is stored in what is effectively write-only memory; anyone with physical possession of the device can write a secret to it, but it will not give the secret back out; it will only perform OATH and other one-time password operations with it.
I have no connection with the manufacturer; I just liked their products, because I wanted two-factor authentication where I was in control of the secrets. Whilst I don't use mine in OATH mode, I do use it in another OTP mode, and have definitely generated and uploaded my own secrets for both my personal token, and those used by others who use my systems.
If you're curious, I've written more about it in my technote.
In any case, now you know that re-seedable hardware tokens exist, you can look around for one that suits you.