SecuriKey Professional Edition
Price: US $129.99
I had a near-death experience a few weeks ago. I left my PowerBook in my hotel room. When I opened my laptop bag at the airport to go through screening, I stared at an empty bag. My heart stopped, but only for a few beats. I got the laptop back before my flight left, and was relieved to find that it had not been tampered with. Or so I hoped. But I’d taken no security precautions, so I had no way of knowing if any of my personal data had been accessed. Did I need to start looking for strange charges on my Visa card? Several weeks later, my identity is still my own. So far.
This incident forced me to consider how best to secure my PowerBook. Like many users, I have credit card numbers and other sensitive personal data on my ‘Book. Griffin Technologies (not the same firm as peripherals maker Griffin Tech) has created a security solution called SecuriKey, a USB device that provides hardware security for most Mac OS and Windows computers.
SecuriKey comes in an elegant metal box, with reinforced corners and a hefty latch. The box sets the right attitude, as it screams “SECURE” to anyone who sees it. In exchange for your money, you get two small USB devices (Griffin calls them “tokens”), an installation CD, and a small but useful manual. One token is the primary token, and Mac users can use the second as a spare. Windows users can have two separate users, each with their own token, but no spare.
SecuriKey operation is easy to understand: No token, no work.
Plus, even when the SecuriKey is plugged into the USB port, you still have to know the password. Griffin calls this “two-factor authentication.” If someone knows your password, they still can’t get in without the SecuriKey. If they have the token, but no password, they’re still locked out.
Installation is quick and painless, with the installer prompting to insert the token at the appropriate time. The installer asks you how you wish SecuriKey to operate. If you wish to change your options after the initial installation, you use an OS X Preference pane. You may choose from three options for what happens when the SecuriKey token is removed:
1) Switch to Login Window. This option is what Griffin recommends. If you remove the SecuriKey, you are gracefully deposited at the Login window, but the current user is not actually logged out. You must enter your user name and password to continue. When you have entered them, you pick up right where you left off.
2) Log out the current user. This is more drastic. Removing the token will immediately log out the current user, WITHOUT saving changes. You’ll lose any unsaved work.
3) Shutdown the computer. This will immediately shut down the computer with no warnings and no opportunity to save any unsaved work. As you can see, this is the most drastic option.
SecuriKey is smart enough to allow automatic logins at boot time, as long as the token is inserted when the system is booted. Even so, you’ll need to remember your user name and password for any subsequent reauthorizations. If you don’t have the token inserted when required, and then enter the correct password, the login window vibrates just as it does when an incorrect password is entered. Sooner or later, you’ll remember that you need to put the token in, and then your password will be acknowledged!
Owners of Macs with more than one USB port will be happy to know that SecuriKey will work from either USB port, regardless of which port held the SecuriKey during initial installation. Windows users aren’t so lucky; they must fiddle with their Hardware control panel to get another USB port to recognize the token. This is due to the fact that Windows isn’t as smart as Mac OS X about recognizing new hardware. Windows sees the SecuriKey in a previously unused (to SecuriKey) USB port as a new hardware installation.
I was surprised to find that SecuriKey does not default to requiring a password to wake from sleep. I can only assume that Griffin feels that you will be physically present when your Mac is asleep, as the manual stresses you should always remove the token when away from the Mac. If you wish, you can use the Security Preference pane to require a password when waking from sleep. After installation, SecuriKey can be configured and turned off/on via the preference pane. If you deactivate it, your Mac no longer needs the token, even though the software is still installed.
If you lose the physical SecuriKey token, Mac users can employ the spare, assuming they have it with them! If you’re on the road, and don’t have the spare, Griffin can provide another token IF you are a registered owner. You’ll get the token FedExed to you, but you’ll pay $49.99 plus FedEx charges for it. Personally, I’d always bring the spare token when on the road, and keep it safe, but not in my laptop bag.
I found SecuriKey to work as advertised. Try as I might, I was unable to fool the device, and it worked reliably during my tests. SecuriKey is an easy-to-use method of securing your computer, as long as you remember to remove the token each and every time you are not with your Mac. But is SecuriKey the best bang for your security buck?
Almost all Macs built in the past five years incorporate Apple’s Open Firmware, low-level code running on rewriteable chips on the Mac logic board. Open Firmware is programming that loads as soon as your Mac powers on. Apple has built very secure password protection into Open Firmware that can be enabled via a free Apple-written application called Open Firmware Password.
Here’s the list of Macintoshes that have Open Firmware:
• iBook – all models
• iMac (Slot Loading) and later models
• eMac
• PowerBook (FireWire) and later models
• Power Mac G4 (AGP Graphics) and later models
• Power Mac G4 Cube
• Power Mac G5
The Apple Knowledge Base article on Open Firmware passwords says that it can do the following:
• Block the ability to use the “C” key to start up from a CD-ROM disc.
• Block the ability to use the “N” key to start up from a NetBoot server.
• Block the ability to use the “T” key to start up in Target Disk Mode (on computers that offer this feature).
• Block the ability to start up in Verbose mode by pressing the Command-V key combination during startup.
• Block the ability to start up a system in Single-user mode by depressing the Command-S key combination during startup.
• Block a reset of Parameter RAM (PRAM) by pressing the Command-Option-P-R key combination during startup.
• Require the password to use the Startup Manager, accessed by pressing the Option key during startup (Figure 1).
• Require the password to enter commands after starting up in Open Firmware, which is done by depressing the Command-Option-O-F key combination during startup.
That’s a very comprehensive list, and it provides far more protection than SecuriKey does. With an Open Firmware password, if you simply configure OS X to require a password for the initial login (disable automatic login), and require a password to wake from sleep, your Mac will be as safe as, or safer than, it would be using a SecuriKey. Plus, you don’t need to worry about losing the token, or forgetting to remove it. One disadvantage of SecuriKey is that it does not prevent the Mac from starting from bootable CDs/DVDs, or being used in Target Disk mode. Open Firmware requires the password before either of those two operations.
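As an added example (not from the review or from Apple), here is a shell audit of the three settings this comparison relies on: Open Firmware password, automatic login off, and password on wake. It assumes an Open Firmware Mac where `nvram` exposes `security-mode` (reading it may need root) and the `com.apple.loginwindow` and `com.apple.screensaver` preference keys; the function names are made up for the example.

```shell
#!/bin/sh
# Added example: audit the lockdown settings discussed above.
# Assumption: run from the user's own session on an Open Firmware Mac.

# Open Firmware password is active when security-mode is "command" or "full".
check_firmware() {
    mode=$(nvram security-mode 2>/dev/null | awk '{print $2}')
    case "$mode" in
        command|full) echo "PASS firmware password ($mode)" ;;
        *) echo "FAIL firmware password (security-mode=${mode:-unset or unreadable})"
           return 1 ;;
    esac
}

# autoLoginUser only exists while automatic login is switched on.
check_autologin() {
    if user=$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null); then
        echo "FAIL automatic login enabled for $user"
        return 1
    fi
    echo "PASS automatic login disabled"
}

# askForPassword = 1 means a password is required to wake from sleep.
check_wake_password() {
    ask=$(defaults -currentHost read com.apple.screensaver askForPassword 2>/dev/null)
    if [ "$ask" = "1" ]; then
        echo "PASS password required on wake"
    else
        echo "FAIL no password required on wake"
        return 1
    fi
}

# Run all three checks; the exit status is the number of failed checks.
audit_lockdown() {
    failures=0
    check_firmware || failures=$((failures + 1))
    check_autologin || failures=$((failures + 1))
    check_wake_password || failures=$((failures + 1))
    echo "$failures setting(s) need attention"
    return "$failures"
}

# Only run on a Mac; elsewhere the functions can still be sourced.
[ "$(uname -s)" != Darwin ] || audit_lockdown
```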
Can you get around an Open Firmware password? Sure, a technically adept bad guy can disable Open Firmware, but it involves physically opening up the machine and removing certain components. Or, the bad guy can physically remove the drive, and install it in another case. As the security experts say, if someone has physical access to a machine, they will eventually get in.
One alternative to Open Firmware or SecuriKey is to put all your critical files on a disk image that’s protected by strong 128-bit AES encryption. To do this, just use Disk Utility’s “New Image” command to create a disk image big enough to hold your files, and choose AES-128 encryption. Whenever you need access to your secure data, you mount the disk image, and enter the password. It’s a lot harder to break an encrypted disk image than to remove a drive from a PowerBook. Security is always a tradeoff for convenience. Of course, you need to remember which files need to be secured. Be aware this technique does leave the rest of your computer unsecured, and that may be unacceptable for many.
After using the SecuriKey token for four days, I found that it worked well. I eventually got used to remembering to remove the token when I left my Mac, and then insert the token each time I came back.
For comparison, I used Apple’s Open Firmware password utility to protect my Mac. I also set the Security preference panel to require a password on bootup, as well as when waking after sleep. Normal operation was much like with the SecuriKey: you enter the password to log in after startup. Requiring a password to wake from sleep meant entering the password more frequently than when using SecuriKey. I also had to enter my password each time I put my PowerBook into FireWire Target Disk mode for synchronizing my laptop. The tradeoff was that I did not need to worry about using (or losing) the token.
SecuriKey is a well-engineered USB device that can, if properly used, provide fairly tight security for your computer. It’s not perfect, but it significantly raises the barrier for people trying to get into your machine.
Apple’s built-in Open Firmware passwording can provide security that in some ways is better than SecuriKey’s. While not providing “two-factor authentication,” the password governs more ways of getting access to your data than does Griffin’s device. Perhaps the best approach is to use both an Open Firmware password AND SecuriKey, if you can tolerate the hassle factor. This would provide the best of both worlds.
SecuriKey costs $129.99. Apple’s alternative is free. If you want the security that requiring both the token and a password provides, SecuriKey is the only way to go. If a password-only solution that can restrict more ways of getting into your machine is acceptable, then use Open Firmware.
Typical users will prefer SecuriKey, as it will allow you to use Target Disk Mode, or boot from CDs without having to fool with Open Firmware. An Open Firmware password may be more suitable for advanced users willing to work with Open Firmware, or those desiring tighter (but software only) password protection.
Pro: Easy installation. Reliable. Very easy to use, especially for the average user. Requires both the token and the password to access the computer.
Con: Expensive. Compared to Open Firmware, it allows more ways of circumventing the protection.