Soft Tokens vs. Hard Tokens

2014-08-03
2014-08-04
  • Rainer Duffner
    2014-08-03

    Hi,

    I've got a general question.
    Currently, we use a rather old version of EJBCA for all our VPN-certificates and for convenience, we only issue Soft Tokens. I plan to modernize that, as time permits.

    Do people normally issue soft-tokens for the above purpose?
    How difficult would it be to issue Hard Tokens (i.e. Smart Cards) for VPN-access?
    (Cisco AnyConnect VPN Client). Is it actually doable, even if we can mandate the SmartCard, the reader and the VPN-Client (OS is still in the realm of the Client, usually Windows, but we have Mac OS X and of course iOS users, too, who, if they don't already run the Beta of the next OSX/iOS version, insist on upgrading when it goes gold and then complain that the client doesn't work anymore...)?

    I ask, because Soft Tokens just seem "too easy" to generate (and because there is no real process behind it, nobody ever revokes a Soft Token).
    Also, you can copy around a Soft Token as much as you want. I imagine people treating SmartCards a bit more like their bank cards. We'd also charge more money when someone loses it ;-)

    I confess that I want to solve a problem created by lack of process and discipline simply via a technical measure, but still, it bothers me.

    Another point: how do you handle iOS devices with a supposed policy of Hard Tokens?
    Some time ago, I did some research and there were SmartCard adaptors for iDevices - but they were all very expensive. It looks like they've come down a bit, but still, 150 USD per reader is steep.
    Is there a way to make sure the enrollment actually takes place on an iPad/iPhone, so that the certificate sits on the device only?

    We are an ISP, the typical number of Client Certificates per VPN-device is probably in the low double digit (I've delegated the handling of all this stuff to the network-people - thank god even EJBCA 3.x let me do that - so I don't even know the exact numbers).

     
  • There is a mix between soft and hard tokens used by different organizations. A lot of soft tokens for sure.
    Soft tokens are revoked, that's one of the ways to manage the security level of course, you have the means to revoke.

    Issuing smart cards to USB tokens is common for workstations and laptops.

    Smart card readers for phones are probably a very small market today. The trend seems to be going towards SEE or security elements instead. Soft tokens are the most common today.

    Cheers,
    Tomas