The GateKeeper Halberd is a portable security token that lets you log into your computer simply by being in its proximity and automatically logs you out when you’ve moved away from it, relying on the Bluetooth connection to perform the cryptographic key exchange with the receiver. This way, you don’t have to continuously log in and out of a computer, which is the case in many industries, while also removing any possible vulnerability due to human error (and these happen more often than you may think).
I know that this is more than enough to make it the ideal enterprise solution for many businesses out there, but the GateKeeper Halberd went a step further and also included the possibility to securely log into various websites and applications (either by relying on the 2FA technology or the proximity sensing technology).
Keep in mind that the Halberd is actually the second device developed by Untethered Labs and yes, there are some improvements from the previous generation, such as the better processor to help speed up the lock/unlock process (as well as the encryption/decryption), and it now has an accelerometer which, along with the Bluetooth signal monitor, can sense when you’re moving away from the computer, so it can automatically log you out of your account. That being said, let’s put the GateKeeper Halberd to the test and see if it’s indeed the ideal security solution for enterprise environments (as well as for home use).
Design and Build Quality
The security token itself is no larger than a USB drive, featuring a rectangular plastic case covered by a soft black matte finish and at the top, the manufacturer has added a metallic loop piece to allow you to easily add it to a keychain. Unlike the previous models, the Halberd has a small button on the side that you can use to unlock your computer instead of relying on the automatic process (you will still need to be in the proximity of the PC) and there’s also a small LED which will light up green after you press the side button (when starting up the device or when you unlock a PC) and it will start flashing red when the battery needs to be replaced (I got two CR2450 batteries in the package). To insert a battery into the token, you simply need to slide down the rear cover – I noticed that if I wanted to replace the battery, it’s very difficult to take the old one out from its dedicated space.
I have tested a few security-oriented storage devices over the years, such as the SecureDrive BT SSD and the iStorage DiskAshur 2 HDD and both drives were built in such a manner as to not allow anyone to take them apart without destroying the internal circuitry. The GateKeeper Halberd has also put some anti-tampering measures in place making the token crush resistant (and it will also survive being submerged under water).
Besides the token, there’s more stuff in the package, such as the aforementioned couple of batteries, two USB dongles, a lanyard and a retractable badge holder (useful for not worrying about losing the token), as well as a couple of USB extension cables and four wire managers, each very useful in an office, where the access to the back of the PC may not be that easy and where the cable management should be extremely important. In case you don’t want to use the USB dongle, you can rely on the computer’s built-in Bluetooth card (Windows 10 OS) to connect to the Halberd, but the manufacturer says that the dedicated USB dongles will simply perform better (meaning faster).
Installation and Software
Before adding the GateKeeper Halberd as a security layer to your computer, there are two options available, one suitable for enterprise users and the other for single users. For now, I chose the GateKeeper Retail (single use) software which needs to be downloaded and installed on a Windows or Mac machine. After running the program, it will start the New User Setup wizard which will ask you to insert the USB dongle in the computer and press the Scan Token button from the interface. Afterwards, click under Select and Next to set up the user profile (you can choose the logged in user credentials). Press Next and choose a secure PIN number (or generate a random one) and that’s about it, you can now use the token to log in and out of your PC (before moving on, you should also install any available firmware updates using the Updater software).
Clicking on the Dashboard will show some device statistics and the Signal Quality bar, which gets updated every second and allows you to set the range when the Halberd will lock the account and when it will unlock it (it depends on the Bluetooth signal quality). Further down, you can change the Credentials info, as well as the Tokens and yes, you can use the same key on multiple computers, which means that all of them will unlock at the same time when you move near them with the token. Under Settings, you get to change the Proximity Lock Method (the Lock Workstation is going to be suitable if there’s a single account and Disconnect Session when more than one person uses the computer), enable the Button Lock Method (it functions the same as the Proximity Lock, but the trigger will be either the button on the token or on the phone app), set the Inactivity Lock Method (choose after how much time the computer will be locked) and the Unlock Method.
I know that the manufacturer says that the GateKeeper + PIN is the best option and it’s true since it’s going to be the most secure, but most of you will most likely select the Automatic Login since it’s the option that’s going to save the most time (the process of entering a PIN is similar to the PC password authentication). There are a few Advanced Settings available as well, which include the ability to set the Token Visibility Timeout (if the token doesn’t send data packets for some time, the computer will immediately be locked), the Quick return Timeout (if you set the PC to unlock with a PIN, then you can enable this function so that, in case you return to the computer within a specified time frame, you won’t have to enter the PIN again), force the users to insert the PIN from time to time, set the Motion Detection Sensitivity, update the Firmware, Restore it to the Factory Settings and more.
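The separate lock and unlock ranges and the Token Visibility Timeout described above can be modelled as a small state machine. This is an added example, not GateKeeper's code: the dBm thresholds, the timeout value, the `ProximityPolicy` and `transitions` names and the sample readings are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class ProximityPolicy:
    # All values are assumptions for illustration, not GateKeeper defaults.
    unlock_dbm: int = -55            # unlock at or above this signal strength
    lock_dbm: int = -75              # lock at or below this signal strength
    visibility_timeout: float = 3.0  # seconds without a packet before locking

def transitions(policy, samples):
    """samples: (time_s, signal_dbm) pairs; signal_dbm is None when no packet
    arrived. Returns the (time_s, state, reason) changes, starting locked."""
    state, last_seen, events = "locked", None, []
    for t, dbm in samples:
        if dbm is not None:
            last_seen = t
        # Fail closed: a token that has gone silent is treated as absent.
        silent = last_seen is None or t - last_seen >= policy.visibility_timeout
        if state == "unlocked" and silent:
            state, reason = "locked", "visibility timeout"
        elif state == "unlocked" and dbm is not None and dbm <= policy.lock_dbm:
            state, reason = "locked", "signal below lock threshold"
        elif state == "locked" and dbm is not None and dbm >= policy.unlock_dbm:
            state, reason = "unlocked", "signal above unlock threshold"
        else:
            continue  # between the two thresholds nothing changes
        events.append((t, state, reason))
    return events

# Constructed readings: approach, hover mid-range, walk off, return, go silent.
WALK = [(0, -80), (1, -60), (2, -50), (3, -65), (4, -70), (5, -78),
        (6, -52), (7, None), (8, None), (9, None), (10, None)]
# Constructed readings that jitter around a single cut-off of -65 dBm.
JITTER = [(0, -50), (1, -64), (2, -66), (3, -64), (4, -66)]

if __name__ == "__main__":
    for event in transitions(ProximityPolicy(), WALK):
        print(event)
    # Separate thresholds absorb jitter; one shared threshold flaps.
    print(len(transitions(ProximityPolicy(), JITTER)),
          len(transitions(ProximityPolicy(unlock_dbm=-65, lock_dbm=-65), JITTER)))
```

Setting the lock and unlock ranges too close together makes the session flap on ordinary signal jitter, which is why the two are kept apart in this model.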
In case you want to use the enterprise version of the software, then you need to go to https://gkchain.com/portal, create a new account and download the software to your PC. The interface is pretty much identical to the single user utility, but you will now be able to add more than one account. Under Settings, there are a few additional options, such as the Off-Hours Unlock Method (you can set how the PC can be unlocked during off-hours) and the Server Settings. In case you want to use the ability to log in and out of certain applications or websites, you will have to use the GateKeeper Client (Enterprise) to get access to the Custom Apps section and you will also have to be connected to the GateKeeper Hub server, otherwise, you won’t be able to save any old or new credentials for your websites.
The GateKeeper Hub is a bit more complex than the software that you need to run on a PC, with the Dashboard showing far more info (including the number of registered computers, the users, the no. of locks/unlocks done using GateKeeper), some Audits and more. Furthermore, you get to configure the Groups (which are basically different organizations or offices, each grouped by the number of computers and users), you can also manage the Computers that are registered using a GateKeeper token, the Users (you can check the credentials of each user and assign it a specific Department), set what happens when a specific Alert is triggered, view the Reports, the Logs and check where each token is currently positioned (near the PC or farther away).
Functionality and Security
We had a look at the software experience and the installation (which is simple and intuitive), so how does the GateKeeper Halberd actually perform? I set the authentication method to not require any PIN when I get in the proximity of my computer and indeed, as I got closer, the PC logged into my account. I also monitored the Bluetooth signal strength and, as soon as it was in the ‘unlock’ zone, it took a second for the token to log me in. It’s also worth mentioning that as the signal got weaker, it again took about a second to lock the computer. The Bluetooth technology that is currently used by Halberd is Bluetooth 4.0 BLE, so it requires only a very small amount of energy which, thankfully, will extend the battery life expectancy past the advertised 6 months. The Bluetooth 4.0 signal ranges up to 30 feet and, if you set it to maximum range, that’s how far you will have to go until the Halberd completely loses the connection with the USB dongle.
As I said in the previous section, you can easily change the distance at which the token will lock or unlock the PC. The data that is being sent is the battery life, the accelerometer response and the signal strength, so using the latter, it can be set to whichever value you want. This also takes us to a very important aspect of the GateKeeper Halberd and that’s security. When I tested the SecureDrive BT SSD, I said that the Bluetooth technology is quite secure when it comes to data transfer, but it can still be vulnerable to the relay attack, where the attacker impersonates both ends of the connection (the claimant and the verifier). The good news is that Halberd doesn’t send any sensitive data between it and the computer, so a third party would have nothing to gain. Furthermore, any firmware update can only be made wirelessly when the software is signed by Untethered Labs, preventing any attempt at inserting malicious content into the token.
Since it is technically possible to duplicate the GateKeeper tokens, it is advisable to generate, during the registration process, a random Secret Key which will be unique for each device. This key will generate random one-time-passcodes which will then be scanned by the client software and will prevent duplication.
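Why a per-device Secret Key defeats duplication can be shown with a counter-based one-time passcode. This is an added example, not GateKeeper's implementation: the page does not name the algorithm, so RFC 4226 HOTP is used as a stand-in, and `ClientVerifier`, the look-ahead window and the secret are assumptions.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class ClientVerifier:
    """Hypothetical client-side check: accepts each passcode at most once."""
    def __init__(self, secret: bytes, window: int = 3):
        self.secret, self.counter, self.window = secret, 0, window

    def check(self, code: str) -> bool:
        # Look a few counters ahead in case the token advanced unseen.
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # burn this and all earlier counters
                return True
        return False

# Constructed secret (the RFC 4226 test key), standing in for the Secret Key.
SECRET = b"12345678901234567890"

def demo():
    client = ClientVerifier(SECRET)
    genuine = hotp(SECRET, 0)                  # token holding the real key
    clone = hotp(b"copied-id-but-no-key", 0)   # duplicate without the key
    return {
        "genuine": client.check(genuine),
        "replayed": client.check(genuine),     # same passcode seen again
        "clone": client.check(clone),
    }

if __name__ == "__main__":
    print(demo())
```

A duplicate that copies only what the token broadcasts cannot produce the next passcode, and a passcode captured once is rejected when presented again.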
Conclusion
The GateKeeper Halberd proves that a simple device can indeed perform a complicated task and that adding a new layer of security doesn’t always have to add extra steps. So, while before, the users had to log into the account several times a day, the Halberd cuts down that time to zero and moves the manual login process to a proximity sensing authentication. It doesn’t stop at PC accounts either, since the token can also help the users to securely log into various apps and websites. It’s been proven over the years that using a security token is always the best option for removing any phishing attacks (Google claims that this method virtually removed most of the common attacks), so a business will definitely get the most out of the functions of the GateKeeper Halberd. Of course, the device can also be used with a single account (at home) and it’s good practice to ensure that your data is always secure even when you’re not working in an office.
GateKeeper Halberd
Pros
- Simplifies the authentication process on a computer, app or service
- The software allows for a healthy degree of customization
- The Bluetooth connection is secure
- Offers useful accessories for the work in the office
Cons
- The single user software is limited to only locking/unlocking your PC