Information security is now front and centre, thanks to a more dispersed workforce: people working from home and remotely accessing the important data that help drive businesses. Even before this shift to remote working, organisations were worrying about data security. There is a movement to implement security on a zero-trust basis, which can be done by securing devices, networks and internal applications with ongoing authentication and audit on a per-request and per-action basis.
Still, some data are located on mobile computers such as laptops or desktops used by remote workers. Securing these devices can involve adding hardware-based storage encryption, location-based management and other measures.
The Gatekeeper Halberd device helps implement another layer of security by allowing companies to use Bluetooth-enabled tokens to enforce proximity-based wireless computer and website login.
I have been using the Gatekeeper Halberd for a couple of months now - both with laptops at work and a desktop at home to implement an extra layer of access security to these devices.
Using Bluetooth technology, the Gatekeeper Halberd fits several scenarios: eliminating manual logins, proximity-based lock and unlock, and acting as a password manager. The device can be used as an authentication factor with multiple computers, with both local and directory accounts. When it is used with directory accounts, IT can remotely manage the options to ensure they follow the organisation's specific guidelines.
In my case, I have tested it both with a local Microsoft account (desktop) and a directory account but without central management (laptop).
The Gatekeeper Halberd device itself is a small (keyring-sized) token powered by a coin battery. It can easily be attached to a lanyard or a retractable belt-clip, or even kept in your pocket (don't lose it!). The only user interface is a small button that can be used to quickly lock your computer with a single press.
The whole configuration is managed from an app, currently available for Windows and macOS (High Sierra and Mojave). Once installed, the app sets up a couple of services that allow the OS to act according to the settings you specify there (or the IT policies).
If you have a Bluetooth-enabled Windows 10 computer then you are set to go - otherwise, you will need to use a small USB Bluetooth adapter provided with the security key.
Pairing the wireless key with the computer is pretty simple: you just need to follow a couple of steps that associate the Gatekeeper Halberd with your account. The Token Management screen shows the tokens currently associated with your computer account, including address, serial number and battery level. It also works on a shared computer with individual accounts - each user will have their own Gatekeeper Halberd token linked to their account.
The credentials management screen allows you to manage the computer account as well as web credentials. These can later be used with a browser add-on to allow you to automatically fill login forms to websites when the Gatekeeper Halberd is present.
The app dashboard shows the current token, battery level and signal quality. You can easily move a slider representing minimum "Lock" and "Unlock" levels, which are related to the distance between the security key and your computer.
Those are the basics. You can then fine-tune the experience using the Settings page, and this is where things get interesting. For example, you can select what action to take when the token is far enough from the computer (as defined by the dashboard slider). The options are "Disabled" (do nothing), "Lock workstation", "Switch user" and "Logout". You can also set what pressing the button does, with the same options available.
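The separate "Lock" and "Unlock" levels matter because the signal is noisy: if both sit at the same point, small fluctuations can toggle the session. The sketch below is an added example, not Gatekeeper's code; the 0-100 signal scale, the threshold values, the consecutive-sample rule and the names `run_policy` and `TRACE` are assumptions made for illustration.

```python
"""Proximity lock/unlock decision with two signal thresholds (hysteresis).

Illustrative model only: the threshold values, the 0-100 signal scale and
the 'consecutive samples' rule are assumptions, not the vendor's algorithm.
"""

LOCKED, UNLOCKED = "locked", "unlocked"


def run_policy(samples, lock_below, unlock_above, needed=2, start=UNLOCKED):
    """Return the list of (sample_index, new_state) transitions.

    lock_below   -- lock once `needed` consecutive samples fall below this
    unlock_above -- unlock once `needed` consecutive samples rise above this
    """
    if lock_below > unlock_above:
        raise ValueError("lock threshold must not exceed unlock threshold")
    state, streak, events = start, 0, []
    for i, level in enumerate(samples):
        if state == UNLOCKED:
            crossing = level < lock_below
        else:
            crossing = level > unlock_above
        streak = streak + 1 if crossing else 0
        if streak >= needed:
            state = LOCKED if state == UNLOCKED else UNLOCKED
            events.append((i, state))
            streak = 0
    return events


# Constructed signal-quality trace (0-100): user at the desk, a noisy
# patch around 50 while leaning back, walks away, then returns.
TRACE = [80, 78, 52, 48, 47, 53, 54, 46, 45, 55, 56, 49, 20, 15, 10, 12, 30, 60, 75, 80]

# Thresholds set to the same level: noise around 50 toggles the session.
flapping = run_policy(TRACE, lock_below=50, unlock_above=50)

# Separate thresholds: only the real departure and return cause a change.
stable = run_policy(TRACE, lock_below=35, unlock_above=65)

if __name__ == "__main__":
    print("single threshold:", flapping)
    print("two thresholds:  ", stable)
```

With the two levels apart, the constructed trace produces one lock when the token leaves and one unlock when it returns; with both at 50 the same trace produces six transitions.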
The unlock method is where you set how the computer will behave when you come near it while it is locked. You can select "Automatically login" (the least secure option, for obvious reasons), "Press Enter key to login" (where you just push Enter and the Gatekeeper service logs you in automatically), "Touch login" (for tablets) and "Gatekeeper with PIN" - which is the option I use.
You can also force users to enter their username and password after the Gatekeeper authentication (listed above).
While "Gatekeeper with PIN" gives you two-factor authentication, with the default settings Windows will still present - and accept - a login list when starting up the computer or unlocking. You could simply click on the username and enter the Windows PIN/password, bypassing the Gatekeeper service.
There are two options here: you could make sure Windows uses a very strong, long password that you would have to keep somewhere else (an external password keeper), or disable the "Windows username/password login" option. The latter would make it impossible to log in to your computer without having the Gatekeeper Halberd token and knowing the Gatekeeper PIN. But be warned: if you change this setting and you lose the Gatekeeper Halberd device, you also lose access to your computer. Hence the very long Windows password as a backup (which means lowered security in some scenarios).
As mentioned, there is a Gatekeeper browser add-on available for Chromium-based browsers. This add-on works together with the application: if you add web credentials to the Credentials database, they will show up in the browser add-on and vice versa. You can then easily manage the credentials list from either the browser or the app. The add-on can be enabled to automatically fill login forms, making it a secure repository for your passwords. Unfortunately, while you can export your passwords to a .CSV file, there is no automatic sharing between computers, so you need to manually load these credentials on each computer you might be using.
Alternatively, you can use your Android smartphone as an authentication token. The principles are the same, but the token is implemented as a mobile app. This can be a good alternative for businesses that want quick deployment without the need to distribute hardware. The app is not free but costs less than the hardware token itself. Organisations wanting to centrally manage security policies would still have to license the Gatekeeper Enterprise software, though.