~drscream

How a one-time password prevents me from working

One of my customers switched from the regular OpenVPN solution to some closed-source alternative from Juniper. With this change they also decided it would be a good idea to use a hardware token for authenticating on the VPN. Which is basically a good idea to improve security, maybe?!

Now, using the VPN requires my username, password and the one-time password from the token.

I thought it couldn’t be that complicated. In the past I was connected to the OpenVPN all the time during the day, also on weekends. OpenVPN auto-connects without asking me for my credentials because they are stored in the keychain. The SSL certificate was stored on my computer as well, so no user input was required from my side. From a security point of view maybe not ideal, but if someone steals my laptop they still need to hack into my account.

Times changed with the new VPN solution. If my computer goes into sleep mode, the password and one-time password are required to reconnect. After some hours (I think 8 or 12) it disconnects automatically and requires a new one-time password for reconnecting. I also need to carry the hardware token with me all the time.

This really changed my working hours during weekends or randomly at night. I didn’t check emails anymore during that time, because it takes me too much effort to reconnect to the VPN after a disconnect.

From a security point of view I’m also not sure whether that solution creates more security for the company. The only difference is that if someone steals my notebook they also need to steal the token. If my account gets hacked they need the hardware token; in the past they still needed the SSL certificates, which are stored on the computer. I also need to carry the hardware token and my notebook with me all the time to be able to connect, so it’s also possible to steal both.

From my point of view it only means more effort to use the VPN and prevents me from working outside of regular business hours.
