Gatekeeper Two-Factor Authentication review: Needs a consumer-grade overhaul
- 16 October, 2020 02:00
Securing your PC with more than just a PIN or password is easy with Windows Hello’s biometric logins; however, not every PC has the hardware to use it and some users just don’t want to store their fingerprint or have their iris scanned by Windows 10, no matter what the privacy promises are.
Enter the Gatekeeper Wireless Security Key from Untethered Labs. This Bluetooth system works as a one-touch login for your PCs, as well as a password manager that also stores your one-time password codes for two-factor authentication.
It sounds great, but in my opinion this product just isn’t ready for consumers. It was originally designed for enterprises, and instead of modifying it for the consumer market Untethered is offering the same product to the lanyard-less masses. The end result is that Gatekeeper has some trade-offs for home users and just isn’t a practical tool for most people.
First, don’t mistake Gatekeeper for an alternative to devices like the YubiKey. Gatekeeper is more limited as a two-factor authentication device since it does not support FIDO2 one-touch logins for websites. That may never change as Gatekeeper doesn’t store information the way something like YubiKey does. All critical information remains secured on the PC instead.
Gatekeeper has three primary components: the Bluetooth key fob called the Halberd, a low-profile USB Bluetooth sensor, and the Gatekeeper client software. There’s also a password manager browser extension for Chrome and Firefox.
The Halberd runs on a CR2450, 3-volt battery, while the Bluetooth sensor is powered by the PC.
Gatekeeper manages logins via the desktop software, and setup is a relative snap. The one issue I have is that the desktop software uses enterprise language that may be hard for some people to understand. You have to choose between a local or domain account, for example. Either will work based on our tests, but local is the easiest choice for most users.
The rest of the setup is a simple case of choosing a PIN and connecting the Halberd to the desktop software. The Halberd can be used on multiple PCs, though each will need a Bluetooth sensor.
Once that’s taken care of, you’re off to the races. Gatekeeper controls logins by creating what appears to be its own user account on the Windows 10 login screen. I say “appears” because you won’t find a user account in the Settings app. Regardless, the end result is visually the same.
Gatekeeper allows for several different ways to log in, including proximity detection with PIN, an automatic login via proximity detection, and a touch login where you must touch the Halberd to the Bluetooth sensor.
By default, the system uses the proximity detection with PIN. The proximity is quite limited, which avoids accidental unlocks if you have automatic logins enabled. Once you get about 12 to 15 feet from the PC, Gatekeeper locks down the machine.
Gatekeeper is a fun way to log in that is more Mission Impossible than Microsoft Windows, which is why it may appeal to some. The idea with the Halberd is to keep the fob on you at all times, thus preventing others from logging in to the PC without the key fob.
The problem is that Gatekeeper doesn’t stop anyone from logging in the regular way via your usual Windows account. There is a setting to disable Windows accounts in the Gatekeeper desktop app, or to require the Halberd in addition to the regular Windows login; however, these features are available only to enterprise customers. Perhaps that’s a good thing, because if you ever lost the Halberd, or it became unusable, then you wouldn’t be able to get into your PC. We asked Untethered Labs about this and a spokesperson said, “The consumer version of the Gatekeeper application is meant to present the key features of the enterprise solution. Towards this end, we have decided to keep the various configurations to a minimum that is most effective to showcase the Gatekeeper advantages.”
Overall, the system worked very well. There were the occasional oddities where the proximity lock wouldn’t kick in while a full-screen game was running and I walked away from the PC. I also wouldn’t see the Gatekeeper login option sometimes after a full PC shutdown, which makes this product better suited to those who leave their computers on all the time.
As a security device, however, Gatekeeper falls short since you need an enterprise account to actually stop someone from logging in to your PC without the Halberd. This form of login, then, is little more than a convenience for home users.
The password manager
Gatekeeper’s password manager works in two ways. The login information is stored on the desktop client, as well as in the browser extension for Chrome and Firefox. All data is encrypted using AES-256 and you cannot access it without the key fob present.
The password manager works simply enough. The browser extension offers to capture usernames and passwords as you log in to sites, and it autofills your login credentials as you need them. It doesn’t contain extra features that dedicated password managers do, such as document storage or notes. The password manager saves web logins and nothing else.
It also doesn’t have the ability to extract logins from the browser, but it does have an option to export logins to a CSV file via the “Recover Credentials” option at the bottom of the Credentials menu pictured above.
There were some quirks with the password manager’s autofill feature. It would behave oddly in Proton Mail, for example, autofilling the username in the “To:” field of a new mail message. It would also throw in the username for PCWorld’s CMS login when managing articles in the web interface. Some bank sites would also hang with Gatekeeper active in the browser.
Gatekeeper also wouldn’t reliably offer to save a new login the way 1Password or Dashlane would. It would do this sometimes, but not every time, meaning you’d have to enter some new logins manually.
One nice convenience with Gatekeeper’s password manager is that it also saves one-time password (OTP) secrets. This makes it possible to autofill passwords and two-factor authentication codes at the same time. You need the Halberd nearby to use the password manager, so it doesn’t provide easy access to your accounts unless an attacker has access to both the Halberd and your PC with the Gatekeeper application installed.
The big issue with the Gatekeeper password manager for consumers is that there’s no cloud component, meaning your logins and OTP codes aren’t transferred between PCs. It also means you can’t access your passwords on a mobile device. We asked Untethered Labs about this and the company said, “Not at this time but it may be considered in the near future. We are concentrating on the enterprise customers because our goal is to provide a comprehensive access management solution for organizations.”
Pricing and the verdict
The Gatekeeper Halberd system costs $60 for the key fob, USB Bluetooth sensor, software, and a lanyard.
The Gatekeeper system is not for everyone, because it’s not really a consumer device. It lacks many of the conveniences that consumers have come to expect, such as secure cloud storage for passwords in order to have their data available on multiple devices. The Halberd doesn’t use Windows Hello, meaning you must rely on the Gatekeeper client for logging in to Windows. The company tells me the reason for this is that its features, including the automatic PC lock, are not supported by Windows Hello.
It would also be good if Gatekeeper worked with FIDO2 as other Bluetooth and NFC devices do, but that may not be possible since the Gatekeeper key doesn’t store data.
In the end, I’m wondering who would find this device truly usable that’s not part of an enterprise deployment. It would have to be someone who is primarily or exclusively a PC user (there’s also a Mac client), someone who wants a one-touch login convenience for Windows, and a limited password manager built in to their two-factor authentication device. That, to me, seems like a very slim niche.
If, however, Untethered created a consumer-grade Halberd that offered a more full-featured password manager (or at least one with cloud storage for multi-device access), FIDO2 support, and integration with Windows Hello (even if it means losing auto-lock), then we’d have something well worth considering. Right now, it’s a slim audience that would be interested in this as a consumer device.