FTP has security token

12-01-2009 , 09:17 AM
Quote:
Originally Posted by SoulPower
Did anyone who ordered their token from the Iron Man store actually receive any kind of order confirmation? I ordered mine the day they were announced and have just been assuming it will come.
+1
12-01-2009 , 10:40 AM
I purchased the mobile security key.

Sorry I am a ******, but how do you download the application to your phone?

I have an iPhone

Last edited by thaaxis; 12-01-2009 at 10:50 AM. Reason: retarded
12-01-2009 , 11:43 AM
Quote:
Originally Posted by thaaxis
I purchased the mobile security key.

Sorry I am a ******, but how do you download the application to your phone?

I have an iPhone
You can either use Safari on your iPhone and go to the link provided in the email, or you can simply go to the App Store and search "digipass". You will however need to use the link in Safari to download a specific FTP patch for the digipass application.
12-01-2009 , 11:44 AM
I did a bit of research into the VASCO digipass tokens, and after a bit of experimenting I think I've figured out how it works. I'm actually a little disappointed TBH. Unlike the Stars RSA token, this one doesn't work on a synchronized-time system. Both types of token generate codes in a sequence, based on an algorithm which only the token itself (or mobile app) and poker sites know. However I'm not sure why full tilt says the codes 'expire' after 30 seconds, other than to sound similar to the RSA synchronized-time tokens. Sure the codes are removed from the screen of the token/mobile app after ~30 seconds, but they don't actually expire until you submit either that code (log into FTP) or any code succeeding it. Here's an example of what I did to explain more clearly:

(WARNING: don't try this if you don't understand what's going on, because you can actually throw things out of order and screw yourself :P )

In about a minute, I generated 100 unique codes on my iPod. They were all 6-digit numbers obviously, but I'll refer to them as [code-1, code-2... code-55.... code-100]. As I did so I wrote down code-1, code-20, code-40, code-60, and code-100. Because my iPod only will generate codes in order according to the algorithm, no matter what I do or when I do it, the next code it generates will be a specific code (code-101) which both my iPod and FTP know in advance already.

Because the FTP servers remember the last code I used to log in (in this case code-0, sequentially right before code-1), they are "expecting" me to enter code-1. To allow for mistakes however, the FTP servers will actually accept several codes further down the sequence. So after I logged in using code-1, I logged off and tried to use code-100. It didn't work, so I then tried code-60 which did work. What this means is that the FTP servers will accept somewhere between 60 and 100 codes at any given time. So for example when your token reaches code-500 in the algorithm and you enter it at log-in, FTP will know where your token is in the sequence and will now accept code-501, 502, 505, 520, 540, etc. If you happen to generate forty codes and in fact submit code-540 next, then all the codes between code-501 and 539 (which were previously acceptable) will no longer work.

As far as I can tell, time is not a factor in the process at all. You could generate fifty codes, writing them all down in order on a piece of paper, and as long as you also entered them in order you could go for fifty logins (throughout a month) without your token. Now it's not like the system used by the FTP tokens isn't secure (although I guess there's a higher chance a hacker could simply "guess" a code when ~80 out of 1,000,000 are acceptable rather than the ~3 which RSA will accept at any given time). Yet the fact that you (or someone else) could potentially generate too many codes just messing around, and subsequently lock yourself out is a bit of a nuisance. Also, if a hacker somehow had access to your token, they could generate a code and write it down without your knowing. That code would remain valid until the next time you generated a new code and logged-in. Essentially they could "steal" your token without you realizing it. With RSA anytime you have physical possession of your token you know nobody else knows the currently valid codes.

None of this is a HUGE deal, and I'd still consider the FTP tokens to be a large improvement in security and should cut down on the hackings by a ton. But I would consider them slightly less secure than the stars RSA.
12-01-2009 , 12:07 PM
Quote:
Originally Posted by Yoshi63
I got the mobile app up and running on my iPod touch.

However, I don't really understand how it works. Unlike the stars RSA token, I can generate several new codes in a matter of seconds, and any of them work for my login.
Quote:
Originally Posted by von7thal
it looks like fulltilt stores 20 passwords ahead or so, so the app is not out of sync as fast if properly used.
i'm pretty sure that if you do that too often and don't sync, it won't work anymore.
maybe worth a try for 50+ pws. if it's still working then, i don't really like it that much anymore... imho only ONE pin should work at the time and it shouldn't be possible to generate several passwords within 30 seconds. if the SW is out of sync, it's not that difficult to sync the app again.
Here is an explanation/test a friend of mine posted on another forum regarding this. It looks like the mobile key stores somewhere between 60 and 100 keys:

The thing is, this doesn't make sense because the application isn't a "remote" (it's not communicating with FTP when I generate new pw's). So when I quickly generate 30, the FTP servers have no idea I did this, so if the 30th works then so does the 1st.

I did a bit of research into the VASCO digipass tokens, and after a bit of experimenting I think I've figured out how it works. I'm actually a little disappointed TBH. Unlike the Stars RSA token, this one doesn't work on a synchronized-time system. Both types of token generate codes in a sequence, based on an algorithm which only the token itself (or mobile app) and poker sites know. However I'm not sure why full tilt says the codes 'expire' after 30 seconds, other than to sound similar to the RSA synchronized-time tokens. Sure the codes are removed from the screen of the token/mobile app after ~30 seconds, but they don't actually expire until you submit either that code (log into FTP) or any code succeeding it. Here's an example of what I did to explain more clearly:

(WARNING: don't try this if you don't understand what's going on, because you can actually throw things out of order and screw yourself :P )

In about a minute, I generated 100 unique codes on my iPod. They were all 6-digit numbers obviously, but I'll refer to them as [code-1, code-2... code-55.... code-100]. As I did so I wrote down code-1, code-20, code-40, code-60, and code-100. Because my iPod only will generate codes in order according to the algorithm, no matter what I do or when I do it, the next code it generates will be a specific code (code-101) which both my iPod and FTP know in advance already.

Because the FTP servers remember the last code I used to log in (in this case code-0, sequentially right before code-1), they are "expecting" me to enter code-1. To allow for mistakes however, the FTP servers will actually accept several codes further down the sequence. So after I logged in using code-1, I logged off and tried to use code-100. It didn't work, so I then tried code-60 which did work. What this means is that the FTP servers will accept somewhere between 60 and 100 codes at any given time. So for example when your token reaches code-500 in the algorithm and you enter it at log-in, FTP will know where your token is in the sequence and will now accept code-501, 502, 505, 520, 540, etc. If you happen to generate forty codes and in fact submit code-540 next, then all the codes between code-501 and 539 (which were previously acceptable) will no longer work.

As far as I can tell, time is not a factor in the process at all. You could generate fifty codes, writing them all down in order on a piece of paper, and as long as you also entered them in order you could go for fifty logins (throughout a month) without your token. Now it's not like the system used by the FTP tokens isn't secure (although I guess there's a higher chance a hacker could simply "guess" a code when ~80 out of 1,000,000 are acceptable rather than the ~3 which RSA will accept at any given time). Yet the fact that you (or someone else) could potentially generate too many codes just messing around, and subsequently lock yourself out is a bit of a nuisance. Also, if a hacker somehow had access to your token, they could generate a code and write it down without your knowing. That code would remain valid until the next time you generated a new code and logged-in. Essentially they could "steal" your token without you realizing it. With RSA anytime you have physical possession of your token you know nobody else knows the currently valid codes.

None of this is a HUGE deal, and I'd still consider the FTP tokens to be a large improvement in security and should cut down on the hackings by a ton. But I would consider them slightly less secure than the stars RSA fwiw... which seems about on par.


Mark
FTP has security token Quote
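The look-ahead behaviour described in the two posts above (the code-1 to code-100 experiment), as an added example that is not part of the original posts or of VASCO's or Full Tilt's code. It uses RFC 4226 HOTP as a stand-in for the DIGIPASS algorithm, which the thread does not identify, and an assumed window of 80; `CounterVerifier` and `replay_experiment` are hypothetical names.

```python
import hashlib
import hmac
import struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: a code derived from a shared secret and an event counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class CounterVerifier:
    """Server side: tracks the next expected counter and a look-ahead window."""

    def __init__(self, key: bytes, window: int):
        self.key = key
        self.window = window    # assumed size; the posts only bound it between 60 and 100
        self.next_counter = 1   # code-0 was used last, so code-1 is expected next

    def verify(self, code: str):
        """Return how many codes were skipped on success, or None on rejection."""
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.key, c), code):
                skipped = c - self.next_counter
                self.next_counter = c + 1   # code-c and everything before it is now dead
                return skipped
        return None

def replay_experiment(window: int = 80) -> dict:
    key = b"12345678901234567890"   # RFC 4226 test secret, used as constructed sample data
    token = {n: hotp(key, n) for n in range(1, 101)}   # token side: code-1 .. code-100
    server = CounterVerifier(key, window)
    return {
        "code-1": server.verify(token[1]),               # expected code: 0 skipped
        "code-100": server.verify(token[100]),           # beyond the window: rejected
        "code-60": server.verify(token[60]),             # inside the window: 58 skipped
        "code-40 afterwards": server.verify(token[40]),  # jumped over: rejected
        "code-60 replayed": server.verify(token[60]),    # already used: rejected
        "code-100 retried": server.verify(token[100]),   # window moved: 39 skipped
    }

if __name__ == "__main__":
    for step, outcome in replay_experiment().items():
        print(f"{step:20s} -> {outcome}")
```

The skipped count is the part worth logging on the server: a large jump means codes were generated on the token that never reached the login page.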
12-01-2009 , 12:25 PM
Quote:
Originally Posted by Yoshi63
You can either use Safari on your iPhone and go to the link provided in the email, or you can simply go to the App Store and search "digipass". You will however need to use the link in Safari to download a specific FTP patch for the digipass application.
Thanks for your response.

However, I only received an order confirmation email. There was no link provided.
12-01-2009 , 12:57 PM
I received an email with a link, but Safari doesn't want to open the provided link.
If I try to open the DIGIPASS link, it tells me the address has too many redirections and if I try to open the FTP program link it tells me the address is invalid, I really don't know what to do.
Can someone help me out please?
12-01-2009 , 02:26 PM
I received my RSA token, and I can't log into FTP. I can get into FTP academy, but not the FTP client.
12-01-2009 , 06:55 PM
Can I have both the hard token and the cell phone app one?
12-01-2009 , 07:05 PM
Quote:
Originally Posted by The4thFilm
Can I have both the hard token and the cell phone app one?
Yes
12-01-2009 , 08:27 PM
Got my FTP security token today. Easy setup, impressively small size.

I also setup the mobile version on my iPhone, slightly more difficult setup, but it's also working perfectly.

I was waiting until the physical token arrived before I downloaded and setup the mobile one, so there was no chance of getting locked out if the mobile one flaked out on me (which has apparently happened to some people). And now I have a backup in case I lose either my phone or the token.

Overall very happy w/ the system, better late than never I guess.
12-01-2009 , 08:36 PM
I'm locked out of FTP due to my mobile app and support isn't exactly helping

pretty mad that this hasn't been fixed and I'm probably gonna switch sites if it's not fixed by tomorrow
12-02-2009 , 12:51 AM
Has anyone in the USA received their RSA token yet? I ordered mine an hour after it became available in the store, and still no-show.
12-02-2009 , 12:58 AM
Quote:
Originally Posted by Schwatt
Has anyone in the USA received their RSA token yet? I ordered mine an hour after it became available in the store, and still no-show.
Yes. Several of us have received it (except the security token is not RSA--it's made by someone else). Anyhow, you should receive yours any day.
12-02-2009 , 03:09 AM
Quote:
Originally Posted by TheGunslinger
What delivery service brought it? Did it require a signature?
Anyone?
12-02-2009 , 03:17 AM
why are ppl having trouble w/ the mobile? is it hella hard to set up or something? i wanna get it + real version but dont really feel like getting locked out for 4 weeks while FTPtards do nothing about it.
12-02-2009 , 04:24 AM
Quote:
Originally Posted by von7thal
It looks like it's working on my custom moduca 2.6 rom (which includes android 1.5) but not on the custom moduca 2.8 rom. and also not on the official android 2.0.

lucky lacy me ;-)
that's all what i know.
I have the motorola droid. Really want the app.
12-02-2009 , 05:40 AM
Quote:
Originally Posted by TheGunslinger
Anyone?
UPS, no signature required (was dropped off at my door step while I was sleeping).
12-02-2009 , 12:35 PM
Quote:
Originally Posted by tagtastic
UPS, no signature required (was dropped off at my door step while I was sleeping).
Thank you.
12-02-2009 , 01:06 PM
still couldn't make the mobile phone key work, Safari just can't open these links and FTP support is completely useless...
12-03-2009 , 05:46 PM
FTP keep telling me to download and install netmite then download and install the security token, but it doesn't work on my motorola droid, has anyone had success with this?
12-03-2009 , 06:26 PM
Ordered my hard token 11/3 and still haven't gotten it.
12-03-2009 , 08:49 PM
Quote:
Originally Posted by PartyGirlUK
FTP keep telling me to download and install netmite then download and install the security token, but it doesn't work on my motorola droid, has anyone had success with this?
same. i don't think netmite works on android 2.0 OS which the droid uses. i can't get it to work either.. it just force closes every time i try to run it.
12-03-2009 , 11:17 PM
Quote:
Originally Posted by Yoshi63
None of this is a HUGE deal, and I'd still consider the FTP tokens to be a large improvement in security and should cut down on the hackings by a ton. But I would consider them slightly less secure than the stars RSA.
80 out of a million is very safe. You'd need at least 500 tries to have a slight chance of hitting it. I'm assuming FT has some security process built-in that stops people from one address whiffing more than 10 times; particularly because you only get to that stage after entering the regular username (/email) and password. So we can be pretty sure it's a hacker by then.

But I would assume that the software would lock you and your IP out for at least 24 hrs.

Well, they probably don't have this but they should. Well, maybe they have something like it.

In any case, this token stops people who don't have (or ever had) the physical token from getting into your account, 99.9% of the time, and 99.99999% (or whatever) of the time if they only allow 10 tries.

So my second point is that the RSA token may be more secure but not any better in the real world and possibly more expensive, and more error-prone.
12-04-2009 , 02:07 AM
Quote:
Originally Posted by john voight
why are ppl having trouble w/ the mobile? is it hella hard to set up or something? i wanna get it + real version but dont really feel like getting locked out for 4 weeks while FTPtards do nothing about it.
If you're capable of reading directions and following them it's not the least bit hard.

You download a free application from the App Store. Following the link provided when you purchase the security application. Sync the new app with Full Tilt. Done.