GateKeeper Halberd

Our articles on portable encrypted storage, including this multi-product overview and a follow-up quick look on another, garnered more attention than we originally anticipated, with multiple other companies wanting to get covered on TechPowerUp. Yours truly happened to be, and still is at the time of this article, in Taiwan, riding out COVID-19 when we were approached by Untethered Labs, Inc. via their GateKeeper brand. They just so happened to make a hardware security key that utilizes their experience in proximity enterprise identity for us PC users, and it fit in well with the encrypted prosumer theme. More importantly, it gave me something to do while away from all my other testing equipment, so here we are.


GateKeeper is predominantly an enterprise solution with case studies and partners around the world offering hardware-based wireless two-factor authentication, password/access management, and even simple login credentials all stored via a key. This key, the Halberd, is the subject of this article, although the company has a software solution for smart phones via the integrated Bluetooth module there. It tells us already, thus, that the built-in wireless technology for connectivity is Bluetooth, with the Halberd employing Bluetooth LE for longer battery life. Excuse the photo quality due to the travel limitations.


The company sent along a retail package of their Halberd proximity token, which costs $60 and comes with all you need to set up an individual client. This includes the key fob itself, two low-profile USB proximity sensors, a CR2450 3 V battery with a rated 6-month battery life in the Halberd key, and a lanyard. Enterprise customers also get USB extension cables, wire managers with taped sides to enable a cleaner installation, and a retractable steel badge holder as part of a workstation kit. The company intends for clients to have the Halberd fob (also referred to as a token) on the lanyard itself for direct line-of-sight communication with the USB sensor.


Installing everything is quite simple, and indeed, the accompanying software walks you through it. Simply open the back of the Halberd key to access the battery compartment and install the provided battery with the positive side up. Close it and hit the button on the side for audio-visual confirmation of power (and connectivity status). Once the program is installed, get the key in proximity and physically touch the USB sensor plugged into your PC to register the token as seen above. One-time pass codes are generated every few seconds to maintain the connection, which also prevents duplication of the key for nefarious reasons.


Once the token is paired, you will be prompted to add a user, which can be done via filling out the form or simply choosing the currently logged-in user for single-user applications as was the case here. A pin to go with the Halberd itself is then added for two-factor authentication, and you will see the user and token both registered in the program, with the ability to add more users as needed (for enterprises, not single-user licenses). Indeed, as the company representatives confirmed, the same key "can be registered to multiple computers and used to unlock each computer at the same time if they're in range. But the primary reason for the additional receiver is for use on a single computer to improve signal quality between the client software and token. The software supports multiple USB receivers."


The dashboard tab now displays the user and token information, confirming the Halberd is connected, as well as quick status indicators about battery life, the current lock/unlock decision taken, and the last time the key was connected. The USB sensor logs in contact every 0.4–0.5 seconds based on my tests, which helps with the timed lockout options as we will see soon. Underneath is also the connection signal strength bar, which updates in real time with each connection ping, if you will. You can easily set the lock/unlock decisions to the strength of signal quality, which will on its own suffice for many users, I suspect. The token management tab allows you to add multiple tokens, be it the hardware-based Halberd or the software mobile app itself, as well as change the pin. Note that the program is effectively the same for both single-users and enterprise, with the latter just having more options enabled.


The credentials tab allows users to go beyond just PC login/logout use, with password management for various applications done locally (yes, no cloud management here) via the same AES-256 encryption used with the login credential manager. The only cloud/over-the-air involvement comes via company-signed firmware updates to the Halberd only, which otherwise is in read-only mode. Chrome/Firefox users will also see a browser extension for similar online password management, and a test done to log me automatically on TPU worked as expected. Sometimes, the browser extension does try too hard, however, with any fillable form considered a potential login form. This includes the very draft I am writing now, with the GateKeeper icon displaying next to the draft title as a reminder of another entry I can save if needed.


At the bottom are the various settings allowed for GateKeeper as of version 3.8.11, with some options grayed out for the single-user license. One of these options I would have liked included is the motion detection sensitivity option for the key, which allows the time for the lockout to be adjusted if the connection is not as stable as you would like or the lock/unlock decision is too quick/slow. The available settings are still much appreciated as users are able to choose the actual decision, whether or not the provided pin is involved for a true 2FA experience, and also whether using the button on the side of the Halberd initiates a decision as well. I found a combination of moving away/button to lock my laptop and proximity login + pin the best in an unfamiliar or security-stringent environment. Simple proximity based login/logout were used while I was in a more private (think hotel room, in my case) environment. There is a 15-day license for enterprise options should you want to try it out, but most readers here will likely not want or need more than the free single-user experience. For those who want to try it out, the enterprise version enables GateKeeper Hub—a central management console allowing multiple users per PC as well as other features, including a directory of all users and additional computers, controlling access over all client computers, active directory sync, and even generating usage audit reports. You can read more about the hub here to see if this is something you or your IT team may be interested in.

For $60, the user experience with the hardware Halberd key and the software is quite appealing to those who would benefit from something like this. It is GDPR-compliant, which has been a real boon for many hardware encryption companies, in addition to other standards, compliance is listed here. The software version (Gatekeeper Trident, Android only for now) costs $19.99 for a one-time fee, and the company is checking the possibility of doing a timed trial option at my request. They did say that they are also considering a price reduction since the user experience with a phone Bluetooth chip may be influenced by other factors, and paying $20 without having tested it first may be a harder sell compared to the Halberd hardware token that has been tested successfully on an enterprise level.