The GateKeeper client software is only really available for Windows 7+. A macOS version is available for High Sierra and Mojave, but this has been borked by changes made in Catalina, and no plans for an update have been announced yet. There is also currently no Linux support.
The GateKeeper Trident app is available on Google Play and runs on Android 7+ phones. The Android device must support Bluetooth Low Energy (BLE) advertising, which most do these days. The app is not available for iOS, but iPhone users can always use a Halberd Proximity Token instead.
The GateKeeper client software is free for personal use, but it requires a physical access token and a Bluetooth proximity detector.
The access token can be the GateKeeper Trident app, which is available from the Google Play Store for $19.99 USD (or local equivalent).
If your computer features an internal BLE transmitter, then you can use this as the Bluetooth proximity detector. In most cases, though, you’ll need to purchase a USB proximity sensor dongle; these cost $20 each.
Alternatively, you can purchase a Bluetooth Low Energy “Halberd Proximity Token” for $60 each, which includes 2 USB proximity sensor dongles. Multipack discounts are available for organizations.
The Halberd Proximity Token came bundled with 2x USB proximity sensor dongles, 2x USB extension cables with cable management clips for easy mounting, a spare battery, a neck cord, and a corded belt fob. This all seems pretty good value to us.
GateKeeper Enterprise is not the focus of this review, but we’ll note that it starts at $3 per user, per month, for the 'Core' plan, $5 per user, per month, for the 'Advanced' plan, and $8 per user, per month, for the 'Ultimate' plan. These plans give potential subscribers a number of different options depending on their business requirements.
In addition to the subscriptions, enterprise customers can elect to use a selection of supported fingerprint readers as hardware authenticators. And, the option is there to purchase a variety of proximity sensors and tokens depending on what the company needs.
- Automated hands-free proximity-based lock and unlock
- 2FA lock and unlock (requires entering a PIN)
- HIPAA, GDPR, NIST, and CJIS compliant
- Password manager
- Centralized access management dashboard (Enterprise only)
Centralized access management dashboard
This web-based dashboard is designed for Enterprise use only and provides advanced monitoring and management functionality.
Managers can examine lots of useful metrics, such as which team members logged in to which computers, and for how long. Team members and computers can be organized into groups (e.g. by department), managers can set up alerts based on a variety of triggers (such as a login failure or a specific computer being unlocked), and much more.
Privacy and Security
GateKeeper is developed by the US-based Untethered Labs, Inc. Edward Snowden showed the world that the US is subject to high levels of mass government surveillance, but since no passwords or other data are sent back to GateKeeper, this will not be an issue in practice.
The only fly in the ointment is that, since all GateKeeper software is closed source, there is no way to know for sure it isn’t doing anything sneaky. It probably isn’t, but who knows?
Passwords are not stored on the physical tokens (either on the phone or on the Halberd token). They are only stored locally (so no multi-device syncing) on your PC, where they are secured using AES-256 encryption. This is FIPS 140 compliant, making GateKeeper suitable for use inside the US government.
GateKeeper uses Bluetooth 4 LE, so tokens have a maximum range of 100m. Read-only device firmware prevents cryptographic key readback if an attacker gains physical access to the token.
In order to prevent the duplication of tokens, a secret key can (optionally) be written to a token that can be used to generate one time passcodes which are advertised as part of the Bluetooth advertisement packets and scanned by the client software. These codes are changed every few seconds and ensure your token is cryptographically unique.
At least, that’s the theory. We are not sure if this feature is fully implemented in the desktop software yet. It was promised for January 2019, but the option was grayed out for us in the app’s settings.
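The rotating-code idea described above can be sketched as follows. This is an added example, not GateKeeper's code: the page does not say which algorithm the token uses, so the HMAC-SHA256 construction, the 5-second step, the 4-byte code length and all names here are assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 5   # assumption: the page only says "every few seconds"
CODE_BYTES = 4     # assumption: truncated so it fits in an advertisement payload
SKEW_STEPS = 1     # tolerate one step of clock drift in either direction


def rolling_code(secret: bytes, token_id: bytes, now: float) -> bytes:
    """Code the token would advertise at time `now`."""
    counter = int(now // STEP_SECONDS)
    msg = token_id + struct.pack(">Q", counter)
    return hmac.new(secret, msg, hashlib.sha256).digest()[:CODE_BYTES]


class Verifier:
    """Client-side check of an advertised code against the shared secret."""

    def __init__(self, secret: bytes, token_id: bytes):
        self.secret = secret
        self.token_id = token_id
        self.last_counter = -1  # newest time step accepted so far

    def check(self, advertised: bytes, now: float) -> str:
        current = int(now // STEP_SECONDS)
        for counter in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
            expected = rolling_code(self.secret, self.token_id,
                                    counter * STEP_SECONDS)
            if hmac.compare_digest(expected, advertised):
                if counter < self.last_counter:
                    return "replay"  # older than a code already accepted
                self.last_counter = counter
                return "ok"
        return "reject"  # no secret (copied ID only) or a stale capture


if __name__ == "__main__":
    secret = bytes(range(16))                 # constructed sample key
    token_id = bytes.fromhex("0a0b0c0d0e0f")  # constructed sample token ID
    t0 = 1_700_000_000.0
    v = Verifier(secret, token_id)
    code = rolling_code(secret, token_id, t0)
    print(v.check(code, t0))                                    # genuine token
    print(v.check(rolling_code(b"\0" * 16, token_id, t0), t0))  # copy without the key
    print(v.check(code, t0 + 60))                               # old capture played back
```

A device that only copies the advertised identifier fails the check, because it cannot compute the next code without the secret written to the genuine token.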
The biggest danger is that tokens are quite easily lost or stolen. This can be mitigated by also requiring a PIN to log in (for 2FA, which is the default setting), but this loses the convenience and wow factor of contactless login.
Centralized access management dashboard
The centralized access management dashboard for enterprise users is designed to be self-hosted on your company server, so no data is sent back to GateKeeper. All personal data collected by the server software is also encrypted using AES-256.
So from a management perspective, the GateKeeper server software is secure and private. Employees, however, should be aware that the access management dashboard provides managers with a great deal of information about when, how long, how many times, etc., they are logged into their computers.
Quite extensive documentation is available on the website, including a number of detailed reference documents. If you have further questions, you can contact Untethered Labs via ticketed email form, phone (US Maryland number), or Live Chat.
The Live Chat is not 24/7, though a response is promised within 24 hours. When we posted a query, the response arrived the next day and answered our questions clearly.
Ease of use
Halberd Proximity Token
Setup using the Halberd Proximity Token is very easy. Just insert the provided battery into the token and place it close to the USB proximity sensor dongle, which is inserted into any USB port of your PC.
The Token is well made, with a sturdy plastic shell. USB extension cables and cable clips are provided for convenient placement of the sensor dongle, but given that you can opt to unlock your PC from a user-definable distance away (see below), we didn’t find such careful placement necessary.
Then just install the Windows app and run through the pairing process. This involves choosing a PIN, but is very straightforward.
You can add and manage as many tokens as you like.
The Dashboard allows you to customize how the token works by specifying the signal strength required to lock or unlock your PC. Since signal strength is directly related to the distance between the token and receiver, this setting basically decides how close you need to be to your PC for the token to lock or unlock it.
The Halberd Proximity Token contains an accelerometer, which helps the software identify and lock the PC when you move away from it.
There are plenty of more advanced settings to play with, arguably the most important of which is whether to use the GateKeeper token as a 2FA device backed up by a PIN, or as an automatic hands-free unlocking device. Many of the Advanced settings, however, were grayed out for us, for reasons unknown.
In use, we found the whole setup worked very well, although we would have liked to fine-tune the timeout settings, which we were unable to do because they were grayed out.
It is worth noting that you can still unlock your PC using your Windows password, so it is important to ensure this is highly secure if you are to benefit from using GateKeeper as a 2FA device. Fortunately, you won’t need to enter it all the time once GateKeeper is in place.
GateKeeper Trident app
Instead of the Halberd Proximity Token, you can use your Android phone as the physical token needed for GateKeeper to work. This requires you to install the GateKeeper Trident app from the Play Store.
Setup is performed in the Windows app and is identical to setting up a Halberd token. In all other ways, your phone now behaves just like a Halberd token.
We found the app to be stable and it locked and unlocked our computer reliably. With a rating of 4.4/5 on the Play Store, it seems most users are also happy with it.
The desktop client includes a password manager with an associated Chrome browser extension (a Firefox extension is mentioned on the website but doesn’t seem to actually exist at the time of writing this review).
It has to be said that, as a password manager, GateKeeper is quite basic. It remembers and auto-fills passwords, and that’s about it. There is no password import feature or syncing across devices.
Annoyingly, it remembers passwords when you log into a website, but not when you first register for one. This may be a mild inconvenience by itself, but it also ruins the extension’s most interesting feature: built-in TOTP authentication.
In theory, the GateKeeper Chrome extension will capture and authenticate TOTP 2-Factor Authentication QR codes, removing the need for an app such as Google Authenticator.
But since GateKeeper doesn’t save passwords when you first sign up for a service, there is no entry to attach the TOTP code to. There might be workarounds for this, but we found the whole thing rather frustrating.
Fortunately, the GateKeeper password manager is not central to the GateKeeper product and can be easily ignored in favor of much better password managers (many of which are free, so there’s no real loss here).
There is a lot to like here. The magic of watching your PC unlock as you walk towards it is tangible, although contactless unlocking is not really recommended in any environment where there is a risk that the physical token may be stolen.
GateKeeper is probably therefore most useful as a 2FA system, placing it in competition with the likes of YubiKey. As such, it has some distinct advantages. Contactless 2FA authentication is undoubtedly easier and quicker than having to plug in a USB device and is also likely to save considerable wear and tear on your PC’s USB ports.
Although this may change, the current lack of support for macOS Catalina (let alone Linux) is likely to be a sticking point for many. But if you (or your company) are heavily Windows-focused, then GateKeeper provides a very convenient way to improve login security.
The system, therefore, provides 2-factor authentication for logging into a PC if used in conjunction with a PIN, or automatic touchless login if used on its own. The latter option is definitely less secure, but is pretty neat all the same. Overall, it's a handy device that offers faster and more effective security as a 2FA tool.