
What is a license key?

posted Apr 10, 2015, 7:09 AM by Björn Spåra   [ updated Apr 15, 2015, 3:14 AM ]


A common misconception about software license keys is that the key is the license. Strictly speaking, the license is the set of rights granted to the user of the software, and the license key is simply the token that enables the copy protection scheme to verify the user as a legitimate paying customer. The basic idea is that only users who have acquired the appropriate license will be issued a license key enabling them to install or use the software.

The key itself can be a string of characters entered into the installer or the software itself, which verifies the entered key by some method of computational comparison and then continues the installation process or the execution of the software. The key can also be a hardware dongle that physically connects to the computer, making the key less vulnerable to copying. Generally speaking, circumventing copy protection schemes based on either software license keys or hardware dongles by reverse engineering the verification code is not complicated unless rigorous code protection mechanisms are put in place to obfuscate the copy protection itself. Bear in mind that all protection systems can (and will, given enough time and resources) be broken.

In recent years, copy protection schemes have evolved, and online verification is now used to check the validity of the license key. Microsoft uses software license keys to activate each instance of its software. There are two types of activation mechanism. In the first, each instance of the software is activated directly with Microsoft (or through an activation proxy), independently of the others, using a single MAK (Multiple Activation Key). The second deploys an activation server within the organisation so that individual software instances can activate internally using KMS (Key Management Service) without communicating directly with Microsoft. Upon activation, the key is checked online with Microsoft to determine its validity; keys used by unauthorised users are subsequently withdrawn, and further activation requests using the compromised key are rejected.

There are copy protection schemes that rely on a license file, which is typically some form of digitally signed certificate. There are also copy protection schemes that do not rely on a license key at all but rather on the authorization of users who authenticate to the software publisher through online or federated corporate identities. Of course, there are software publishers that do not rely on copy protection at all and simply make their software available for download.
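The signed license file mentioned above, as an added example (not code from the original post or from any publisher's scheme): a Go program in which the publisher signs a license record with Ed25519 and the product verifies it holding only the public key. The `License` fields, the `body.signature` file layout and the function names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// License is a constructed entitlement record; the field names are assumptions.
type License struct {
	Licensee string    `json:"licensee"`
	Seats    int       `json:"seats"`
	Expires  time.Time `json:"expires"`
}

var b64 = base64.RawURLEncoding

// Issue (publisher side) signs the exact serialized bytes with the private key.
func Issue(priv ed25519.PrivateKey, l License) string {
	body, _ := json.Marshal(l) // cannot fail for this struct
	return b64.EncodeToString(body) + "." + b64.EncodeToString(ed25519.Sign(priv, body))
}

// Verify (product side) holds only the public key, which cannot sign new files.
func Verify(pub ed25519.PublicKey, file string, now time.Time) (License, error) {
	parts := strings.SplitN(file, ".", 2)
	if len(parts) != 2 {
		return License{}, fmt.Errorf("malformed license file")
	}
	body, err1 := b64.DecodeString(parts[0])
	sig, err2 := b64.DecodeString(parts[1])
	if err1 != nil || err2 != nil || !ed25519.Verify(pub, body, sig) {
		return License{}, fmt.Errorf("invalid signature")
	}
	var l License // parse only after the signature over the raw bytes checks out
	if err := json.Unmarshal(body, &l); err != nil {
		return License{}, err
	}
	if now.After(l.Expires) {
		return License{}, fmt.Errorf("license expired")
	}
	return l, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	fmt.Println(Verify(pub, Issue(priv, License{"Example AB", 25, time.Now().AddDate(1, 0, 0)}), time.Now()))
}
```

The signature prevents forging or editing a license file, but as noted earlier for verification code in general, the `Verify` call itself can still be removed from an unprotected binary.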

Some people would argue that the management of software license keys is the responsibility of the ITAM/SAM department. And they would be right from a certain perspective. License keys must be managed and if the ITAM/SAM department manages the license, why not the license key? Issuing a license key for each software installation sounds like a pretty good control, right? Wrong!

The majority of software license non-compliance issues are the result of over-deploying prepackaged software where the license key is already entered, or of changes in hardware configuration or user authorization, where the license key does little to help. When installing software requiring a license key, 9 out of 10 IT professionals will save the key for another time. In fact, the license key is completely useless from a control perspective and should be eradicated entirely. Software publishers wishing to combat non-compliance in the enterprise space would be better off building tools, embedded in their software products, that report license usage directly to the offending customer.

So who should manage the license key?

The people who perform software packaging/installations, of course.