A security token (or sometimes a hardware token, authentication token, USB token, cryptographic token, software token, virtual token, or key fob) may be a physical device that an authorized user of computer services is given to ease authentication. The term may also refer to software tokens.
Security tokens are used to prove one's identity electronically (as in the case of a customer trying to access their bank account). The token is used in addition to or in place of a password to prove that the customer is who they claim to be. The token acts like an electronic key to access something.
Some may store cryptographic keys, such as a digital signature, or biometric data, such as fingerprint minutiae. Some designs feature tamper resistant packaging, while others may include small keypads to allow entry of a PIN or a simple button to start a generating routine with some display capability to show a generated key number. Special designs include a USB connector, RFID functions or Bluetooth wireless interface to enable transfer of a generated key number sequence to a client system.
Password types 
All tokens contain some secret information that are used to prove identity. There are four different ways in which this information can be used:
- Static password token. The device contains a password which is physically hidden (not visible to the possessor), but which is transmitted for each authentication. This type is vulnerable to replay attacks.
- Synchronous dynamic password token. A timer is used to rotate through various combinations produced by a cryptographic algorithm. The token and the authentication server must have synchronized clocks.
- Asynchronous password token. A one-time password is generated without the use of a clock, either from a one-time pad or cryptographic algorithm.
- Challenge response token. Using public key cryptography, it is possible to prove possession of a private key without revealing that key. The server sends a challenge to which it knows the correct response because it possesses a copy of the private key; the device proves it possesses a copy of the same key by providing the same response.
Time-synchronized one-time passwords 
Time-synchronized one-time passwords change constantly at a set time interval, e.g. once per minute. To do this some sort of synchronization must exist between the client's token and the authentication server. For disconnected tokens this time-synchronization is done before the token is distributed to the client. Other token types do the synchronization when the token is inserted into an input device. The main problem with time-synchronized tokens is that they can, over time, become unsynchronized. However, some such systems, such as RSA's SecurID, allow the user to resynchronize the server with the token, sometimes by entering several consecutive passcodes. Most also cannot have replaceable batteries and only last up to 5 years before having to be replaced - so there is additional cost.
Mathematical-algorithm-based one-time passwords 
Another type of one-time password uses a complex mathematical algorithm, such as a hash chain, to generate a series of one-time passwords from a secret shared key. Each password is unguessable, even when previous passwords are known. The open source OATH algorithm is standardized; other algorithms are covered by U.S. patents. Each new password is unique, so an unauthorized user would be unable to guess what the new password may be, based on previously used passwords.
Physical types 
Tokens can contain chips with functions varying from very simple to very complex, including multiple authentication methods.
The simplest security tokens do not need any connection to a computer. The tokens have a physical display; the authenticating user simply enters the displayed number to log in. Other tokens connect to the computer using wireless techniques, such as Bluetooth. These tokens transfer a key sequence to the local client or to a nearby access point.
Still other tokens plug into the computer, and may require a PIN. Depending on the type of the token, the computer OS will then either read the key from token and perform cryptographic operation on it, or ask the token's firmware to perform this operation
A related application is the hardware dongle required by some computer programs to prove ownership of the software. The dongle is placed in an input device and the software accesses the I/O device in question to authorize the use of the software in question.
Commercial solutions are provided by a variety of vendors, each with their own proprietary (and often patented) implementation of variously used security features. Token designs meeting certain security standards are certified in the United States as compliant with FIPS 140, a federal security standard. Tokens without any kind of certification are sometimes viewed as suspect, as they often do not meet accepted government or industry security standards, have not been put through rigorous testing, and likely cannot provide the same level of cryptographic security as token solutions which have had their designs independently audited by third-party agencies.
Disconnected tokens 
Disconnected tokens have neither a physical nor logical connection to the client computer. They typically do not require a special input device, and instead use a built-in screen to display the generated authentication data, which the user enters manually themselves via a keyboard or keypad. Disconnected tokens are the most common type of security token used (usually in combination with a password) in two-factor authentication for online identification.
Connected tokens 
Connected tokens are tokens that must be physically connected to the computer with which the user is authenticating. Tokens in this category automatically transmit the authentication information to the client computer once a physical connection is made, eliminating the need for the user to manually enter the authentication information. However, in order to use a connected token, the appropriate input device must be installed. The most common types of physical tokens are smart cards and USB tokens, which require a smart card reader and a USB port respectively.
The audio jack port is a relatively practical method to establish connection between mobile devices, such as iPhone, iPad and Android, and other accessories. The most well known device is called Square, a credit card reader for iPhone and Android.
Some use a special purpose interface (e.g. the crypto ignition key deployed by the United States National Security Agency). Tokens can also be used as a photo ID card. Cell phones and PDAs can also serve as security tokens with proper programming.
Smart cards 
Many connected tokens use smart card technology. Smart cards can be very cheap (around ten cents) and contain proven security mechanisms (as used by financial institutions, like cash cards). However, computational performance of smart cards is often rather limited because of extreme low power consumption and ultra thin form-factor requirements.
Smart-card-based USB tokens which contain a smart card chip inside provide the functionality of both USB tokens and smart cards. They enable a broad range of security solutions and provide the abilities and security of a traditional smart card without requiring a unique input device. From the computer operating system's point of view such a token is a USB-connected smart card reader with one non-removable smart card present.
Virtual tokens 
Virtual tokens are similar to a connected token, but with significant differences. Like connected tokens, virtual tokens are a physical device connected to the authenticating server, however, the connected device is the client computer or mobile device, not a traditional hardware token. No hardware or software must be distributed to the end user. Virtual tokens uses the user's existing device as the possession factor, reducing the costs normally associated with implementation and maintenance of security tokens. Processing occurs "server-side" and facilitates the retrieval of one-time-use digitally-signed keys and other information from a connected device using Internet-standard HTTP/HTTPS delivery methods. The retrieved key is then authenticated against the connecting device's digital fingerprint, the user's account details, and other data. Since the authenticating server is communicating directly with the connected device, the method is not as prone to man-in-the-middle attacks as other methods.
Contactless tokens 
Contactless tokens are the third main type of physical tokens. Unlike connected tokens, they form a logical connection to the client computer but do not require a physical connection. The absence of the need for physical contact makes them more convenient than both connected and disconnected tokens. As a result contactless tokens are a popular choice for keyless entry systems and electronic payment solutions such as Mobil Speedpass, which uses RFID to transmit authentication info from a keychain token. However, there have been various security concerns raised about RFID tokens after researchers at Johns Hopkins University and RSA Laboratories discovered that RFID tags could be easily cracked and cloned. Another downside is that contactless tokens have relatively short battery lives; usually only 3–5 years, which is low compared to USB tokens which may last more than 10 years. Though some tokens do allow the batteries to be changed, thus reducing costs.
Bluetooth tokens 
Bluetooth tokens are often combined with a USB token, thus working in both a connected and a disconnected state. Bluetooth authentication works when closer than 32 feet (10 meters). If the Bluetooth is not available, the token must be inserted into a USB input device to function.
In the USB mode of operation sign off required care for the token while mechanically coupled to the USB plug. The advantage with the Bluetooth mode of operation is the option of combining sign-off with a distance metrics. Respective products are in preparation, following the concepts of electronic leash.
GSM cellular phones 
A new category of T-FA tools allows users to utilize their mobile phone as a security token. A Java application installed on the mobile phone performs the functions normally provided by a dedicated token. Other methods of using the cell phone include using SMS messaging, instigating an interactive telephone call, or using standard Internet protocols such as HTTP or HTTPS.
Such a method can simplify deployment, reduce logistical costs and remove the need for separate token devices. In the case of SMS options, there are trade-offs: users may incur fees for text messages or for WAP/HTTP services.
Single sign-on software tokens 
Some types of Single sign-on (SSO) solutions, like enterprise single sign-on, use the token to store software that allows for seamless authentication and password filling. As the passwords are stored on the token, users need not remember their passwords and therefore can select more secure passwords, or have more secure passwords assigned.
Mobile device tokens 
Mobile devices tokens use a mobile computing device such as a smart phone or tablet computer as the authentication device. This provides secure two-factor authentication that does not require the user to carry around an additional physical device. Some vendors offer a mobile device authentication solution that uses a cryptographic key for user authentication. This provides a high level of security protection including protection from a Man-in-the-middle attack, which can occur from a rogue Hotspot (Wi-Fi).
The simplest vulnerability with any password container is theft or loss of the device. The chances of this happening, or happening unawares, can be reduced with physical security measures such as locks, electronic leash, or body sensor and alarm. Stolen tokens can be made useless by using two factor authentication. Commonly, in order to authenticate, a personal identification number (PIN) must be entered along with the information provided by the token the same time as the output of the token.
Any system which allows users to authenticate via an untrusted network (such as the Internet) is vulnerable to man-in-the-middle attacks. In this type of attack, a fraudster acts as the "go-between" the user and the legitimate system, soliciting the token output from the legitimate user and then supplying it to the authentication system themselves. Since the token value is mathematically correct, the authentication succeeds and the fraudster is granted access. Citibank made headline news in 2006 when its hardware-token-equipped business users became the victims of a large Ukrainian-based man-in-the-middle phishing attack.
In June, 2012, a team of computer scientists claimed to have developed a method of quickly extracting the secret key generated by several RSA dongles including the SecurID 800. Calling themselves "Team Prosecco," the group published a research paper documenting their findings which they planned to present at a cryptography conference in August, 2012. [needs update]
Digital signature 
Trusted as a regular hand-written signature, the digital signature must be made with a private key known only to the person authorized to make the signature. Tokens that allow secure on-board generation and storage of private keys enable secure digital signatures, and can also be used for user authentication, as the private key also serves as a proof for the user’s identity.
For tokens to identify the user, all tokens must have some kind of number that is unique. Not all approaches fully qualify as digital signatures according to some national laws. Tokens with no on-board keyboard or another user interface cannot be used in some signing scenarios, such as confirming a bank transaction based on the bank account number that the funds are to be transferred to.
Notable vendors and models 
- VASCO Data Security International - Digipass
- RSA - SecurID
- ArrayShield Technologies - ArrayShield displays a grid of changing characters; instead of a PIN, the user remembers a pattern of squares, from which they selectively read the characters.
- YubiCo - YubiKey
- Aladdin Knowledge Systems - eToken, some branded for Verisign
- KeyVault - USB tokens and mobile device products
- DeepNet Security
- Duo Security
- Musbe, Inc. - Swekey
- Aradiom - SolidPass
- BRToken - SafeSIGNATURE
- Entrust - IdentityGuard Mini Token
- Identita Technologies - Display OTP Card
- JF Secure - Digital Display FLN Token
- KerPass UST
- NagraID Security - Touch Display Card
- Secure Computing - Safeword
- SecuTech - UniOTP Tokens - audio jack for mobile devices
- ActivIdentity - Smart DisplayCard
- Feitian Technologies - cSeries OTP hardware tokens
- Mykotronx - Fortezza
- Kobil - mIDentity
See also 
|Wikimedia Commons has media related to: OTP tokens|
- Hardware Security Module
- Identity management
- Initiative For Open Authentication
- Mobile signature
- Multi-factor authentication
- Mutual authentication
- One-time pad
- Single sign-on
- Software token
- de Borde, Duncan (2007-06-28). "Two-factor authentication". Siemens Insight Consulting. Retrieved 2009-01-14.
- Specification for Integrated Circuit(s) Cards Interface Devices, usb.org
- Kenyon, Henry S. Virtual Token Leaves No Footprint. AFCEA International, 2002, p. 1.
- Maraes, Ricardo. VTP-CSMA: A Virtual Token Passing Approach for Real-Time Communication in IEEE 802.11 Wireless Networks . IEEE Transactions on Industrial Informatics, 2007 Aug, p. 1.
- Jeong, Youn-Kwae Kwae. A virtual token dual bus protocol for the interconnection network in CDMA mobile communication system. Third IEEE Symposium on Computers and Communications, 30 June 1998, p. 1.
- J Iturralde, Mauricio. Performance Study of Multimedia Services Using Virtual Token Mechanism for Resource Allocation in LTE Networks. Fall 2011 Vehicular Technology Conference. ISCC, 5 Sept 2011, p. 1.
- Biba, Erin (2005-02-14). "Does Your Car Key Pose a Security Risk?". PC World. Retrieved 2009-01-14.
- Somini Sengupta (2012-06-25). "Computer Scientists Break Security Token Key in Record Time". New York Times. Retrieved 2012-06-25.
- General references