Security token

From Wikipedia, the free encyclopedia
Device used to gain access to restricted resource
A radio-frequency identification card used to open a door.

A security token is a peripheral device used to gain access to an electronically restricted resource. The token is used in addition to, or in place of, a password.[1] Examples of security tokens include wireless key cards used to open locked doors, a banking token used as a digital authenticator for signing in to online banking, or signing transactions such as wire transfers.

Security tokens can be used to store information such as passwords, cryptographic keys used to generate digital signatures, or biometric data (such as fingerprints). Some designs incorporate tamper-resistant packaging, while others may include small keypads to allow entry of a PIN, or a simple button that starts a generation routine together with a display that shows the generated key number. Connected tokens use a variety of interfaces, including USB, near-field communication (NFC), radio-frequency identification (RFID), or Bluetooth. Some tokens have audio capabilities designed for those who are vision-impaired.

Password types

Example of keypad issued by a bank.

All tokens contain some secret information used to prove identity. There are four different ways in which this information can be used:

Static password token
The device contains a password that is physically hidden (not visible to the possessor), but is transmitted for each authentication. This type is vulnerable to replay attacks.
Synchronous dynamic password token
A timer is used to rotate through various combinations produced by a cryptographic algorithm. The token and the authentication server must have synchronized clocks.
Asynchronous password token
A one-time password is generated without the use of a clock, either from a one-time pad or a cryptographic algorithm.
Challenge–response token
Using public key cryptography, it is possible to prove possession of a private key without revealing that key. The authentication server encrypts a challenge (typically a random number, or at least data with some random parts) with a public key; the device proves it possesses a copy of the matching private key by providing the decrypted challenge.

Time-synchronized one-time passwords change constantly at a set time interval, e.g. once per minute. To do this, some sort of synchronization must exist between the client's token and the authentication server. For disconnected tokens, this time synchronization is done before the token is distributed to the client. Other token types do the synchronization when the token is inserted into an input device. The main problem with time-synchronized tokens is that they can, over time, become unsynchronized.[2] However, some such systems, such as RSA's SecurID, allow the user to re-synchronize the server with the token, sometimes by entering several consecutive passcodes. Most also cannot have replaceable batteries and only last up to 5 years before having to be replaced, so there is an additional cost.[3]

Another type of one-time password uses a complex mathematical algorithm, such as a hash chain, to generate a series of one-time passwords from a secret shared key. Each password is unique, even when previous passwords are known. The open-source OATH algorithm is standardized;[citation needed] other algorithms are covered by US patents. Each password is observably unpredictable and independent of previous ones, so an adversary cannot guess what the next password will be, even with knowledge of all previous passwords.
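The following is an added example, not code from the Wikipedia article or from any token vendor: a Python verifier for OATH-style time-synchronized one-time passwords (HOTP per RFC 4226, TOTP per RFC 6238) that tolerates the small clock drift described above and re-synchronizes a badly drifted token from two consecutive passcodes, as SecurID-style systems do. The seed, the 60-second step, the window sizes and the function names are constructed for this illustration.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo seed; a real token's seed is provisioned by the issuer.
SECRET = b"constructed-demo-seed-0123"
STEP = 60      # the article's example interval: one new code per minute
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, offset_steps: int = 0) -> str:
    """RFC 6238 TOTP: the counter is the number of STEP-second intervals since the epoch."""
    return hotp(secret, now // STEP + offset_steps)


def verify(secret: bytes, code: str, now: int, drift: int, window: int = 1):
    """Server-side check. `drift` is the per-token clock offset (in steps) recorded at
    the last successful login; codes within +/-window steps of the drift-corrected
    time are accepted. Returns (accepted, updated_drift) so slow drift is tracked."""
    for delta in range(-window, window + 1):
        candidate = totp(secret, now, drift + delta)
        if hmac.compare_digest(candidate, code):
            return True, drift + delta
    return False, drift


def resync(secret: bytes, code1: str, code2: str, now: int, max_steps: int = 100):
    """Re-synchronise a token that has drifted outside the normal window from two
    consecutive passcodes: search a wide range, but require both codes to match
    adjacent steps so a single guessed code cannot move the stored drift."""
    base = now // STEP
    for delta in range(-max_steps, max_steps + 1):
        if (hmac.compare_digest(hotp(secret, base + delta), code1)
                and hmac.compare_digest(hotp(secret, base + delta + 1), code2)):
            return True, delta
    return False, 0


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(SECRET, now))
    print("token one step slow:", verify(SECRET, totp(SECRET, now, -1), now, drift=0))
```

In a real deployment the server must also record the last counter it accepted for each token and refuse anything at or below it, otherwise a code observed in transit can be replayed within the window.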

Physical types


Tokens can contain chips with functions varying from very simple to very complex, including multiple authentication methods.

The simplest security tokens do not need any connection to a computer. The tokens have a physical display; the authenticating user simply enters the displayed number to log in. Other tokens connect to the computer using wireless techniques, such as Bluetooth. These tokens transfer a key sequence to the local client or to a nearby access point.[4]

Alternatively, another form of token that has been widely available for many years is a mobile device which communicates using an out-of-band channel (like voice, SMS, or USSD).

Still other tokens plug into the computer and may require a PIN. Depending on the type of the token, the computer OS will then either read the key from the token and perform a cryptographic operation on it, or ask the token's firmware to perform this operation.[citation needed]

A related application is the hardware dongle required by some computer programs to prove ownership of the software. The dongle is placed in an input device, and the software accesses that I/O device to authorize the use of the software.

Commercial solutions are provided by a variety of vendors, each with their own proprietary (and often patented) implementation of variously used security features. Token designs meeting certain security standards are certified in the United States as compliant with FIPS 140, a federal security standard.[5] Tokens without any kind of certification are sometimes viewed as suspect, as they often do not meet accepted government or industry security standards, have not been put through rigorous testing, and likely cannot provide the same level of cryptographic security as token solutions which have had their designs independently audited by third-party agencies.[citation needed]

Disconnected tokens

A disconnected token. The number must be copied into the PASSCODE field by hand.

Disconnected tokens have neither a physical nor a logical connection to the client computer. They typically do not require a special input device, and instead use a built-in screen to display the generated authentication data, which the user enters manually via a keyboard or keypad. Disconnected tokens are the most common type of security token used (usually in combination with a password) in two-factor authentication for online identification.[6]

Connected tokens


Connected tokens are tokens that must be physically connected to the computer with which the user is authenticating. Tokens in this category automatically transmit the authentication information to the client computer once a physical connection is made, eliminating the need for the user to enter the authentication information manually. However, in order to use a connected token, the appropriate input device must be installed. The most common types of physical tokens are smart cards and USB tokens (also called security keys), which require a smart card reader and a USB port respectively. Increasingly, FIDO2 tokens, supported by the open specification group FIDO Alliance, have become popular with consumers, with mainstream browser support beginning in 2015 and support from popular websites and social media sites.[citation needed]

Older PC card tokens are made to work primarily with laptops. Type II PC Cards are preferred as a token as they are half as thick as Type III.

The audio jack port is a relatively practical method to establish a connection between mobile devices, such as iPhone, iPad and Android, and other accessories.[citation needed] The most well known device is called Square, a credit card reader for iOS and Android devices.

Some use a special-purpose interface (e.g. the crypto ignition key deployed by the United States National Security Agency). Tokens can also be used as a photo ID card. Cell phones and PDAs can also serve as security tokens with proper programming.

Smart cards

Main article: Smart card

Many connected tokens use smart card technology. Smart cards can be very cheap (around ten cents)[citation needed] and contain proven security mechanisms (as used by financial institutions, like cash cards). However, the computational performance of smart cards is often rather limited because of extremely low power consumption and ultra-thin form-factor requirements.

Smart-card-based USB tokens, which contain a smart card chip inside, provide the functionality of both USB tokens and smart cards. They enable a broad range of security solutions and provide the abilities and security of a traditional smart card without requiring a unique input device. From the computer operating system's point of view such a token is a USB-connected smart card reader with one non-removable smart card present.[7]

Contactless tokens


Unlike connected tokens, contactless tokens form a logical connection to the client computer but do not require a physical connection. The absence of the need for physical contact makes them more convenient than both connected and disconnected tokens. As a result, contactless tokens are a popular choice for keyless entry systems and electronic payment solutions such as Mobil Speedpass, which uses RFID to transmit authentication info from a keychain token.[citation needed] However, there have been various security concerns raised about RFID tokens after researchers at Johns Hopkins University and RSA Laboratories discovered that RFID tags could be easily cracked and cloned.[8]

Another downside is that contactless tokens have relatively short battery lives, usually only 5–6 years, which is low compared to USB tokens, which may last more than 10 years.[citation needed] Some tokens, however, do allow the batteries to be changed, thus reducing costs.

Bluetooth tokens


The Bluetooth Low Energy protocols allow wireless transmission with a long battery life.

  • Transmitting only the device's inherent Bluetooth identity data is the weakest basis for authentication.
  • A bidirectional connection for exchanging transaction data supports the most sophisticated authentication procedures.

Automatic transmission power control can also be used to estimate radial distance. Separately from the standardised Bluetooth power control algorithm, the minimally required transmission power can be calibrated.[9]

Bluetooth tokens are often combined with a USB token, thus working in both a connected and a disconnected state. Bluetooth authentication works when closer than 32 feet (9.8 meters). When the Bluetooth link is not properly operable, the token may be inserted into a USB input device to function.

Another combination is with a smart card to store locally larger amounts of identity data and process information as well.[10] Another is a contactless BLE token that combines secure storage and tokenized release of fingerprint credentials.[11]

In the USB mode of operation, signing off requires attention to the token while it is mechanically coupled to the USB plug. The advantage of the Bluetooth mode of operation is the option of combining sign-off with distance metrics. Respective products are in preparation, following the concept of an electronic leash.

NFC tokens


Near-field communication (NFC) tokens combined with a Bluetooth token may operate in several modes, thus working in both a connected and a disconnected state. NFC authentication works when closer than 1 foot (0.3 meters).[citation needed] The NFC protocol bridges the short distance to the reader, while the Bluetooth connection serves to provide data from the token to enable authentication. When the Bluetooth link is not connected, the token may serve the locally stored authentication information to the NFC reader with only coarse positioning, relieving the user from positioning it exactly in a connector.[citation needed]

Single sign-on software tokens


Some types of single sign-on (SSO) solutions, like enterprise single sign-on, use the token to store software that allows for seamless authentication and password filling. As the passwords are stored on the token, users need not remember their passwords and therefore can select more secure passwords, or have more secure passwords assigned. Most tokens store a cryptographic hash of the password so that, if the token is compromised, the password is still protected.[12]

Programmable tokens


Programmable tokens are marketed as "drop-in" replacements for mobile applications such as Google Authenticator (miniOTP[13]). They can be used as a mobile app replacement, as well as in parallel as a backup.

Vulnerabilities


Loss and theft


The simplest vulnerability with any password container is theft or loss of the device. The chances of this happening, or of it happening unnoticed, can be reduced with physical security measures such as locks, an electronic leash, or a body sensor and alarm. Stolen tokens can be made useless by using two-factor authentication. Commonly, in order to authenticate, a personal identification number (PIN) must be entered at the same time as the output of the token.

Attacking


Any system which allows users to authenticate via an untrusted network (such as the Internet) is vulnerable to man-in-the-middle attacks. In this type of attack, an attacker acts as the "go-between" of the user and the legitimate system, soliciting the token output from the legitimate user and then supplying it to the authentication system themselves. Since the token value is mathematically correct, the authentication succeeds and the fraudster is granted access. In 2006, Citibank was the victim of an attack when its hardware-token-equipped business users became the victims of a large Ukrainian-based man-in-the-middle phishing operation.[14][15]

Breach of codes


In 2012, the Prosecco research team at INRIA Paris-Rocquencourt developed an efficient method of extracting the secret key from several PKCS #11 cryptographic devices.[16][17] These findings were documented in INRIA Technical Report RR-7944, ID hal-00691958,[18] and published at CRYPTO 2012.[19]

Digital signature


Trusted as a regular hand-written signature, the digital signature must be made with a private key known only to the person authorized to make the signature. Tokens that allow secure on-board generation and storage of private keys enable secure digital signatures, and can also be used for user authentication, as the private key also serves as a proof of the user's identity.

For tokens to identify the user, all tokens must have some kind of number that is unique. Not all approaches fully qualify as digital signatures according to some national laws.[citation needed] Tokens with no on-board keyboard or another user interface cannot be used in some signing scenarios, such as confirming a bank transaction based on the bank account number that the funds are to be transferred to.

References

  1. ^ Schink, Marc; Wagner, Alexander; Unterstein, Florian; Heyszl, Johann (2021-07-09). "Security and Trust in Open Source Security Tokens". IACR Transactions on Cryptographic Hardware and Embedded Systems: 176–201. doi:10.46586/tches.v2021.i3.176-201. ISSN 2569-2925. S2CID 235349083.
  2. ^ RD, Token2 (2019-01-07). "Time drift: a major downside of TOTP hardware tokens". Medium. Retrieved 2020-11-21.
  3. ^ "Time Drift in TOTP Hardware Tokens Explained and Solved - Protectimus Solutions". Protectimus. 2019-06-03. Retrieved 2020-11-21.
  4. ^ "2.3.3: Authentication Methods - Security Tokens". Engineering LibreTexts. 2021-01-15. Retrieved 2023-05-08.
  5. ^ National Institute of Standards and Technology (April 2019). Security requirements for cryptographic modules (PDF) (Report). Gaithersburg, MD: National Institute of Standards and Technology. doi:10.6028/nist.fips.140-3.
  6. ^ de Borde, Duncan (2007-06-28). "Two-factor authentication" (PDF). Siemens Insight Consulting. Archived from the original (PDF) on 2012-01-12. Retrieved 2009-01-14.
  7. ^ Specification for Integrated Circuit(s) Cards Interface Devices. Archived 2005-12-29 at the Wayback Machine, usb.org.
  8. ^ Biba, Erin (2005-02-14). "Does Your Car Key Pose a Security Risk?". PC World. Archived from the original on 2011-06-05. Retrieved 2009-01-14.
  9. ^ "Verfahren zum Steuern der Freigabe einer Einrichtung oder eines Dienstes, als Master ausgebildete Sendeempfangseinrichtung sowie System mit derartiger Einrichtung". dpma.de. Retrieved 16 April 2018.
  10. ^ "cgToken | certgate". www.certgate.com. Archived from the original on 2013-10-09.
  11. ^ "Biometric U2F OTP Token - HYPR". HYPR Corp. Retrieved 16 April 2018.
  12. ^ "2.3.3: Authentication Methods - Security Tokens". Engineering LibreTexts. 2021-01-15. Retrieved 2024-11-21.
  13. ^ Programmable hardware tokens Token2 miniOTP.
  14. ^ Leyden, John (2006-07-13). "Phishers rip into two-factor authentication". The Register. Retrieved 2018-09-25.
  15. ^ Krebs, Brian (July 10, 2006). "Citibank Phish Spoofs 2-Factor Authentication". The Washington Post. Archived from the original on July 3, 2011. Retrieved 2018-09-25.
  16. ^ Sengupta, Somini (2012-06-25). "Computer Scientists Break Security Token Key in Record Time". New York Times. Retrieved 2012-06-25.
  17. ^ Owano, Nancy (2012-06-27). "Team Prosecco dismantles security tokens". Phys.org. Retrieved 2014-03-29.
  18. ^ "Prosecco :: Publications". Retrieved 2014-03-29.
  19. ^ "Accepted Papers CRYPTO 2012". Retrieved 2014-03-29.