
Several types of security tokens.
Identita LED Display Card
A security token (or sometimes a hardware token, hard token, authentication token, USB token, cryptographic token, or key fob) may be a physical device that an authorized user of computer services is given to ease authentication. The term may also refer to software tokens.
Security tokens are used to prove one's identity electronically (as
in the case of a customer trying to access their bank account). The
token is used in addition to or in place of a password to prove
that the customer is who they claim to be. The token acts like an
electronic key to access something.
Hardware tokens are typically small enough to be carried in a pocket or purse and are often designed to attach to the user's keychain. Some may store cryptographic keys, such as a digital signature, or biometric data, such as fingerprint minutiae. Some designs feature tamper-resistant packaging, while others may include a small keypad to allow entry of a PIN, or a simple button to start a generating routine, with some display capability to show a generated key number. Special designs include a USB connector, RFID functions or a Bluetooth wireless interface to enable transfer of a generated key number sequence to a client system.
Token types and usage
There are four types of tokens:
- Static Password
- Synchronous Dynamic Password
- Asynchronous Password
- Challenge Response
This article currently focuses on Synchronous Dynamic Password tokens.
The simplest security tokens do not need any connection to a computer. The client enters the number displayed on the token (second security factor) on a local keyboard, usually along with a PIN (first security factor), when asked to do so.
Other tokens connect to the computer using wireless techniques, such as Bluetooth. These tokens transfer a key sequence to the local client or to a nearby access point. Alternatively, a newer form of token that is coming into the mainstream is the mobile device, communicated with over an out-of-band channel (such as voice, SMS or USSD), which makes authentication and identity protection much stronger than conventional simple Synchronous Dynamic Password tokens.
Still other tokens plug into the computer. For these one must:
- Connect the token to the computer using an appropriate input device
- Enter the PIN if necessary
Depending on the type of the token, the computer OS will now either
- read the key from the token and perform the cryptographic operation on it, or
- ask the token's firmware to perform this operation
A related application is the hardware dongle required by some computer programs to prove ownership of the software. The dongle is placed in an input device and the software accesses the I/O device in question to authorize the use of the software in question.
Minimum requirement
1. Option 1 (for zero installation and excluded tokens): The minimum requirement of any token is at least an inherent unique identity in a protected memory that cannot be tampered with and preferably is not openly accessible to applications other than those offered by the token vendor or another trusted organization.
2. Option 2 (for out-of-band tokens): The minimum requirement of this form of token is connectivity from another medium, such as a mobile network for USSD, SMS and voice. All that is needed is a registered telephone / mobile number.
Digital signature
Trusted as a regular hand-written signature, the digital signature must be made with a private key known only to the person authorized to make the signature. Tokens that allow secure on-board generation and storage of private keys enable secure digital signatures, and can also be used for user authentication, as the private key also serves as a proof of the user's identity.
For tokens to identify the user, all tokens must have some kind of number that is unique. Not all approaches fully qualify as digital signatures according to some national laws. Tokens with no on-board keyboard or other user interface cannot be used in some signing scenarios, such as confirming a bank transaction based on the bank account number that the funds are to be transferred to.
Embodiments and vendors
Tokens can contain chips with functions varying from very simple to very complex, including multiple authentication methods. Commercial solutions are provided by a variety of vendors, each with their own proprietary (and often patented) implementation of variously used security features. Token designs meeting certain security standards are certified as FIPS compliant. Tokens without any kind of certification are sometimes viewed as suspect, as they often do not meet accepted government or industry security standards, have not been put through rigorous testing, and likely cannot provide the same level of cryptographic security as token solutions which have had their designs independently audited by third-party agencies.
Disconnected tokens
Disconnected tokens have neither a physical nor logical connection
to the client computer. They typically do not require a special
input device, and instead use a built-in screen to display the
generated authentication data, which the user enters manually
themselves via a keyboard or keypad. Disconnected tokens are the
most common type of security token used (usually in combination
with a password) in two-factor authentication for online
identification.
Connected tokens
Connected tokens are tokens that must be physically connected to the client computer. Tokens in this category will automatically transmit the authentication info to the client computer once a physical connection is made, eliminating the need for the user to manually enter the authentication info. However, in order to use a connected token the appropriate input device must be installed. The most common types of physical tokens are smart cards and USB tokens, which require a smart card reader and a USB port respectively.
SmartCards
Many connected tokens use SmartCard technology. SmartCards can be very cheap (around ten cents) and contain proven security mechanisms (as used by financial institutions, like cash cards). However, the computational performance of SmartCards is often rather limited because of extremely low power consumption and ultra-thin form-factor requirements.
Contactless tokens
Contactless tokens are the third main type of physical tokens. Unlike connected tokens, they form a logical connection to the client computer but do not require a physical connection. The absence of the need for physical contact makes them more convenient than both connected and disconnected tokens. As a result, contactless tokens are a popular choice for keyless entry systems and electronic payment solutions such as Mobil Speedpass, which uses RFID to transmit authentication info from a keychain token. However, various security concerns have been raised about RFID tokens after researchers at Johns Hopkins University and RSA Laboratories discovered that RFID tags could be easily cracked and cloned. Another downside is that contactless tokens have relatively short battery lives, usually only 3–5 years, which is low compared to USB tokens, which may last up to 10 years; some tokens do allow the batteries to be changed, thus reducing costs.
Bluetooth tokens
Bluetooth tokens are often combined with a USB token, thus working in both a connected and a disconnected state. Bluetooth authentication works when closer than 32 feet (10 meters). If Bluetooth is not available, the token must be inserted into a USB input device to function.
GSM cellular phones
A new category of T-FA tools allows users to utilize their mobile phone as a security token. A Java application installed on the mobile phone performs the functions normally provided by a dedicated token. Other methods of using the cell phone include using SMS messaging, instigating an interactive telephone call, or using standard Internet protocols such as HTTP or HTTPS.
Such a method can simplify deployment, reduce logistical costs and remove the need for separate token devices. In the case of SMS options, there are trade-offs: users may incur fees for text messages or for WAP/HTTP services.
Single sign-on software tokens
Some types of Single sign-on (SSO) solutions, like enterprise single sign-on, use the token to store software that allows for seamless authentication and password filling. As the passwords are stored on the token, users need not remember their passwords and therefore can select more secure passwords, or have more secure passwords assigned.
Related authentication technologies
Enterprise single sign-on
Some Enterprise single sign-on (E-SSO) solutions use security tokens.
Two-factor authentication (T-FA)
Security tokens provide the "what you have" component in two-factor authentication and multi-factor authentication solutions. Some tokens provide up to three factors of authentication.
One-time passwords
A one-time password is a password that changes after each login, or changes after a set time interval.
Mathematical-algorithm-based one-time passwords
Another type of one-time password uses a complex mathematical algorithm, such as a hash chain, to generate a series of one-time passwords from a secret shared key. Each password is unguessable, even when previous passwords are known. The open source OATH algorithm is standardized; other algorithms are covered by U.S. patents.
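As an added illustration of the hash-chain approach described above (example code written for this article, not text from the original page and not any vendor's implementation): the token holds a secret seed and reveals the chain values in reverse order, while the server keeps only the last value it accepted and checks that hashing a candidate once reproduces it. The seed, the chain length and the choice of SHA-256 are assumptions made for the demo.

```python
import hashlib
import hmac


def _h(data: bytes) -> bytes:
    """One step of the chain; SHA-256 is an assumption for this demo."""
    return hashlib.sha256(data).digest()


def hash_times(seed: bytes, k: int) -> bytes:
    """Return h^k(seed): the hash applied k times to the seed."""
    value = seed
    for _ in range(k):
        value = _h(value)
    return value


class HashChainToken:
    """Client side: holds the secret seed and reveals h^(n-1), h^(n-2), ... one per login.

    Each revealed value is the pre-image of the one before it, so an eavesdropper who
    learns earlier passwords cannot compute later ones without inverting the hash.
    """

    def __init__(self, seed: bytes, n: int):
        self.seed = seed
        self.next_exponent = n - 1  # the server was enrolled with h^n as its anchor

    def next_password(self) -> bytes:
        if self.next_exponent < 1:
            raise RuntimeError("chain exhausted; re-enrol the token with a fresh seed")
        password = hash_times(self.seed, self.next_exponent)
        self.next_exponent -= 1
        return password


class HashChainServer:
    """Server side: stores only the last accepted value, never the seed."""

    def __init__(self, anchor: bytes, n: int):
        self.last_accepted = anchor  # h^n(seed) at enrolment
        self.remaining = n - 1       # passwords still available on this chain

    def verify(self, candidate: bytes) -> bool:
        if self.remaining <= 0:
            return False
        # Accept only if hashing the candidate once yields the stored value, then move
        # the anchor down the chain so the same value (or an older one) cannot be replayed.
        if hmac.compare_digest(_h(candidate), self.last_accepted):
            self.last_accepted = candidate
            self.remaining -= 1
            return True
        return False


def enroll(seed: bytes, n: int):
    """Provision a token/server pair sharing a chain of length n."""
    return HashChainToken(seed, n), HashChainServer(hash_times(seed, n), n)


def demo() -> dict:
    """Two logins, one replay, and an eavesdropper's forward-hash guess."""
    seed = b"constructed-demo-seed-not-a-real-secret"  # constructed sample value
    token, server = enroll(seed, 5)
    results = {}
    p1 = token.next_password()                        # h^4(seed)
    results["first_login"] = server.verify(p1)        # True: h(p1) == h^5 anchor
    results["replay"] = server.verify(p1)             # False: anchor has moved to h^4
    results["forward_guess"] = server.verify(_h(p1))  # False: hashing forward only yields older values
    p2 = token.next_password()                        # h^3(seed)
    results["second_login"] = server.verify(p2)       # True: h(p2) == h^4
    return results


if __name__ == "__main__":
    print(demo())
```

The server never learns the seed, which is what makes a compromised authentication database useless for producing future passwords; the cost is that the chain is finite and the token must be re-enrolled once it is exhausted.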
VeriSign
VeriSign Unified Authentication uses the OATH standard. The VeriSign Unified Authentication OEM is Aladdin Knowledge Systems.
Deepnet Security
Deepnet Security's Deepnet Unified Authentication Platform is a multi-factor authentication platform for provisioning, managing and verifying all types of user and host authentication methods, form-factors and user credentials, including OTP tokens, PKI certificates, biometrics and device DNA.
Aladdin Knowledge Systems' eToken NG-OTP
The Aladdin Knowledge Systems' eToken NG-OTP is a hybrid USB and one-time password token. It combines the functionality of smart card based authentication tokens with one-time password user authentication technology in detached mode.
Yubico YubiKey
The YubiKey, manufactured by Yubico, is a device that acts as a USB keyboard and provides secure authentication by a one-time password algorithm.
Virtual Tokens
Virtual Tokens are a new concept in multi-factor authentication
first introduced in 2005 by security company Sestus. Virtual tokens
work by sharing the token generation process between the internet
website and the user's computer and have the advantage of not
requiring the distribution of additional hardware or software. In
addition, since the user's device is communicating directly with
the authenticating website, the solution is resistant to
man-in-the-middle attacks and similar forms of online fraud.
Time-synchronized one-time passwords
Time-synchronized one-time passwords change constantly at a set time interval, e.g. once per minute. To do this some sort of synchronization must exist between the client's token and the authentication server. For disconnected tokens this time-synchronization is done before the token is distributed to the client; other token types do the synchronization when the token is inserted into an input device. The main problem with time-synchronized tokens is that they can, over time, become unsynchronized. However, some such systems, such as RSA's SecurID, allow the user to resynchronize the server with the token, sometimes by entering several consecutive passcodes. Most also cannot have replaceable batteries and only last up to 3 years before having to be replaced, so there is additional cost.
Event-based Token
An event-based token, by its nature, has a longer life span. They work on the one-time password principle, and so once used, the next password is generated. Often the user has a button to press to receive this new code via either a token or via an SMS message. All CRYPTOCard's tokens are event-based rather than time-based.
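As an added example covering both the time-synchronized and the event-based tokens described in the two sections above (example code written for this article; it is not the page's own text and not RSA's, CRYPTOCard's or any other vendor's implementation): the OATH HOTP (RFC 4226) and TOTP (RFC 6238) algorithms in plain Python, together with the server-side bookkeeping the text alludes to: a look-ahead window for event-based tokens whose button was pressed without a login, resynchronisation from two consecutive passcodes, and a small clock-drift tolerance with replay protection for time-based tokens. The window sizes are assumptions; the secret is the published RFC 4226 test key, so the codes can be checked against the RFC's own test vectors.

```python
import hashlib
import hmac


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


class EventTokenVerifier:
    """Server side of an event-based (HOTP) token."""

    def __init__(self, secret: bytes, look_ahead: int = 5, resync_window: int = 100):
        self.secret = secret
        self.counter = 0                     # next counter value the server expects
        self.look_ahead = look_ahead         # assumption: button presses that never reached the server
        self.resync_window = resync_window   # assumption: how far resync() will search

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # everything at or below c is now unusable: no replay
                return True
        return False

    def resync(self, code1: str, code2: str) -> bool:
        """Recover from drift beyond look_ahead using two consecutive passcodes."""
        for c in range(self.counter, self.counter + self.resync_window):
            if (hmac.compare_digest(hotp(self.secret, c), code1)
                    and hmac.compare_digest(hotp(self.secret, c + 1), code2)):
                self.counter = c + 2
                return True
        return False


class TimeTokenVerifier:
    """Server side of a time-based (TOTP) token with drift tolerance and replay protection."""

    def __init__(self, secret: bytes, step: int = 30, drift_steps: int = 1):
        self.secret = secret
        self.step = step
        self.drift_steps = drift_steps  # assumption: accept one step either side of the server clock
        self.last_step = -1             # highest time step already consumed

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for t in range(current - self.drift_steps, current + self.drift_steps + 1):
            if t <= self.last_step:
                continue  # a code from an already-used step is a replay, even if it matches
            if hmac.compare_digest(hotp(self.secret, t), code):
                self.last_step = t
                return True
        return False


# Published RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), not a real key.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(hotp(RFC_TEST_SECRET, 0), totp(RFC_TEST_SECRET, 59, digits=8))
```

The two verifier classes make the trade-off in the text concrete: the event-based server only has to remember a counter and can tolerate any number of missed presses up to its window, while the time-based server needs a clock that agrees with the token's to within the drift tolerance, and must remember the last step it accepted so that a code observed during its 30-second lifetime cannot be used twice.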
Booleansoft
Booleansoft tokens synchronize with the authentication server when inserted into an input device like a USB input device or a CD-ROM drive. US patent pending technology.
Aradiom SolidPass
SolidPass, developed by Aradiom, is a mobile Java phone based security token that provides a time-based one-time password algorithm for secure authentication, and also offers challenge-response based signing, including transaction signing and an additional security question.
BRToken SafeSIGNATURE
The SafeSIGNATURE token, developed by the Brazilian company BRToken, was one of the first to provide support for the TOTP algorithm, defined by the OATH (Initiative For Open Authentication), an extension of the HOTP algorithm, but time-based. It also has the capacity of reading transaction data from any type of screen or projection, displaying it on the token screen, and generating an electronic signature based on the public OCRA algorithm.
CAT (Cellular Authentication Token)
The CAT token, developed by the New Zealand company Mega AS Consulting Ltd, was the first to market a cellular J2ME based soft token. The CAT uses an OATH compliant time-based one-time password (TOTP) algorithm for strong authentication, and also offers encrypted messaging and an encrypted document delivery system. The CAT is a multi-token management system. Using a unique process, the CAT is secured on the cellular device (or PDA, Blackberry, Windows OS).
Entrust IdentityGuard Mini Token
Entrust offers two variants of their OTP token: the Entrust IdentityGuard Mini Token OE and the Entrust IdentityGuard Mini Token AT. The Entrust IdentityGuard Mini Token OE provides event-based one-time passwords using the standards-based HOTP algorithm endorsed by the Initiative for Open Authentication (OATH), providing compatibility with third-party software. The Entrust IdentityGuard Mini Token AT offers time- and event-synchronous one-time passwords based on the stronger DES/3DES algorithm.
Identita Technologies Display OTP Card
Identita's LED or EINK display OTP cards display a number which changes each time the button on the card is pressed. This one-time password, along with a PIN when authenticating, allows for successful identification of the end user. Since Identita's OTP Display cards are almost always asleep except during activation, the engineering team at Identita designed an algorithm which allowed for accurate OTP generation without requiring the clock on the card and the clock on the authentication server to be matched. Identita's time-based OTP generation is patent pending.
RSA Security's SecurID
RSA Security's SecurID displays a number which changes at a set interval. The client enters the one-time password along with a PIN when authenticating. US patented technology.
Vasco's DigiPass
VASCO's Digipass series have either a small keyboard where the user can enter a PIN or a single button; in addition, it generates a new one-time password after a pre-set time. US patents: 4599489 and 4609777.
KerPass UST
KerPass provides time-synchronous OATH one-time passwords on mobile phones. A new password is generated every 30 seconds. KerPass uses an exclusive server-side password validation technology that makes it possible to use a KerPass password in the context of a zero-knowledge password proof algorithm like SPEKE or SRP. This combination renders password authentication insensitive to man-in-the-middle attacks.
Secure Computing's Safeword
Secure Computing's Safeword is a hardware device that will display a passcode when a button on the device is pressed. A barcode and serial number on the back of the device are used by administrators to synchronize the devices with the authentication system. The Safeword system can be event-based or time-based. Each press of the button will display a new passcode, and once a passcode is used for authentication, combined with the user's PIN, it and all the passcodes generated before it cannot be reused. Time-based tokens display a different passcode every 20 seconds or less, depending on how the user wants it.
Smart DisplayCard
The Smart DisplayCard by ActivIdentity is a combination security token and smart card. A single button on the card displays a one-time password on a small liquid crystal display when pressed. This device uses an OATH compliant event-based algorithm to generate OTPs. The embedded smart chip provides standard smart card PKI capabilities, typically email encryption and digital signatures. The display card portion of the product is produced by NagraID.
PC cards
PC card tokens are made to only work with laptops. Type II PC Cards are preferred as a token as they are half as thick as Type III.
Mykotronx Corp.
Mykotronx Corp. (a division of SafeNet) makes the Fortezza card token for laptops with a PC card.
Smart cards
Smart cards are relatively inexpensive compared to other tokens. There is also significant wear and tear on the smart cards themselves because of the friction on the electronic contacts when the card is inserted. This has the potential to reduce the lifespan of a smart card token.
Universal Serial Bus (USB)
The Universal Serial Bus has become a standard in computers today; USB tokens are therefore often a cheaper alternative than other tokens needing a special input device.
Booleansoft
Booleansoft has several types of USB tokens, some including fingerprint biometrics. Each client that requires secure authentication is supplied with a personal security token. When the USB token is inserted into a PC's USB port, a software program stored on the token (called the 'token software') is automatically started. The token software lets the user generate new one-time passwords and digital signatures to access a remote resource for authentication purposes.
VeriSign
VeriSign offers several different token
types, from security cards to voice passcodes, as part of their
Unified Authentication services. A custom-branded version of their
One-Time Password (OTP) Token is used by PayPal and eBay as an
extra layer of authentication for consumers when logging in to
their websites.
Smart Card Based USB tokens
Smart-card-based USB tokens, which contain a smart card chip inside, provide the functionality of both USB tokens and smart cards. They enable a broad range of security solutions and provide the abilities and security of a traditional smart card without requiring a unique input device. From the computer operating system's point of view such a token is a USB-connected smart card reader with one non-removable smart card present. Some of these tokens are also made to support the NIST standard for Personal Identity Verification (PIV).
Other token types
Some use a special-purpose interface (e.g. the crypto ignition key deployed by the United States National Security Agency). Tokens can also be used as a photo ID card. Cell phones and PDAs can also serve as security tokens with proper programming. Booleansoft provides CD tokens, some the size of a standard credit card.