Security token
A security token may be a physical device that an authorized user of computer services is given to ease authentication. The term may also refer to software tokens: two-factor authentication credentials that are stored on a general-purpose device such as a desktop computer, laptop, PDA, or mobile phone rather than in dedicated hardware.

Security tokens are used to prove one's identity electronically (as in the case of a customer trying to access their bank account). The token is used in addition to or in place of a password to prove that the customer is who they claim to be. The token acts like an electronic key to access something.

Some may store cryptographic keys, such as the private key used to produce a digital signature, or biometric data, such as fingerprint minutiae. Some designs feature tamper-resistant packaging, while others include a small keypad to allow entry of a PIN, or a simple button that starts a generating routine, together with a display to show the generated key number. Special designs include a USB connector, RFID functions or a Bluetooth wireless interface to enable transfer of a generated key number sequence to a client system.

Token types and usage

Four types of tokens are commonly distinguished:
  1. Static password
  2. Synchronous dynamic password
  3. Asynchronous password
  4. Challenge response


This article currently focuses on synchronous dynamic password tokens.

The simplest security tokens do not need any connection to a computer. The user types the number shown on the token's display into the local keyboard (the second security factor), usually together with a PIN (the first security factor), when asked to do so. Being disconnected from the authenticating server, however, renders such tokens vulnerable to man-in-the-middle attacks: the server only learns that someone who currently knows the code is logging in, not that the code was typed into the legitimate site.

Other tokens connect to the computer using wireless techniques, such as Bluetooth. These tokens transfer a key sequence to the local client or to a nearby access point.

Alternatively, another form of token that has been widely available for many years is the mobile device, which communicates over an out-of-band channel (such as voice, SMS or USSD, the protocol GSM phones use to talk to the service provider's computers). Like physically disconnected tokens, out-of-band delivered tokens are vulnerable to man-in-the-middle attacks, since the code is still typed by the user into whatever site is in front of them.

Still other tokens plug into the computer. For these one must:
  1. Connect the token to the computer using an appropriate input device (a smart card reader or a USB port)
  2. Enter the PIN if necessary

Depending on the type of the token, the computer's operating system will now either
  • read the key from the token and perform the cryptographic operation on it, or
  • ask the token's firmware to perform this operation

Only the second design keeps the private key from ever leaving the token; in the first, malware on the host computer can copy the key while it sits in the host's memory.


Finally, a more recent approach called "virtual tokens" relies on the connection established through normal HTTP/HTTPS Internet protocols to exchange one-time, digitally signed key and token information with the connected Internet device. Its proponents claim that this reduces the risks associated with man-in-the-middle attacks while also reducing the support and administration costs typically associated with other token solutions.

A related application is the hardware dongle required by some computer programs to prove ownership of the software. The dongle is placed in an input device and the software accesses the I/O device in question to authorize its own use.

Minimum requirement

1. Option 1 (for zero-installation and disconnected tokens): The minimum requirement of any token is an inherent unique identity held in protected memory that cannot be tampered with and, preferably, is not openly accessible to applications other than those offered by the token vendor or another trusted organization.

2. Option 2 (for out-of-band tokens): The minimum requirement of this form of token is connectivity over another medium, such as a mobile network for USSD, SMS and voice. All that is needed is a registered telephone or mobile number.

Vulnerabilities

The simplest vulnerability of any password container is loss of the dedicated key device, or of the activated smartphone with the integrated key function. Such a loss cannot be remedied by any single token device within the pre-set activation time span, so it must be prevented or detected by other means, e.g. by an additional electronic leash (a small wireless appliance that raises an alarm when the token moves out of range) or a body sensor and alarm; the considerations that follow presume this.

Physically disconnected token approaches, including out-of-band approaches, are also vulnerable to man-in-the-middle attacks. In such an attack a fraudster acts as a go-between for the user and the legitimate system, soliciting the token value from the user (typically on a phishing site) and then supplying it to the real authentication system themselves. Since the token value is mathematically correct, the authentication succeeds and the fraudster is granted access. Citibank made headline news in 2006 when its hardware token-equipped business users became the victims of a large Ukrainian-based man-in-the-middle phishing attack.

Digital signature

Trusted like a regular handwritten signature, a digital signature must be made with a private key known only to the person authorized to sign. Tokens that allow secure on-board generation and storage of private keys enable secure digital signatures, and can also be used for user authentication, as the private key also serves as proof of the user's identity.

For tokens to identify the user, each token must carry some kind of unique number. Not all approaches fully qualify as digital signatures under some national laws. Tokens with no on-board keypad or other user interface cannot be used in some signing scenarios, such as confirming a bank transaction based on the account number the funds are to be transferred to, because the user has no trusted display on which to check what the token is about to sign; a compromised host computer could substitute a different transaction.
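The difference between a code that merely proves possession of the token and one that confirms a specific transaction, as an added example that is not part of the original article or of any vendor's product: a plain event-based OTP relayed by a man-in-the-middle is accepted for whatever transaction the attacker submits, whereas a code computed over the destination account and amount the user reads on the token's own display only validates that transaction. The HMAC construction, the shared secret, the counter value and the account numbers are all constructed for the illustration; the transaction-binding idea is simplified and is not the OATH OCRA algorithm.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared by token and bank server; not a real key.
SHARED_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
DIGITS = 8


def _truncate(mac: bytes, digits: int) -> str:
    """Reduce a MAC to a fixed number of decimal digits a user can type."""
    return str(int.from_bytes(mac[-4:], "big") % 10 ** digits).zfill(digits)


def plain_otp(secret: bytes, counter: int) -> str:
    """Possession-only code: depends on the counter alone, so it is valid for any transaction."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    return _truncate(mac, DIGITS)


def transaction_code(secret: bytes, counter: int, account: str, amount_cents: int) -> str:
    """Code bound to the transaction details the token shows the user before they press OK."""
    msg = struct.pack(">Q", counter) + account.encode("ascii") + b"|" + struct.pack(">Q", amount_cents)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac, DIGITS)


def bank_accepts_plain(secret: bytes, counter: int, code: str) -> bool:
    """Server check for the possession-only scheme (transaction details play no role)."""
    return hmac.compare_digest(plain_otp(secret, counter), code)


def bank_accepts_bound(secret: bytes, counter: int, account: str, amount_cents: int, code: str) -> bool:
    """Server recomputes the code over the transaction it is actually being asked to execute."""
    return hmac.compare_digest(transaction_code(secret, counter, account, amount_cents), code)


def mitm_scenario() -> tuple[bool, bool, bool]:
    """Relay attack: the user intends to pay 100.00 to INTENDED; the attacker, sitting between
    the user and the bank, substitutes 5000.00 to ATTACKER and relays whatever code the user typed."""
    intended, attacker = "DE89370400440532013000", "GB29NWBK60161331926819"  # constructed example IBANs
    counter = 42  # current event counter on both sides

    # Possession-only: the relayed code is accepted for the attacker's transaction.
    relayed = plain_otp(SHARED_SECRET, counter)
    plain_accepted = bank_accepts_plain(SHARED_SECRET, counter, relayed)

    # Transaction-bound: the user confirms what the token displayed (their own transfer).
    user_code = transaction_code(SHARED_SECRET, counter, intended, 10_000)
    attacker_tx_accepted = bank_accepts_bound(SHARED_SECRET, counter, attacker, 500_000, user_code)
    intended_tx_accepted = bank_accepts_bound(SHARED_SECRET, counter, intended, 10_000, user_code)
    return plain_accepted, attacker_tx_accepted, intended_tx_accepted


if __name__ == "__main__":
    print(mitm_scenario())  # (True, False, True)
```

The binding only helps if the account and amount the token mixes into the code are shown to the user by the token itself, not by the (possibly compromised) host; that is exactly why tokens without their own display cannot serve this scenario.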

Embodiments and vendors

Tokens can contain integrated circuits with functions varying from very simple to very complex, including multiple authentication methods. Commercial solutions are provided by a variety of vendors, each with their own proprietary (and often patented) implementation of variously used security features. Token designs meeting certain security standards are certified as FIPS compliant. Tokens without any kind of certification are sometimes viewed as suspect, as they often do not meet accepted government or industry security standards, have not been put through rigorous testing, and likely cannot provide the same level of cryptographic security as token solutions whose designs have been independently audited by third-party agencies.

Disconnected tokens

Disconnected tokens have neither a physical nor logical connection to the client computer. They typically do not require a special input device, and instead use a built-in screen to display the generated authentication data, which the user enters manually themselves via a keyboard or keypad. Disconnected tokens are the most common type of security token used (usually in combination with a password) in two-factor authentication for online identification.

Connected tokens

Connected tokens are tokens that must be physically connected to the client computer. Tokens in this category will automatically transmit the authentication info to the client computer once a physical connection is made, eliminating the need for the user to manually enter the authentication info. However, in order to use a connected token the appropriate input device must be installed. The most common types of physical tokens are smart cards and USB tokens, which require a smart card reader and a USB port respectively.

SmartCards

Many connected tokens use smart card technology. Smart cards can be very cheap (around ten cents) and contain proven security mechanisms (as used by financial institutions, e.g. in cash cards). However, the computational performance of smart cards is often rather limited because of their extremely low power consumption and ultra-thin form-factor requirements.

Contactless tokens

Contactless tokens are the third main type of physical token. Unlike connected tokens, they form a logical connection to the client computer but do not require a physical connection. The absence of the need for physical contact makes them more convenient than both connected and disconnected tokens. As a result, contactless tokens are a popular choice for keyless entry systems and electronic payment solutions such as Mobil Speedpass, which uses RFID to transmit authentication information from a keychain token. However, security concerns have been raised about RFID tokens after researchers at Johns Hopkins University and RSA Laboratories showed that the tags could be cracked and cloned (in 2005 they recovered the 40-bit key of the Texas Instruments DST transponder used by Speedpass by brute force and built a working clone).
Another downside is that contactless tokens have relatively short battery lives, usually only 3–5 years, which is low compared with USB tokens, which may last up to 10 years. Some tokens do allow the batteries to be changed, which reduces costs.

Bluetooth tokens

Bluetooth tokens are often combined with a USB token, thus working in both a connected and a disconnected state. Bluetooth authentication works when the token is closer than 32 feet (10 meters). If Bluetooth is not available, the token must be inserted into a USB input device to function.

In USB mode the user must take care of the token while it is mechanically coupled to the USB plug, and must remember to sign off. The advantage of the Bluetooth mode is the option of combining sign-off with a distance metric: the session ends when the token moves out of range. Respective products are in preparation, following the concept of the electronic leash.

GSM cellular phones

A new category of T-FA tools allows users to use their mobile phone as a security token. A Java application installed on the mobile phone performs the functions normally provided by a dedicated token. Other methods of using the cell phone include SMS messaging, initiating an interactive telephone call, or using standard Internet protocols such as HTTP or HTTPS.

Such a method can simplify deployment, reduce logistical costs and remove the need for separate token devices. In the case of SMS options, there are trade-offs: users may incur fees for text messages or for WAP/HTTP services.

Single sign-on software tokens

Some types of single sign-on (SSO) solutions, such as enterprise single sign-on, use the token to store software that allows for seamless authentication and password filling. As the passwords are stored on the token, users need not remember their passwords and therefore can select more secure passwords, or have more secure passwords assigned.

Virtual Tokens

Virtual tokens are a concept in multi-factor authentication first introduced in 2005 by the security company Sestus. Virtual tokens transmit one-time-use, digitally signed key and token information using Internet-standard HTTP/HTTPS delivery methods, reducing the costs normally associated with implementing and maintaining multi-factor solutions. Virtual tokens use the user's existing Internet device as the "something the user has" factor. Because the user's device communicates directly with the authenticating website, the vendor claims the solution does not suffer from man-in-the-middle attacks and other forms of online fraud; this holds only to the extent that the device itself, which is also the device the user browses from, is not compromised. Virtual tokens differ from soft (software) tokens in that they deploy no software to the user, which reduces support requirements and interoperability issues.

Two-factor authentication (T-FA or 2FA)

Security tokens provide the "what you have" component in two-factor authentication and multi-factor authentication solutions. Some tokens provide up to three factors of authentication, or allow different factors to be combined to create multi-factor authentication.

One-time passwords

A one-time password is a password that changes after each login, or after a set time interval, so that a captured value cannot be replayed for a later session.

Mathematical-algorithm-based one-time passwords

Another type of one-time password uses a mathematical algorithm, such as a hash chain, to generate a series of one-time passwords from a secret shared key. Each password is unique and unguessable even when previous passwords are known, so an unauthorized user who has observed earlier passwords cannot predict the next one. The OATH HOTP algorithm is an open standard (RFC 4226); other algorithms are covered by U.S. patents.
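How a hash chain yields passwords that are unguessable from their predecessors, as an added example that is not code from the original article or from any of the products it names. The token holds the seed and walks the chain backwards; the server stores only the most recently accepted value, hashes each candidate once and compares. Because the hash is one-way, knowing the password just used (h^(n-1)(seed)) does not reveal the next one (h^(n-2)(seed)); hashing the known password only moves forward along the chain, where the server will not accept it. The seed, chain length and class names are constructed for the example, and SHA-256 stands in for whichever hash a real scheme specifies.

```python
import hashlib
import hmac


def make_chain(seed: bytes, n: int) -> list[bytes]:
    """Return [h^0(seed), h^1(seed), ..., h^n(seed)] with h = SHA-256."""
    chain = [seed]
    for _ in range(n):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain


class HashChainToken:
    """Client side: holds the seed, hands out chain values from h^(n-1) down to h^0."""

    def __init__(self, seed: bytes, n: int) -> None:
        self.chain = make_chain(seed, n)
        self.next_index = n - 1

    def next_password(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("chain exhausted; re-enrol with a new seed")
        pw = self.chain[self.next_index]
        self.next_index -= 1
        return pw


class HashChainServer:
    """Server side: stores only the anchor h^n(seed) and the count of passwords left."""

    def __init__(self, anchor: bytes, n: int) -> None:
        self.last_accepted = anchor
        self.remaining = n

    def verify(self, candidate: bytes) -> bool:
        if self.remaining <= 0:
            return False
        if hmac.compare_digest(hashlib.sha256(candidate).digest(), self.last_accepted):
            self.last_accepted = candidate   # advance: the next password must hash to this one
            self.remaining -= 1
            return True
        return False


def demo() -> list[bool]:
    """Enrol a 5-password chain and exercise normal use, replay and forward-hash forgery."""
    seed = b"constructed demo seed, not a real secret"
    n = 5
    token = HashChainToken(seed, n)
    server = HashChainServer(anchor=make_chain(seed, n)[-1], n=n)  # enrolment transfers h^n only

    results = []
    p1 = token.next_password()                                   # h^4(seed)
    results.append(server.verify(p1))                            # True: first use
    results.append(server.verify(p1))                            # False: replay rejected
    results.append(server.verify(hashlib.sha256(p1).digest()))   # False: eavesdropper hashes forward
    p2 = token.next_password()                                   # h^3(seed)
    results.append(server.verify(p2))                            # True: only the seed holder can go backwards
    return results


if __name__ == "__main__":
    print(demo())  # [True, False, False, True]
```

Note that the server never holds the seed, so a database compromise yields at most the next-to-be-accepted value's hash, and the chain has a fixed length after which the user must re-enrol.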

Aladdin Knowledge Systems' eToken NG-OTP: The Aladdin Knowledge Systems eToken NG-OTP is a hybrid USB and one-time password token. It combines the functionality of smart card based authentication tokens with one-time password user authentication technology in detached mode.

Deepnet Security: Deepnet Security's Deepnet Unified Authentication Platform is a multi-factor authentication platform for provisioning, managing and verifying all types of user and host authentication methods, form-factors and user credentials, including OTP tokens, PKI certificates, biometrics and device DNA.

Duo Security: Duo Security's D-100 hardware tokens employ the OATH standard for OTP generation, in addition to its mobile soft tokens, voice callback, SMS, and Duo Push authentication methods.

RCDevs OpenOTP Tokens: The OpenOTP authentication platform developed by RCDevs uses OATH Tokens (Time-based, Event-based and Challenge-Response), YubiKey, mOTP soft Tokens, SMS Tokens and the Google Authenticator (with QRCode user Token provisioning).

Swekey: The Swekey, manufactured by Musbe, Inc., is a USB device that provides authentication to web sites using a one-time password algorithm. The device's presence and the authentication can be controlled by web sites using JavaScript.

VeriSign: VeriSign Identity Protection credentials employ the OATH standard. The VeriSign eToken is an OEM product from Aladdin Knowledge Systems.

Yubico YubiKey: The YubiKey, manufactured by Yubico, is a device that acts as a USB keyboard and provides authentication by typing a one-time password that is encrypted using the AES algorithm with a 128-bit key. The YubiKey has four modes of operation: the standard Yubico OTP (a 12-character public ID followed by a 32-character OTP), OATH 6- or 8-digit OTPs for use with third-party OATH servers, a static passcode of 1–64 characters for legacy login applications, and challenge-response functionality using client software.

Time-synchronized one-time passwords

Time-synchronized one-time passwords change constantly at a set time interval, e.g. once per minute. To do this some sort of synchronization must exist between the client's token and the authentication server. For disconnected tokens this time synchronization is done before the token is distributed to the client. Other token types do the synchronization when the token is inserted into an input device. The main problem with time-synchronized tokens is that they can, over time, become unsynchronized as the token's clock drifts relative to the server's. Servers therefore usually accept codes from a small window of adjacent time steps and track the drift they observe. Some systems, such as RSA's SecurID, also allow the user to resynchronize the server with the token, sometimes by entering several consecutive passcodes. Most such tokens cannot have their batteries replaced and only last up to 5 years before having to be replaced, so there is an additional cost.

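
The OATH algorithms as a working verifier, added here as an example and not taken from the original article or from any vendor named on this page: HOTP (RFC 4226) derives each code from an HMAC over an 8-byte counter with dynamic truncation, and TOTP (RFC 6238) simply sets that counter to the number of 30-second steps since the Unix epoch. The server side shows the two points the paragraph raises: tolerating small drift by checking a window of neighbouring steps (and refusing to accept a step it has already accepted, which stops replay within the window), and resynchronising a badly drifted token from two consecutive codes, as the SecurID procedure described above does. Class and method names, the window and search sizes, and the clock values are choices made for this example; the secret `12345678901234567890` is the test key from the RFCs, so the codes can be checked against their published vectors.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, t0: int = 0,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter replaced by the number of time steps since t0."""
    return hotp(secret, (unix_time - t0) // step, digits, algo)


class TotpVerifier:
    """Server-side state for one token: accepted window, replay guard and learned drift."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1, digits: int = 6) -> None:
        self.secret, self.step, self.skew, self.digits = secret, step, skew, digits
        self.last_step = -1   # highest time step already accepted; never accept it again
        self.drift = 0        # learned offset (in steps) of the token clock relative to ours

    def verify(self, code: str, now: int) -> bool:
        base = now // self.step + self.drift
        for delta in range(-self.skew, self.skew + 1):
            step = base + delta
            if step <= self.last_step:          # replay of a code already used (or older)
                continue
            if hmac.compare_digest(hotp(self.secret, step, self.digits), code):
                self.last_step = step
                self.drift += delta             # small drift is absorbed incrementally
                return True
        return False

    def resync(self, code1: str, code2: str, now: int, search: int = 500) -> bool:
        """Manual resynchronisation from two consecutive codes read off a drifted token."""
        base = now // self.step
        for delta in range(-search, search + 1):
            step = base + delta
            if (hotp(self.secret, step, self.digits) == code1
                    and hotp(self.secret, step + 1, self.digits) == code2):
                self.drift = delta + 1          # the token's clock is currently at step + 1
                self.last_step = step + 1
                return True
        return False


def demo() -> tuple[bool, bool, bool, bool, bool]:
    """Normal use, replay, a token 10 minutes slow, manual resync, then normal use again."""
    secret = b"12345678901234567890"   # RFC 4226 / RFC 6238 test secret
    server = TotpVerifier(secret)
    now = 1_000_000                    # constructed server clock (seconds since the epoch)

    ok = server.verify(totp(secret, now), now)                 # True
    replay = server.verify(totp(secret, now), now + 5)         # False: step already accepted
    stale = server.verify(totp(secret, now + 60 - 600), now + 60)   # False: token 20 steps slow, outside window
    token_now = now + 90 - 600
    resynced = server.resync(totp(secret, token_now - 30), totp(secret, token_now), now + 90)  # True
    after = server.verify(totp(secret, now + 150 - 600), now + 150)  # True: drift now compensated
    return ok, replay, stale, resynced, after


if __name__ == "__main__":
    print(hotp(b"12345678901234567890", 0))                 # 755224 (RFC 4226 vector)
    print(totp(b"12345678901234567890", 59, digits=8))      # 94287082 (RFC 6238 vector)
    print(totp(b"12345678901234567890", int(time.time())))  # live code for the RFC test key
    print(demo())  # (True, False, False, True, True)
```

The replay guard matters because a code stays valid for the whole window (here three steps, about 90 seconds): without `last_step` a phished code could be used by the attacker a few seconds after the victim used it. The resync search range also bounds how far a stolen pair of codes can be used to "teach" the server an attacker-chosen drift, so real deployments limit resync to an authenticated help-desk flow.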
Aradiom SolidPass: SolidPass, developed by Aradiom, is a mobile Java phone based security token that provides a time-based one-time password algorithm for secure authentication, and also offers challenge-response based signing, including transaction signing, and an additional security question.

BRToken SafeSIGNATURE: The SafeSIGNATURE token, developed by the Brazilian company BRToken, was one of the first to support the TOTP algorithm defined by OATH (the Initiative For Open Authentication), a time-based extension of the HOTP algorithm. It can also read transaction data from any kind of screen or projection, display it on the token's own screen, and generate an electronic signature over it based on the public OCRA algorithm.

CAT (Cellular Authentication Token): The CAT token, developed by the New Zealand company Mega AS Consulting Ltd, was the first to market a cellular Java ME based soft token. The CAT uses an OATH-compliant time-based one-time password (TOTP) algorithm for strong authentication, and also offers encrypted messaging and an encrypted document delivery system. The CAT is a multi-token management system. Using a unique process, the CAT is secured on the cellular device (or PDA, BlackBerry, or Windows OS).

Entrust IdentityGuard Mini Token: Entrust offers two variants of their OTP token, the Entrust IdentityGuard Mini Token OT and the Mini Token AT. The Entrust IdentityGuard Mini Token OT provides time-based one-time passwords using the standards-based TOTP algorithm, endorsed by the Initiative for Open Authentication (OATH), providing compatibility with third-party software. The Entrust IdentityGuard Mini Token AT offers time- and event-synchronous one-time passwords based on the stronger DES/Triple DES algorithm.

Event-based token: An event-based token, by its nature, has a longer life span. Such tokens work on the one-time password principle, so once a password is used, the next one is generated. Often the user has a button to press to receive this new code, either from a token or via an SMS message. All CRYPTOCard's tokens are event-based rather than time-based.

Identita Technologies Display OTP Card: Identita's LED or E Ink display OTP cards display a number which changes each time the button on the card is pressed. This one-time password, entered along with a PIN when authenticating, allows for successful identification of the end user. Since Identita's OTP display cards are almost always asleep except during activation, the engineering team at Identita designed an algorithm which allows for accurate OTP generation without requiring the clock on the card and the clock on the authentication server to be matched. Identita's time-based OTP generation is patent pending.

KerPass UST: KerPass provides time-synchronous OATH one-time passwords on mobile phones. A new password is generated every 30 seconds. KerPass uses an exclusive server-side password validation technology that makes it possible to use a KerPass password in the context of a zero-knowledge password proof algorithm like SPEKE or SRP. This combination renders password authentication insensitive to man-in-the-middle attacks.

NagraID Security Touch Display Card: The NagraID Security 306 Series Touch Display Card is a 6-digit powered display card credential providing strong security with an integrated 12-button touch keypad, packaged in a familiar and convenient credit card form factor. The touch keypad supports various onboard applications such as PIN activation, challenge response and access to critical applications. The 306 Series card can function as a one-time password credential, physical access device, PKI or dotNET chip card, contactless eWallet and/or payment device. The cards are available with MasterCard's CAP, OATH and customer-specific algorithms (time-based or event-based).

RSA Security's SecurID: RSA Security's SecurID displays a number which changes at a set interval. The client enters the one-time password along with a PIN when authenticating. US patented technology.

SecureMetric's SecureOTP: SecureMetric's SecureOTP Time offers an OATH-compliant time-based one-time password, where the cryptographic computation is synchronized to the token's real-time clock and the server time. Simply press the button and SecureOTP Time will display a one-time password generated from the current time and the initialized secret key. The one-time password changes every 60 seconds; such a short validity period prevents someone who "steals" the password from performing any harmful activity after the valid interval. SecureMetric's SecureOTP Event offers an OATH-compliant event-based token. In this method the cryptographic computation uses a sequence number, incremented each time the user presses the token's button, as the input value, combined with the initialized secret key inside the token, to generate the required one-time password. Event-based one-time passwords have no expiry, which tends to be more convenient for users who prefer greater user-friendliness.

Secure Computing's Safeword: Secure Computing's Safeword is a hardware device that displays a passcode when a button on the device is pressed. A barcode and serial number on the back of the device are used by administrators to synchronize the devices with the authentication system. The Safeword system can be event-based or time-based. Each press of the button displays a new passcode, and once a passcode is used for authentication, combined with the user's PIN, it and all the passcodes generated before it cannot be reused. Time-based tokens display a different passcode every 20 seconds or less, depending on the configuration.

SecuTech UniOTP Tokens: The UniOTP, manufactured by SecuTech, is compliant with the OATH standard for OTP generation. The UniOTP series has 3 different models, which support different one-time password generation mechanisms, including time-based, event-based and challenge/response-based, to provide two-factor authentication. The time-based OTP token has an internal real-time clock which is synchronized with the authentication server; the one-time password changes every 60 seconds. To authenticate successfully, users must provide the right password and the one-time password generated by the UniOTP device.
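The entries above describe the same three OTP mechanisms from the server's side: a time-synchronous code that must still be accepted when the card clock and server clock have drifted apart (Identita, SecureOTP Time, UniOTP), an event-based code where a used passcode and every passcode before it must never be accepted again (Safeword, SecureOTP Event), and a challenge/response mode (UniOTP). The following is an added example, not code from the article or from any of the vendors named; it implements HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1, checked against those RFCs' published test vectors, and two small verifier classes (`TimeTokenVerifier`, `EventTokenVerifier`, hypothetical names) that show the drift window, counter look-ahead and replay rejection. The challenge/response function is a simplified HMAC construction for illustration, not the OATH OCRA encoding; `DEMO_KEY` is the RFC test key and every input is constructed.

```python
import hashlib
import hmac
import os

# Shared secret for the embedded demonstration only: the RFC 4226 / RFC 6238
# test key, so the generated values can be checked against those RFCs.
DEMO_KEY = b"12345678901234567890"


def _dynamic_truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: take 4 bytes at the offset given by the low
    nibble of the last byte, clear the sign bit, keep the low `digits` digits."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian event counter."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return _dynamic_truncate(mac, digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238) is HOTP with the counter replaced by the number of
    `step`-second intervals elapsed since the Unix epoch."""
    return hotp(key, unix_time // step, digits)


def challenge_response(key: bytes, challenge: bytes, digits: int = 8) -> str:
    """Challenge/response mode: a server-issued challenge replaces the counter.
    Simplified HMAC construction for illustration (assumption), not OATH OCRA."""
    return _dynamic_truncate(hmac.new(key, challenge, hashlib.sha1).digest(), digits)


def verify_challenge(key: bytes, challenge: bytes, response: str) -> bool:
    """Server check of a challenge/response answer in constant time."""
    return hmac.compare_digest(challenge_response(key, challenge, len(response)), response)


class TimeTokenVerifier:
    """Server side of a time-synchronous token. The card clock need not match
    the server clock: the server tries +/- `window` steps around the expected
    step, remembers the drift it found, and never accepts a step at or before
    the last one it accepted, so a captured code cannot be replayed."""

    def __init__(self, key: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.key, self.step, self.window, self.digits = key, step, window, digits
        self.drift = 0        # token steps ahead (+) or behind (-) of the server
        self.last_step = -1   # highest time step already used for a login

    def verify(self, code: str, now: int) -> bool:
        base = now // self.step + self.drift
        for delta in range(-self.window, self.window + 1):
            candidate = base + delta
            if candidate <= self.last_step:
                continue      # already used (replay) or older than the last login
            if hmac.compare_digest(hotp(self.key, candidate, self.digits), code):
                self.last_step = candidate
                self.drift += delta   # resynchronise to the token's clock
                return True
        return False


class EventTokenVerifier:
    """Server side of an event-based token. Button presses that never reached
    the server leave the token ahead, so the server searches a look-ahead
    window, then moves past the accepted counter: that code and every code
    generated before it can never be accepted again."""

    def __init__(self, key: bytes, look_ahead: int = 10, digits: int = 6):
        self.key, self.look_ahead, self.digits = key, look_ahead, digits
        self.counter = 0      # next counter value the server expects

    def verify(self, code: str) -> bool:
        for candidate in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.key, candidate, self.digits), code):
                self.counter = candidate + 1
                return True
        return False


def demo() -> dict:
    """Walk through the three modes with constructed inputs; returns the outcomes."""
    results = {"hotp_0": hotp(DEMO_KEY, 0), "totp_59": totp(DEMO_KEY, 59, digits=8)}
    # Time-based: the token clock runs 30 s ahead of the server (one step).
    tv = TimeTokenVerifier(DEMO_KEY, step=30, window=1)
    code = totp(DEMO_KEY, 59 + 30)
    results["time_login"] = tv.verify(code, now=59)     # accepted, drift learned
    results["time_replay"] = tv.verify(code, now=59)    # same code again: rejected
    # Event-based: three button presses without a login, then login with counter 3.
    ev = EventTokenVerifier(DEMO_KEY, look_ahead=6)
    results["event_login"] = ev.verify(hotp(DEMO_KEY, 3))      # accepted
    results["event_old_code"] = ev.verify(hotp(DEMO_KEY, 1))   # burned: rejected
    # Challenge/response: server sends a fresh nonce, token answers with its HMAC.
    challenge = os.urandom(8)
    results["challenge_ok"] = verify_challenge(DEMO_KEY, challenge, challenge_response(DEMO_KEY, challenge))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The generator side is identical for a card, a phone app or a server; what differs between the products above is only the moving part (clock step, button counter or challenge) and the server's tolerance policy. `hmac.compare_digest` is used for every code comparison so that timing differences do not leak how many digits matched.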

Smart DisplayCard: The Smart DisplayCard by ActivIdentity is a combination security token and smart card. A single button on the card displays a one-time password on a small liquid crystal display when pressed. This device uses an OATH compliant event-based algorithm to generate OTPs. The embedded smart chip provides standard smart card PKI capabilities, typically email encryption and digital signatures. The display card portion of the product is produced by NagraID.

Vasco's DigiPass: VASCO's Digipass series have either a small keyboard where the user can enter a PIN or a single button; in addition, the token generates a new one-time password after a pre-set time, and some features are patented.

PC cards

The PC card tokens are made to only work with laptops. Type II PC Cards are preferred as a token as they are half as thick as Type III.

Mykotronx Corp.: Mykotronx Corp. (a division of SafeNet) makes the Fortezza card token for laptops with a PC card slot.

Smart cards

Smart cards are relatively inexpensive compared to other tokens. There is also significant wear and tear on the smart cards themselves because of friction on the electronic contacts when the card is inserted. This has the potential to reduce the lifespan of a smart card token.

Universal Serial Bus (USB)

The Universal Serial Bus has become a standard in computers today; USB tokens are therefore often a cheaper alternative to other tokens needing a special input device.

VeriSign

VeriSign offers several different token types, from security cards to voice passcodes, as part of their Unified Authentication services. A custom-branded version of their One-Time Password (OTP) Token is used by PayPal and eBay as an extra layer of authentication for consumers when logging in to their websites.

Smart-card-based USB tokens

Smart-card-based USB tokens, which contain a smart card chip inside, provide the functionality of both USB tokens and smart cards. They enable a broad range of security solutions and provide the abilities and security of a traditional smart card without requiring a unique input device. From the computer operating system's point of view such a token is a USB-connected smart card reader with one non-removable smart card present. Some of these tokens are also made to support the NIST standard for Personal Identity Verification (PIV).

Other token types

Some use a special-purpose interface (e.g. the crypto ignition key deployed by the United States National Security Agency). Tokens can also be used as a photo ID card. Cell phones and PDAs can also serve as security tokens with proper programming.

See also

  • Authentication
  • Dongle
  • Hardware Security Module
  • Identity management
  • Initiative For Open Authentication
  • Mobile Signatures
  • Multi-factor authentication
  • Mutual authentication
  • Software token
  • Two-factor authentication

External links

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 