Security token
 
Encyclopedia




A security token (or sometimes a hardware token, hard token, authentication token, USB token, cryptographic token, or key fob) may be a physical device that an authorized user of computer services is given to ease authentication. The term may also refer to software tokens.

Security tokens are used to prove one's identity electronically (as in the case of a customer trying to access their bank account). The token is used in addition to or in place of a password to prove that the customer is who they claim to be. The token acts like an electronic key to access something.

Hardware tokens are typically small enough to be carried in a pocket or purse and often are designed to attach to the user's keychain. Some may store cryptographic keys, such as a digital signature, or biometric data, such as fingerprint minutiae. Some designs feature tamper-resistant packaging, while others may include small keypads to allow entry of a PIN or a simple button to start a generating routine with some display capability to show a generated key number. Special designs include a USB connector, RFID functions or a Bluetooth wireless interface to enable transfer of a generated key number sequence to a client system.

Token types and usage


There are four types of tokens:
  1. Static Password
  2. Synchronous Dynamic Password
  3. Asynchronous Password
  4. Challenge Response


This article currently focuses on Synchronous Dynamic password tokens.

The simplest security tokens do not need any connection to a computer. The client enters the number displayed on the token (second security factor) on a local keyboard, usually along with a PIN (first security factor), when asked to do so.

Other tokens connect to the computer using wireless techniques, such as Bluetooth. These tokens transfer a key sequence to the local client or to a nearby access point.

Still other tokens plug into the computer. For these one must:
  1. Connect the token to the computer using an appropriate input device
  2. Enter the PIN if necessary

Depending on the type of token, the computer OS will now either
  • read the key from the token and perform a cryptographic operation on it, or
  • ask the token's firmware to perform this operation


A related application is the hardware dongle required by some computer programs to prove ownership of the software. The dongle is placed in an input device and the software accesses the I/O device in question to authorize the use of the software in question.

Minimum requirement


The minimum requirement of any token is at least an inherent unique identity in a protected memory that cannot be tampered with and preferably is not openly accessible to applications other than those offered by the token vendor or another trusted organization.

Digital signature


Trusted as a regular hand-written signature, the digital signature must be made with a private key known only to the person authorized to make the signature. Tokens that allow secure on-board generation and storage of private keys enable secure digital signatures, and can also be used for user authentication, as the private key also serves as a proof for the user’s identity.

For tokens to identify the user, all tokens must have some kind of number that is unique. Not all approaches fully qualify as digital signatures according to some national laws. Tokens with no on-board keyboard or another user interface cannot be used in some signing scenarios, such as confirming a bank transaction based on the bank account number that the funds are to be transferred to.

Embodiments and vendors


Tokens can contain chips with functions varying from very simple to very complex, including multiple authentication methods. Commercial solutions are provided by a variety of vendors, each with their own proprietary (and often patented) implementation of variously used security features. Token designs meeting certain security standards are certified as FIPS compliant. Tokens without any kind of certification are sometimes viewed as suspect, as they often do not meet accepted government or industry security standards, have not been put through rigorous testing, and likely cannot provide the same level of cryptographic security as token solutions which have had their designs independently audited by third-party agencies.

Disconnected tokens


Disconnected tokens have neither a physical nor logical connection to the client computer. They typically do not require a special input device, and instead use a built-in screen to display the generated authentication data, which the user enters manually themselves via a keyboard or keypad. Disconnected tokens are the most common type of security token used (usually in combination with a password) in two-factor authentication for online identification.

Connected tokens


Connected tokens are tokens that must be physically connected to the client computer. Tokens in this category will automatically transmit the authentication info to the client computer once a physical connection is made, eliminating the need for the user to manually enter the authentication info. However, in order to use a connected token the appropriate input device must be installed. The most common types of physical tokens are smart cards and USB tokens, which require a smart card reader and a USB port respectively.

SmartCards


Many connected tokens use SmartCard technology. SmartCards can be very cheap (around ten cents) and contain proven security mechanisms (as used by financial institutions, like cash cards). However, the computational performance of SmartCards is often rather limited because of extremely low power consumption and ultra-thin form-factor requirements.

Contactless tokens


Contactless tokens are the third main type of physical tokens. Unlike connected tokens, they form a logical connection to the client computer but do not require a physical connection. The absence of the need for physical contact makes them more convenient than both connected and disconnected tokens. As a result contactless tokens are a popular choice for keyless entry systems and electronic payment solutions such as Mobil Speedpass, which uses RFID to transmit authentication info from a keychain token. However, there have been various security concerns raised about RFID tokens after researchers at Johns Hopkins University and RSA Laboratories discovered that RFID tags could be easily cracked and cloned.
Another downside is that contactless tokens have relatively short battery lives; usually only 3-5 years, which is low compared to USB tokens which may last up to 10 years. Some tokens do allow the batteries to be changed, though, thus reducing costs.

Bluetooth tokens


Bluetooth tokens are often combined with a USB token, thus working in both a connected and a disconnected state. Bluetooth authentication works when closer than 32 feet (10 meters). If Bluetooth is not available, the token must be inserted into a USB input device to function.

GSM cellular phones


A new category of T-FA tools allows users to utilize their mobile phone as a security token. A Java application installed on the mobile phone performs the functions normally provided by a dedicated token. Other methods of using the cell phone include using SMS messaging, instigating an interactive telephone call, or using standard Internet protocols such as HTTP or HTTPS.

Such a method can simplify deployment, reduce logistical costs and remove the need for separate token devices. In the case of SMS options, there are trade-offs: users may incur fees for text messages or for WAP/HTTP services.

Single sign-on software tokens


Some types of Single sign-on (SSO) solutions, like enterprise single sign-on, use the token to store software that allows for seamless authentication and password filling. As the passwords are stored on the token, users need not remember their passwords and therefore can select more secure passwords, or have more secure passwords assigned.

Enterprise single sign-on


Some Enterprise single sign-on (E-SSO) solutions use security tokens.

Two-factor authentication (T-FA)


Security tokens provide the "what you have" component in two-factor authentication and multi-factor authentication solutions. Some tokens provide up to three factors of authentication.

One-time passwords


A one-time password is a password that changes after each login, or changes after a set time interval.

Mathematical-algorithm-based one-time passwords


Another type of one-time password uses a complex mathematical algorithm, such as a hash chain, to generate a series of one-time passwords from a secret shared key. Each password is unguessable, even when previous passwords are known. The open source OATH algorithm is standardized; other algorithms are covered by U.S. patents.
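The hash-chain scheme described above, as an added example that is not part of the original article and not any vendor's code: the token holds a secret seed, the server is enrolled with the chain head h^n(seed), and each login reveals the next preimage down the chain. SHA-256 as the link function, the chain length, and the test seed are this example's own choices; the article names no particular hash. The property the article states (earlier passwords follow from later ones, but the next one cannot be derived from those already seen) is what the verifier's preimage check relies on.

```python
import hashlib
import hmac
import secrets


def h(data: bytes) -> bytes:
    """One link of the chain: a single SHA-256 application (this example's choice of hash)."""
    return hashlib.sha256(data).digest()


def chain(seed: bytes, k: int) -> bytes:
    """h applied k times to the seed, i.e. h^k(seed)."""
    value = seed
    for _ in range(k):
        value = h(value)
    return value


class HashChainToken:
    """Client side (the 'token'). Keeps the secret seed and walks the chain backwards,
    handing out h^(n-1)(seed), h^(n-2)(seed), ..., h^1(seed). The seed itself is never
    released, so a chain of length n yields n-1 passwords."""

    def __init__(self, seed: bytes, length: int):
        self.seed = seed
        self.remaining = length   # exponent of the value the server currently holds

    def anchor(self) -> bytes:
        """Chain head h^n(seed), registered with the server at enrolment. Not secret."""
        return chain(self.seed, self.remaining)

    def next_password(self) -> bytes:
        if self.remaining <= 1:
            raise RuntimeError("chain exhausted: enrol a fresh seed before this point")
        self.remaining -= 1
        return chain(self.seed, self.remaining)


class HashChainVerifier:
    """Server side. Stores only the last accepted value and never sees the seed."""

    def __init__(self, anchor: bytes):
        self.expected = anchor

    def verify(self, password: bytes) -> bool:
        # A valid password is the preimage of the stored value: h(password) == expected.
        if hmac.compare_digest(h(password), self.expected):
            self.expected = password   # advance; the value just used is now worthless
            return True
        return False


def new_token(length: int = 1000) -> HashChainToken:
    """Provision a token with a fresh random seed, as a vendor would at manufacture."""
    return HashChainToken(secrets.token_bytes(32), length)


if __name__ == "__main__":
    token = new_token(5)
    server = HashChainVerifier(token.anchor())
    first = token.next_password()
    print("first login accepted:", server.verify(first))
    print("replay of the same value accepted:", server.verify(first))
```

The server state is a single hash value per user and moves strictly forward, which is why a captured password is useless once it has been accepted; the trade-off is that the chain is finite and the token must be re-enrolled with a new seed before it runs out.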
VeriSign

VeriSign Unified Authentication uses the OATH standard. VeriSign Unified Authentication OEM is Aladdin Knowledge Systems.
Deepnet Security

Deepnet Security's Deepnet Unified Authentication Platform is a multi-factor authentication platform for provisioning, managing and verifying all types of user and host authentication methods, form-factors and user credentials, including OTP tokens, PKI certificates, biometrics and device DNA.
Aladdin Knowledge Systems’ eToken NG-OTP

The Aladdin Knowledge Systems' eToken NG-OTP is a hybrid USB and one-time password token. It combines the functionality of smart card based authentication tokens with one-time password user authentication technology in detached mode.
Yubico YubiKey

The YubiKey, manufactured by Yubico, is a device that acts as a USB keyboard and provides secure authentication by a one-time password algorithm.
Virtual Tokens

Virtual Tokens are a new concept in multi-factor authentication first introduced in 2005 by security company Sestus. Virtual tokens work by sharing the token generation process between the internet website and the user's computer and have the advantage of not requiring the distribution of additional hardware or software. In addition, since the user's device is communicating directly with the authenticating website, the solution is resistant to man-in-the-middle attacks and similar forms of online fraud.

Time-synchronized one-time passwords


Time-synchronized one-time passwords change constantly at a set time interval, e.g. once per minute. To do this some sort of synchronization must exist between the client's token and the authentication server. For disconnected tokens this time-synchronization is done before the token is distributed to the client; other token types do the synchronization when the token is inserted into an input device. The main problem with time-synchronized tokens is that they can, over time, become unsynchronized. However, some such systems, such as RSA's SecurID, allow the user to resynchronize the server with the token, sometimes by entering several consecutive passcodes. Most also cannot have replaceable batteries and only last up to 3 years before having to be replaced, so there is additional cost.
Event-based Token

An event based token, by its nature, has a longer life span. They work on the one-time password principle and so once used, the next password is generated. Often the user has a button to press to receive this new code via either a token or via an SMS message. All CRYPTOCard's tokens are event-based rather than time-based.
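Both token classes above, the time-synchronized kind and the event-based kind, are most often built on the OATH HOTP/TOTP algorithms that the article mentions later. The following is an added example (not the article's content and not any vendor's implementation) that derives codes exactly as RFC 4226 and RFC 6238 specify and then shows the two server-side verifiers a practitioner has to write: an event-based verifier whose counter only moves forward and which tolerates button presses that never reached the server, and a time-based verifier that accepts a small window around the server clock, remembers the measured drift (the "resynchronization" the article describes) and refuses a second use of the same time step. The shared secret is the well-known RFC test secret, used here only so the codes can be checked against the published vectors; the window sizes are this example's choices.

```python
import hashlib
import hmac
import struct

# Secret constructed for this example: the RFC 4226 / RFC 6238 test secret.
# A real token carries a per-device random secret that never leaves it.
EXAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HMAC-based OTP (RFC 4226): HMAC over the 8-byte big-endian counter, a 4-byte
    window at the offset given by the last nibble, top bit cleared, reduced mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits, digestmod)


class EventTokenVerifier:
    """Server side for an event-based token. The counter only ever advances; a
    look-ahead window absorbs presses whose codes were never submitted."""

    def __init__(self, secret: bytes, look_ahead: int = 10, digits: int = 6):
        self.secret = secret
        self.counter = 0            # next counter value the server expects
        self.look_ahead = look_ahead
        self.digits = digits

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.counter = c + 1   # this and every earlier code can never be reused
                return True
        return False


class TimeTokenVerifier:
    """Server side for a time-synchronized token. Accepts +/- window steps around
    the server clock, records the drift it observes so later checks start from the
    token's clock, and rejects any time step that has already been consumed."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.secret = secret
        self.step = step
        self.window = window
        self.digits = digits
        self.drift = 0              # token steps ahead (+) or behind (-) the server
        self.last_step = -1         # highest time step already accepted

    def verify(self, code: str, unix_time: int) -> bool:
        base = int(unix_time) // self.step + self.drift
        for offset in range(-self.window, self.window + 1):
            t = base + offset
            if t <= self.last_step:
                continue            # replay, or older than a code already accepted
            if hmac.compare_digest(hotp(self.secret, t, self.digits), code):
                self.drift += offset
                self.last_step = t
                return True
        return False


if __name__ == "__main__":
    print("HOTP, counter 0:", hotp(EXAMPLE_SECRET, 0))             # 755224 per RFC 4226
    print("TOTP at t=59  :", totp(EXAMPLE_SECRET, 59, digits=8))   # 94287082 per RFC 6238
```

Two details matter in practice: the comparison uses `hmac.compare_digest` so a verifier does not leak which digits matched through timing, and both verifiers persist a high-water mark (the counter or the last time step), since an OTP scheme with no server-side state is replayable within its window no matter how good the code derivation is.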
Booleansoft

Booleansoft tokens synchronize with the authentication server when inserted into an input device like a USB input device or a CD-ROM drive. US patent pending technology.
Aradiom SolidPass

SolidPass, developed by Aradiom, is a mobile Java phone-based security token that provides a time-based one-time password algorithm for secure authentication, and also offers challenge-response based signing including transaction signing and an additional security question.
BRToken SafeSIGNATURE

The SafeSIGNATURE token, developed by the Brazilian company BRToken, was one of the first to provide support for the TOTP algorithm, defined by the OATH (Initiative For Open Authentication), an extension of the HOTP algorithm, but time-based. It also has the capacity of reading transaction data from any type of screen or projection, displaying it on the token screen, and generating an electronic signature, based on the public OCRA algorithm.
CAT (Cellular Authentication Token)

The CAT token, developed by the New Zealand company Mega AS Consulting Ltd, was the first to market a Cellular J2ME based soft token. The CAT uses an OATH compliant time-based one-time password (TOTP) algorithm for strong authentication, and also offers encrypted messaging and an encrypted document delivery system. The CAT is a multi-token management system. Using a unique process, the CAT is secured on the Cellular device (or PDA, Blackberry, Windows OS).
Entrust IdentityGuard Mini Token

Entrust offers two variants of their OTP token — Entrust IdentityGuard Mini Token OE and Entrust IdentityGuard Mini Token AT. The Entrust IdentityGuard Mini Token OE provides event-based, one-time passwords using the standards-based HOTP algorithm endorsed by the Initiative for Open Authentication (OATH), providing compatibility with third-party software. The Entrust IdentityGuard Mini Token AT offers time- and event-synchronous, one-time passwords based on the stronger DES/3DES algorithm.
Identita Technologies Display OTP Card

Identita's LED or E Ink display OTP cards display a number which changes each time the button on the card is pressed. This one-time password, along with a PIN entered when authenticating, allows for successful identification of the end user. Since Identita's OTP display cards are almost always asleep except during activation, the engineering team at Identita designed an algorithm which allows for accurate OTP generation without requiring the clock on the card and the clock on the authentication server to be matched. Identita's time-based OTP generation is patent pending.
RSA Security's SecurID

RSA Security's SecurID displays a number which changes at a set interval. The client enters the one-time password along with a PIN when authenticating. The technology is US-patented.
Vasco's DigiPass

VASCO's Digipass series have either a small keyboard where the user can enter a PIN or a single button; in addition, the token generates a new one-time password after a pre-set time. US patents: 4599489 and 4609777.
KerPass UST

KerPass provides time-synchronous OATH one-time passwords on a mobile phone. A new password is generated every 30 seconds. KerPass uses an exclusive server-side password validation technology that makes it possible to use a KerPass password in the context of a zero-knowledge password proof algorithm like SPEKE or SRP. This combination renders password authentication insensitive to man-in-the-middle attacks.
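What it means to use a one-time password inside a zero-knowledge password proof, shown with SRP, as an added illustration that is not KerPass's technology: the client treats the OTP its token currently displays as the SRP password, and the server, assumed here to be able to compute the same expected OTP from the shared seed for the current time step, derives the matching SRP verifier on the fly. Neither side ever sends the OTP; each only proves it knows it. The Python below implements the SRP-6a computation (k = H(N, g), u = H(A, B), with SHA-256) over a deliberately tiny 64-bit prime modulus constructed for illustration; a real deployment would use one of the RFC 5054 groups. The six-digit values passed in are constructed sample OTPs, not output of any real token.

```python
import hashlib
import secrets

# Toy SRP group, constructed for illustration only: N = 2**64 - 59 is prime but far
# too small to be secure; real deployments use the 1024-bit and larger RFC 5054 groups.
N = 2**64 - 59
g = 2
N_BYTES = (N.bit_length() + 7) // 8


def _h(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def _pad(x: int) -> bytes:
    return x.to_bytes(N_BYTES, "big")


K_MULT = _h(_pad(N), _pad(g))  # SRP-6a multiplier k = H(N | PAD(g))


def private_x(salt: bytes, username: str, otp: str) -> int:
    """x = H(salt | H(username ':' password)); the password here is the OTP."""
    inner = hashlib.sha256(f"{username}:{otp}".encode()).digest()
    return _h(salt, inner)


def verifier(salt: bytes, username: str, otp: str) -> int:
    """v = g^x: what the server derives from the OTP it expects for this time step."""
    return pow(g, private_x(salt, username, otp), N)


class SrpClient:
    def __init__(self, username: str, otp: str):
        self.username, self.otp = username, otp
        self.a = secrets.randbelow(N - 2) + 1      # ephemeral private value
        self.A = pow(g, self.a, N)                 # public value sent to the server

    def session_key(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("server sent an invalid B")
        u = _h(_pad(self.A), _pad(B))
        if u == 0:
            raise ValueError("degenerate u")
        x = private_x(salt, self.username, self.otp)
        base = (B - K_MULT * pow(g, x, N)) % N     # equals g^b when both sides agree
        S = pow(base, self.a + u * x, N)
        return hashlib.sha256(_pad(S)).digest()


class SrpServer:
    def __init__(self, salt: bytes, v: int):
        self.salt, self.v = salt, v
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (K_MULT * v + pow(g, self.b, N)) % N

    def session_key(self, A: int) -> bytes:
        if A % N == 0:
            raise ValueError("client sent an invalid A")
        u = _h(_pad(A), _pad(self.B))
        if u == 0:
            raise ValueError("degenerate u")
        S = pow(A * pow(self.v, u, N), self.b, N)
        return hashlib.sha256(_pad(S)).digest()


def run_exchange(username: str, client_otp: str, server_expected_otp: str) -> bool:
    """One SRP exchange; True when both sides derived the same session key, i.e.
    the client's OTP matched the one the server expected for this time step."""
    salt = secrets.token_bytes(16)  # per-user salt, sent to the client in the clear
    server = SrpServer(salt, verifier(salt, username, server_expected_otp))
    client = SrpClient(username, client_otp)
    # On the wire: client -> server: username, A ;  server -> client: salt, B.
    # The OTP itself, and anything that reveals it, never crosses the wire.
    k_client = client.session_key(salt, server.B)
    k_server = server.session_key(client.A)
    return k_client == k_server


if __name__ == "__main__":
    print("matching OTP:", run_exchange("alice", "492039", "492039"))   # constructed OTP
    print("wrong OTP:   ", run_exchange("alice", "492039", "111111"))
```

Because the server's verifier is rebuilt for every time step, an eavesdropper who records A, B and the salt learns nothing that stays valid once the step has passed, and an active party in the middle cannot complete either side of the proof without the OTP itself.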
Secure Computing's Safeword

Secure Computing's Safeword is a hardware device that displays a passcode when a button on the device is pressed. A barcode and serial number on the back of the device are used by administrators to synchronize the devices with the authentication system. The Safeword system can be event-based or time-based. Each press of the button displays a new passcode, and once a passcode is used for authentication, combined with the user's PIN, it and all the passcodes generated before it cannot be reused. Time-based tokens display a different passcode every 20 seconds or less, depending on how the user wants it.
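The server side of the two modes just described has to do more than recompute the code. An event-based verifier must accept a passcode from a bounded look-ahead window (the user may have pressed the button without logging in), and once it accepts one it must retire that passcode together with every earlier one; a time-based verifier must tolerate some drift between the token's clock and its own, yet refuse a passcode presented a second time within the window. The Python below is an added example of both verifiers in the generic RFC 4226 / RFC 6238 style, not Safeword's, Identita's or any other vendor's implementation; the look-ahead size, the two-code administrative resynchronisation routine, the 30-second step and the one-step drift allowance are assumptions chosen for the illustration, and the seed is the RFC 4226 test secret so that every code below can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
import time


def _hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP (SHA-1, dynamic truncation), shared by both verifiers."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class EventTokenVerifier:
    """Server-side record for one event-based (button-press) token.

    next_counter is the lowest counter value the server will still accept;
    look_ahead bounds how many presses may have happened without a login."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(_hotp(self.secret, c), code):
                # Accepting counter c retires c and every earlier passcode: a
                # replay of this code, or of any older one, now fails.
                self.next_counter = c + 1
                return True
        return False

    def resync(self, code1: str, code2: str, window: int = 1000) -> bool:
        """Assumed administrative resynchronisation: two consecutive codes from
        the token locate its counter inside a much wider search window."""
        for c in range(self.next_counter, self.next_counter + window):
            if _hotp(self.secret, c) == code1 and _hotp(self.secret, c + 1) == code2:
                self.next_counter = c + 2
                return True
        return False


class TimeTokenVerifier:
    """Server-side record for one time-based token: accept the current step and
    one step either side (clock drift), but never the same step twice."""

    def __init__(self, secret: bytes, step: int = 30, drift_steps: int = 1):
        self.secret, self.step, self.drift = secret, step, drift_steps
        self.last_step_used = -1  # highest time step already consumed

    def verify(self, code: str, now=None) -> bool:
        current = (int(time.time()) if now is None else now) // self.step
        for t in range(current - self.drift, current + self.drift + 1):
            if t <= self.last_step_used:
                continue  # consumed or older: this is what blocks replay in-window
            if hmac.compare_digest(_hotp(self.secret, t), code):
                self.last_step_used = t
                return True
        return False


# Constructed demo seed: the RFC 4226 reference secret, so codes are checkable by hand.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    ev = EventTokenVerifier(DEMO_SECRET)
    print("first press accepted:", ev.verify("755224"))
    print("same code replayed:  ", ev.verify("755224"))
    tv = TimeTokenVerifier(DEMO_SECRET)
    print("step-1 code at T=59s:", tv.verify("287082", now=59))
    print("replayed at T=60s:   ", tv.verify("287082", now=60))
```

Two details matter in practice: the comparison is constant-time (hmac.compare_digest) so that a wrong code fails in the same time as a nearly right one, and the state update happens before the function returns True, so that two concurrent logins with the same passcode cannot both succeed.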
Smart DisplayCard

The Smart DisplayCard by ActivIdentity is a combination security token and smart card. A single button on the card displays a one-time password on a small liquid crystal display when pressed. This device uses an OATH-compliant event-based algorithm to generate OTPs. The embedded smart chip provides standard smart card PKI capabilities, typically email encryption and digital signatures. The display card portion of the product is produced by NagraID.

PC cards


PC card tokens are made to work only with laptops. Type II PC Cards are preferred as a token as they are half as thick as Type III.

Mykotronx Corp.


Mykotronx Corp. (a division of SafeNet) makes the Fortezza card token for laptops with a PC card slot.

Smart cards


Smart cards are relatively inexpensive compared to other tokens. There is also significant wear and tear on the smart cards themselves because of the friction on the electrical contacts each time the card is inserted. This has the potential to reduce the lifespan of a smart card token.

Universal Serial Bus (USB)


The Universal Serial Bus (USB) has become a standard in computers today; USB tokens are therefore often a cheaper alternative to other tokens that need a special input device.

Booleansoft


Booleansoft has several types of USB tokens, some including fingerprint biometrics. Each client that requires secure authentication is supplied with a personal security token. When the USB token is inserted into a PC's USB port, a software program stored on the token (called the 'token software') is automatically started. The token software lets the user generate new one-time passwords and digital signatures to access a remote resource for authentication purposes.

VeriSign


VeriSign offers several different token types, from security cards to voice passcodes, as part of their Unified Authentication services. A custom-branded version of their One-Time Password (OTP) Token is used by PayPal and eBay as an extra layer of authentication for consumers when logging in to their websites.

Smart Card Based USB tokens


Smart-card-based USB tokens, which contain a smart card chip inside, provide the functionality of both USB tokens and smart cards. They enable a broad range of security solutions and provide the abilities and security of a traditional smart card without requiring a unique input device. From the computer operating system's point of view, such a token is a USB-connected smart card reader with one non-removable smart card present. Some of these tokens are also made to support the NIST standard for Personal Identity Verification (PIV).

Other token types


Some use a special purpose interface (e.g. the crypto ignition key deployed by the United States National Security Agency). Tokens can also be used as a photo ID card. Cell phones and PDAs can also serve as security tokens with proper programming. Booleansoft provides CD tokens, some the size of a standard credit card.
See also
  • Authentication
  • Dongle
  • Hardware Security Module
  • Identity management
  • Initiative For Open Authentication
  • Mobile signatures
  • Multi-factor authentication
  • Mutual authentication
  • Software token
  • Two-factor authentication

External links