Editing Security token (section)
== Password types ==
[[File:Photograph of a vasco keypad.jpg|thumb|Example of keypad issued by a bank.]]
All tokens contain some secret information used to prove identity. There are four different ways in which this information can be used:
; Static password token: The device contains a password that is physically hidden (not visible to the possessor), but is transmitted for each authentication. This type is vulnerable to [[replay attack]]s.
; Synchronous dynamic password token: A timer is used to rotate through various combinations produced by a [[cryptographic algorithm]]. The token and the authentication server must have synchronized clocks.
; Asynchronous password token: A [[one-time password]] is generated without the use of a clock, either from a [[one-time pad]] or cryptographic algorithm.
; [[Challenge–response]] token: Using [[public key cryptography]], it is possible to prove possession of a private key without revealing that key. The authentication server encrypts a challenge (typically a random number, or at least data with some random parts) with a public key; the device proves it possesses a copy of the matching private key by providing the decrypted challenge.

Time-synchronized, one-time passwords change constantly at a set time interval; e.g., once per minute. To do this, some sort of synchronization must exist between the [[Client (Computing)|client]]'s token and the authentication [[Server (computing)|server]]. For disconnected tokens, this time-synchronization is done before the token is distributed to the [[Client (Computing)|client]]. Other token types do the synchronization when the token is inserted into an [[input device]].
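The following is an added worked example, not part of the article or of any vendor's token firmware. It implements the time-synchronized scheme described above as HOTP (RFC 4226) driven by a clock counter, i.e. TOTP (RFC 6238), and a server-side verifier that accepts codes within a small window of time steps and remembers the drift it observes. The shared secret, the 30-second step, the window size and the drift-learning and consecutive-passcode resynchronisation design are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed shared secret for the example; a real token holds a random
# key provisioned at manufacture or enrolment that is never shown to the user.
SECRET = b"constructed-demo-secret-key!"
STEP = 30      # seconds per time step (the "set time interval")
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a fixed-length decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of elapsed time steps.
    This is what the token computes from its own clock."""
    return hotp(secret, int(unix_time) // step)


class TotpServer:
    """Verifier with bounded drift tolerance.  Tracking the learned offset
    per token and resyncing from consecutive codes are illustrative design
    choices (assumptions), not a standardised behaviour."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window        # accept codes +/- this many steps away
        self.offset = 0             # learned drift of the token, in steps
        self.last_counter = -1      # highest counter already accepted

    def verify(self, code: str, server_time: float) -> bool:
        base = int(server_time) // STEP + self.offset
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue            # a code is accepted once: replay protection
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                self.offset += delta   # remember the drift for next time
                return True
        return False

    def resync(self, codes: list[str], server_time: float, search: int = 100) -> bool:
        """Re-synchronise a badly drifted token: the user enters several
        consecutive passcodes and the server searches a wide window for a
        matching run.  Several codes are required so that a single chance
        match far from the current time cannot shift the offset."""
        base = int(server_time) // STEP
        for delta in range(-search, search + 1):
            start = base + delta
            if all(hmac.compare_digest(hotp(self.secret, start + i), c)
                   for i, c in enumerate(codes)):
                self.offset = delta
                self.last_counter = start + len(codes) - 1
                return True
        return False


if __name__ == "__main__":
    now = 1_700_000_000                      # constructed server time
    server = TotpServer(SECRET)
    print("in sync:", server.verify(totp(SECRET, now), now))
    print("replayed:", server.verify(totp(SECRET, now), now))
    # token whose clock has fallen 10 steps (5 minutes) behind
    drifted = TotpServer(SECRET)
    print("drifted, single code:", drifted.verify(totp(SECRET, now - 300), now))
    run = [totp(SECRET, now - 300 + STEP * i) for i in range(3)]
    print("after resync:", drifted.resync(run, now))
```

A token that is one step off is accepted and its offset recorded; one that is ten steps off is rejected until the user performs the consecutive-passcode resync. Keeping the window small limits how many codes are valid at any moment, and refusing counters at or below the last accepted one stops a captured code from being reused within the window.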
The main problem with time-synchronized tokens is that they can, over time, become unsynchronized.<ref>{{Cite web|last=RD|first=Token2|date=2019-01-07|title=Time drift: a major downside of TOTP hardware tokens|url=https://token2.medium.com/time-drift-a-major-downside-of-totp-hardware-tokens-c164c2ec9252|access-date=2020-11-21|website=Medium|language=en}}</ref> However, some such systems, such as [[RSA SecurID|RSA's SecurID]], allow the user to re-synchronize the server with the token, sometimes by entering several consecutive passcodes. Most also cannot have replaceable batteries and only last up to 5 years before having to be replaced – so there is an additional cost.<ref>{{Cite web|date=2019-06-03|title=Time Drift in TOTP Hardware Tokens Explained and Solved - Protectimus Solutions|url=https://www.protectimus.com/blog/time-drift-in-totp-hardware-tokens/|access-date=2020-11-21|website=Protectimus|language=en-GB}}</ref>

Another type of one-time password uses a complex mathematical algorithm, such as a [[hash chain]], to generate a series of one-time passwords from a secret shared key. Each password is unique, even when previous passwords are known. The open-source [[Initiative for Open Authentication|OATH]] algorithm is standardized;{{Citation needed |date=March 2023 |reason=This claim needs references to reliable sources.}} other algorithms are covered by US [[patent]]s. Each password is observably unpredictable and independent of previous ones, so that an adversary is unable to guess what the next password may be, even with knowledge of all previous passwords.
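The following is an added worked example, not from the article or from any particular product, of the hash-chain one-time password scheme mentioned above (the construction is the one used by Lamport's scheme and S/KEY). The token releases the chain backwards, so each password is the preimage of the one before it: the server can check a new password with one hash of its stored value, while someone who has seen every password released so far can only hash forwards and cannot compute the next one. The seed, the chain length and the class names are assumptions for the example.

```python
import hashlib
import hmac


def hash_chain(seed: bytes, n: int) -> list[bytes]:
    """Return [h^0(seed), h^1(seed), ..., h^n(seed)] with h = SHA-256.
    The token keeps (or recomputes) this list; the server is given only
    the final element h^n(seed), from which the seed cannot be recovered."""
    values = [seed]
    for _ in range(n):
        values.append(hashlib.sha256(values[-1]).digest())
    return values


class HashChainToken:
    """Releases passwords h^(n-1), h^(n-2), ..., h^0 in that order."""

    def __init__(self, seed: bytes, n: int):
        self._chain = hash_chain(seed, n)
        self._next = n - 1                  # index of the next password to release

    def remaining(self) -> int:
        return self._next + 1

    def next_password(self) -> bytes:
        if self._next < 0:
            raise RuntimeError("chain exhausted: the token must be re-provisioned")
        password = self._chain[self._next]
        self._next -= 1
        return password


class HashChainServer:
    """Stores only the most recently accepted value; initially h^n(seed)."""

    def __init__(self, anchor: bytes):
        self.current = anchor

    def verify(self, password: bytes) -> bool:
        # A valid password is the preimage of the stored value.
        if hmac.compare_digest(hashlib.sha256(password).digest(), self.current):
            self.current = password         # advance: the old value is now spent
            return True
        return False


def observer_can_derive_next(seen: list[bytes], actual_next: bytes) -> bool:
    """What an eavesdropper holding all released passwords can compute:
    only forward hashes, none of which equal the next password."""
    forward = set()
    for p in seen:
        value = p
        for _ in range(64):                 # hash forwards as far as we like
            value = hashlib.sha256(value).digest()
            forward.add(value)
    return actual_next in forward


if __name__ == "__main__":
    seed, n = b"constructed-seed-for-example", 5   # constructed values
    token = HashChainToken(seed, n)
    server = HashChainServer(hash_chain(seed, n)[n])
    seen = []
    for _ in range(n):
        pw = token.next_password()
        print("accepted:", server.verify(pw), "replay:", server.verify(pw))
        seen.append(pw)
    print("remaining:", token.remaining())
```

The server never learns the seed and holds nothing an attacker could use to mint passwords ahead of the token; its only state is the last accepted value. Replay fails because hashing a spent password gives the value before it in the chain, not the current one. The cost of the scheme is that the chain is finite: after n logins the token must be re-seeded and the server given a new anchor.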