==Physical types==
{{More citations needed section|date=March 2023}}
Tokens can contain [[integrated circuit|chips]] with functions varying from very simple to very complex, including multiple authentication methods. The simplest security tokens do not need any connection to a [[computer]]. The token has a physical display; the authenticating user simply enters the displayed number to log in. Other tokens connect to the computer using wireless techniques, such as [[Bluetooth]]. These tokens transfer a key sequence to the local client or to a nearby access point.<ref>{{Cite web |date=2021-01-15 |title=2.3.3: Authentication Methods - Security Tokens |url=https://eng.libretexts.org/Courses/Delta_College/Information_Security/02%3A_Authenticate_and_Identify/2.3%3A_Authentication_Methods_-_Password/2.3.3%3A_Authentication_Methods_-_Security_Tokens |access-date=2023-05-08 |website=Engineering LibreTexts |language=en}}</ref> Alternatively, another form of token that has been widely available for many years is a mobile device which communicates using an out-of-band channel (like voice, [[SMS]], or [[Unstructured Supplementary Service Data|USSD]]).

Still other tokens plug into the computer and may require a PIN. Depending on the type of the token, the [[computer]] [[Operating system|OS]] will then either read the key from the token and perform a cryptographic operation on it, or ask the token's firmware to perform this operation.{{Citation needed |date=March 2023 |reason=This claim needs references to reliable sources.}}

A related application is the hardware [[dongle]] required by some computer programs to prove ownership of the [[software]]. The dongle is plugged into an [[input device]], and the [[software]] accesses that [[I/O device]] to [[Authorization|authorize]] its own use.

Commercial solutions are provided by a variety of vendors, each with their own proprietary (and often patented) implementation of variously used security features. Token designs meeting certain security standards are certified in the [[United States]] as compliant with [[FIPS 140]], a federal security standard.<ref>{{Cite report |url=https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf |title=Security requirements for cryptographic modules |last=National Institute of Standards and Technology |date=April 2019 |publisher=National Institute of Standards and Technology |issue=NIST FIPS 140-3 |doi=10.6028/nist.fips.140-3 |location=Gaithersburg, MD}}</ref> Tokens without any kind of certification are sometimes viewed as suspect, as they often do not meet accepted government or industry security standards, have not been put through rigorous testing, and likely cannot provide the same level of cryptographic security as token solutions whose designs have been independently audited by third-party agencies.{{citation needed|date=April 2013}}

=== Disconnected tokens ===
[[File:CryptoCard two factor.jpg|right|thumb|A disconnected token. The number must be copied into the [[Passcode|PASSCODE]] field by hand.]]
Disconnected tokens have neither a physical nor a logical connection to the client computer. They typically do not require a special input device, and instead use a built-in screen to display the generated authentication data, which the user enters manually via a [[Computer keyboard|keyboard]] or [[keypad]].

Disconnected tokens are the most common type of security token used (usually in combination with a password) in two-factor authentication for online identification.<ref>{{cite web|url=http://www.insight.co.uk/files/whitepapers/Two-factor%20authentication%20(White%20paper).pdf|title=Two-factor authentication|last=de Borde|first=Duncan|publisher=Siemens Insight Consulting|access-date=2009-01-14|date=2007-06-28|url-status=dead|archive-url=https://web.archive.org/web/20120112172841/http://www.insight.co.uk/files/whitepapers/Two-factor%20authentication%20(White%20paper).pdf|archive-date=2012-01-12}}</ref>

=== Connected tokens ===
Connected tokens are tokens that must be physically connected to the computer with which the user is authenticating. Tokens in this category automatically transmit the authentication information to the client computer once a physical connection is made, eliminating the need for the user to enter the authentication information manually. However, in order to use a connected token, the appropriate input device must be installed. The most common types of physical tokens are [[smart card]]s and USB tokens (also called ''security keys''), which require a smart card reader and a USB port respectively. Increasingly, [[FIDO2 Project|FIDO2]] tokens, supported by the open specification group [[FIDO Alliance]], have become popular with consumers, with mainstream browser support beginning in 2015 and adoption by popular websites and social media sites.{{Citation needed|date=March 2023|reason=This claim needs references to reliable sources.}} Older [[PC card]] tokens are made to work primarily with [[laptop]]s. Type II PC Cards are preferred as tokens because they are half as thick as Type III.

The audio jack is a relatively practical way to connect mobile devices, such as the [[iPhone]], [[iPad]] and [[Android (operating system)|Android]] devices, to other accessories.{{Citation needed|date=March 2023|reason=This claim needs references to reliable sources.}} The best-known such device is [[Square (application)|Square]], a credit card reader for [[iOS]] and Android devices. Some tokens use a special-purpose interface (e.g. the [[KSD-64|crypto ignition key]] deployed by the United States [[National Security Agency]]). Tokens can also be used as a photo [[ID card]]. [[Cell phones]] and [[Personal digital assistant|PDAs]] can also serve as security tokens with proper programming.

==== Smart cards ====
{{Main article|Smart card}}
Many connected tokens use smart card technology. Smart cards can be very cheap (around ten cents){{citation needed|date=September 2013}} and contain proven security mechanisms (as used by financial institutions, like cash cards). However, the computational performance of smart cards is often rather limited because of extremely low power consumption and ultra-thin form-factor requirements.

Smart-card-based [[USB]] tokens, which contain a [[smart card]] chip inside, provide the functionality of both USB tokens and smart cards. They enable a broad range of security solutions and provide the abilities and security of a traditional smart card without requiring a unique input device. From the [[operating system|computer operating system]]'s point of view such a token is a USB-connected smart card reader with one non-removable smart card present.<ref name="noteusbSpec">[http://www.usb.org/developers/devclass_docs/DWG_Smart-Card_CCID_Rev110.pdf Specification for Integrated Circuit(s) Cards Interface Devices] {{webarchive|url=https://web.archive.org/web/20051229033623/http://www.usb.org/developers/devclass_docs/DWG_Smart-Card_CCID_Rev110.pdf |date=2005-12-29 }}, usb.org</ref>

=== Contactless tokens ===
Unlike connected tokens, contactless tokens form a logical connection to the client computer but do not require a physical connection. The absence of the need for physical contact makes them more convenient than both connected and disconnected tokens. As a result, contactless tokens are a popular choice for [[keyless entry]] systems and electronic payment solutions such as [[Mobil]] [[Speedpass]], which uses [[RFID]] to transmit authentication information from a keychain token.{{Citation needed|date=March 2023|reason=This claim needs references to reliable sources.}} However, various security concerns have been raised about RFID tokens after researchers at [[Johns Hopkins University]] and [[RSA Laboratories]] discovered that RFID tags could be easily cracked and cloned.<ref>{{cite web|url=http://www.pcworld.com/article/119661/does_your_car_key_pose_a_security_risk.html|title=Does Your Car Key Pose a Security Risk?|first=Erin|last=Biba|date=2005-02-14|access-date=2009-01-14|publisher=PC World|archive-date=2011-06-05|archive-url=https://web.archive.org/web/20110605231530/http://www.pcworld.com/article/119661/does_your_car_key_pose_a_security_risk.html|url-status=dead}}</ref> Another downside is that contactless tokens have relatively short battery lives, usually only 5–6 years, which is low compared to [[Universal Serial Bus|USB]] tokens, which may last more than 10 years.{{Citation needed|date=June 2008}} Some tokens, however, do allow the batteries to be changed, thus reducing costs.

==== Bluetooth tokens ====
{{tone|section|date=September 2016}}
The [[Bluetooth Low Energy]] protocols provide a long-lasting battery lifecycle for wireless transmission.
* Transmitting only the device's inherent Bluetooth identity data is the weakest form of support for authentication.
* A bidirectional connection for transactional data interchange serves the most sophisticated authentication procedures.
In addition, automatic transmission power control can be used to estimate radial distance. Apart from the standardised Bluetooth power control algorithm, there is the option of calibrating the minimally required transmission power.<ref>{{cite web|url=http://depatisnet.dpma.de/DepatisNet/depatisnet?action=bibdat&docid=DE102009039879B9|title=Verfahren zum Steuern der Freigabe einer Einrichtung oder eines Dienstes, als Master ausgebildete Sendeempfangseinrichtung sowie System mit derartiger Einrichtung|website=dpma.de|access-date=16 April 2018}}</ref>

Bluetooth tokens are often combined with a USB token, thus working in both a connected and a disconnected state. Bluetooth authentication works when closer than {{convert|32|ft|m|abbr=off|sp=us}}. When the Bluetooth link is not properly operable, the token may be inserted into a [[Universal Serial Bus|USB]] [[input device]] to function.

Another combination is with a [[smart card]] to store larger amounts of identity data locally and to process information as well.<ref>{{cite web |url=https://www.certgate.com/de/produkte/cgtoken |title=cgToken {{!}} certgate |website=www.certgate.com |url-status=dead |archive-url=https://web.archive.org/web/20131009094610/http://www.certgate.com/de/produkte/cgtoken/ |archive-date=2013-10-09}}</ref> Another is a contactless BLE token that combines secure storage and tokenized release of fingerprint credentials.<ref>{{cite web|url=https://www.hypr.com/biometric-token/|title=Biometric U2F OTP Token - HYPR|website=HYPR Corp|access-date=16 April 2018}}</ref> In the USB mode of operation, sign-off requires attention to the token while it is mechanically coupled to the USB plug. The advantage of the Bluetooth mode of operation is the option of combining sign-off with distance metrics. Corresponding products, following the concept of an electronic leash, are in preparation.

==== NFC tokens ====
[[Near-field communication]] (NFC) tokens combined with a Bluetooth token may operate in several modes, thus working in both a connected and a disconnected state. NFC authentication works when closer than {{convert|1|ft|m|1|abbr=off|sp=us}}.{{Citation needed|date=March 2023|reason=This claim needs references to reliable sources.}} The NFC protocol bridges the short distance to the reader, while the Bluetooth connection serves to provide the data from the token needed for authentication. Even when the Bluetooth link is not connected, the token may supply its locally stored authentication information to the NFC reader; only coarse positioning near the reader is required, relieving the user of the exact positioning needed for a connector.{{citation needed|date=October 2016}}

=== Single sign-on software tokens ===
Some types of [[single sign-on]] (SSO) solutions, like [[enterprise single sign-on]], use the token to store software that allows for seamless authentication and password filling. As the passwords are stored on the token, users need not remember their passwords and therefore can select more secure passwords, or have more secure passwords assigned. Most tokens usually store a cryptographic hash of the password so that if the token is compromised, the password is still protected.<ref>{{Cite web |date=2021-01-15 |title=2.3.3: Authentication Methods - Security Tokens |url=https://eng.libretexts.org/Courses/Delta_College/Information_Security/02:_Authenticate_and_Identify/2.3:_Authentication_Methods_-_Password/2.3.3:_Authentication_Methods_-_Security_Tokens |access-date=2024-11-21 |website=Engineering LibreTexts |language=en}}</ref>

=== Programmable tokens ===
Programmable tokens are marketed as a "drop-in" replacement for mobile applications such as [[Google Authenticator]] (for example miniOTP<ref>[https://www.token2.com/shop/product/token2-miniotp-1-card Programmable hardware tokens ''Token2 miniOTP'']</ref>). They can be used either as a replacement for the mobile app or in parallel with it as a backup.