A security token is a physical or digital device that provides two-factor authentication for a user to prove their identity in a login process. It is typically used as a form of identification for physical access or as a method of computer system access. The token can be an item or a card that displays or contains security information about a user and can be verified by the system.
Security tokens can be used in place of, or in addition to, traditional passwords. They are most commonly used to access computer networks but also can secure physical access to buildings and act as electronic signatures for documents.
How it Works:
A security token provides authentication for accessing a system through any device that generates a password. This can include a smart card, a Universal Serial Bus key, a mobile device or a radio frequency identification card. The device generates a new password every time it is used, so a security token can be used to log in to a computer or virtual private network by typing the password generated by the token into the prompt.
Security token technology is based on the use of a device that generates a random number, encrypts it and sends it to a server with user authentication information. The server then sends back an encrypted response that can only be decrypted by the device. The device is reused for every authentication, so the server does not have to store any username or password information, with the intent of making the system less vulnerable to hacking.
Types of security tokens
Multiple types of security tokens are used to secure a variety of assets and applications. These include the following:
One-time passwords (OTPs). A form of digital security token, OTPs are valid for only one login session, meaning they are used once and never again. After the initial use, the authentication server is notified that the OTP should not be reused. OTPs are typically generated using a cryptographic algorithm from a shared secret key composed of two unique and random data elements. One element is a random session identifier, and the other is a secret key.
Disconnected tokens. This is a form of digital security token that does not connect physically or logically to a computer. The device may generate an OTP or other credentials. A desktop application that sends a text message to a cellphone, which the user must input in the login, is using a disconnected token.
Connected tokens. A connected token is a physical object that connects directly to a computer or sensor. The device reads the connected token and grants or denies access. YubiKey is an example of a connected token.
Contactless tokens. Contactless tokens form a logical connection with a computer without requiring a physical connection. These tokens connect to the system wirelessly and grant or deny access through that connection. For example, Bluetooth is often used as a method for establishing a connection with a contactless token.
Single sign-on (SSO) software tokens. SSO software tokens store digital information, such as a username or password. They enable people who use multiple computer systems and multiple network services to log in to each system without having to remember multiple usernames and passwords.
Programmable tokens. A programmable security token repeatedly generates a unique code valid for a specified time frame, often 30 seconds, to provide user access. For example, Amazon Web Services Security Token Service is an application that generates 2FA codes required for information technology administrators to access some AWS cloud resources.
Advantages
1. Security tokens are a more secure option for protecting networks and digital systems.
2. Security tokens use a physical or digital identifier unique to the user. Most forms are relatively easy to use and convenient.
Disadvantages:
1. Physical security tokens are subject to loss or theft.
2. If a security token is lost or stolen, it must be deactivated or replaced.
3. If not, an unauthorized user in possession of the token may be able to access privileged information and systems.
The Tech Platform