Security token
Device used to access an electronically restricted resource

[Figure: A GoldKey security token connected to a laptop.]

A security token is a peripheral device used to gain access to an electronically restricted resource. The token is used in addition to, or in place of, a password. Examples of security tokens include wireless key cards used to open locked doors, a banking token used as a digital authenticator for signing in to online banking, or for signing transactions such as wire transfers.

Security tokens can be used to store information such as passwords, cryptographic keys used to generate digital signatures, or biometric data (such as fingerprints). Some designs incorporate tamper-resistant packaging, while others may include a small keypad to allow entry of a PIN, or a simple button to start a generation routine together with some display capability to show the generated number. Connected tokens use a variety of interfaces, including USB, near-field communication (NFC), radio-frequency identification (RFID), and Bluetooth. Some tokens have audio capabilities designed for users who are vision-impaired.
Password types

All tokens contain some secret information used to prove identity. There are four different ways in which this information can be used:

[Figure: Asynchronous password token for HSBC online banking.]

Static password token
The device contains a password that is physically hidden (not visible to the possessor), but is transmitted for each authentication. This type is vulnerable to replay attacks.

Synchronous dynamic password token
A timer is used to rotate through various combinations produced by a cryptographic algorithm. The token and the authentication server must have synchronized clocks.

Asynchronous password token
A one-time password is generated without the use of a clock, either from a one-time pad or a cryptographic algorithm.

Challenge–response token
Using public key cryptography, it is possible to prove possession of a private key without revealing that key. The authentication server encrypts a challenge (typically a random number, or at least data with some random parts) with the token's public key; the device proves it possesses the matching private key by returning the decrypted challenge.
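The challenge–response exchange described above, as an added example written for this page rather than code taken from the article or from any token vendor. The server encrypts a fresh 32-byte nonce to the enrolled RSA public key with OAEP, the token decrypts it with the private key that never leaves it, and the server accepts only an exact match and then forgets the nonce so the reply cannot be replayed. The Token and Server types, their method names and the 2048-bit key size are this example's own choices.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Token models the device. The private key is generated on the token and never
// leaves it; Token, Server and their methods are names chosen for this example.
type Token struct {
	priv *rsa.PrivateKey
}

// NewToken generates the key pair on the token. Only the public half is later
// exported for enrolment.
func NewToken() (*Token, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Token{priv: priv}, nil
}

// Public returns the half of the key that is enrolled with the server.
func (t *Token) Public() *rsa.PublicKey {
	return &t.priv.PublicKey
}

// Respond is the token's side of the exchange: recover the challenge with the
// private key and hand it back. OAEP decryption returns an error, not garbage,
// when the ciphertext was produced for a different key.
func (t *Token) Respond(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, t.priv, ciphertext, nil)
}

// Server keeps the enrolled public keys and at most one outstanding challenge
// per user.
type Server struct {
	keys       map[string]*rsa.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{
		keys:       make(map[string]*rsa.PublicKey),
		challenges: make(map[string][]byte),
	}
}

// Enroll stores the user's public key; this is the one-time registration step.
func (s *Server) Enroll(user string, pub *rsa.PublicKey) {
	s.keys[user] = pub
}

// Challenge draws 32 fresh random bytes, remembers them for this user and
// returns them encrypted to the user's public key, so only the matching
// private key can recover them.
func (s *Server) Challenge(user string) ([]byte, error) {
	pub, ok := s.keys[user]
	if !ok {
		return nil, fmt.Errorf("unknown user %q", user)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, nil)
}

// Verify accepts the response only if it equals the challenge that was issued,
// and forgets that challenge so the same response cannot be replayed.
func (s *Server) Verify(user string, response []byte) bool {
	expected, ok := s.challenges[user]
	if !ok {
		return false
	}
	delete(s.challenges, user)
	return subtle.ConstantTimeCompare(expected, response) == 1
}

func main() {
	tok, err := NewToken()
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	srv.Enroll("alice", tok.Public())

	ct, err := srv.Challenge("alice")
	if err != nil {
		panic(err)
	}
	resp, err := tok.Respond(ct)
	if err != nil {
		panic(err)
	}
	fmt.Println("fresh response accepted:   ", srv.Verify("alice", resp))
	fmt.Println("replayed response accepted:", srv.Verify("alice", resp))
}
```

Two properties worth checking in any real deployment: a response is good for exactly one login, and a token holding a different private key cannot answer at all, because OAEP decryption with the wrong key fails rather than returning a wrong plaintext. Note also that a token which decrypts whatever it is sent acts as a decryption oracle for that key, so the key must be reserved for this protocol; FIDO2-style designs avoid the issue by having the token sign the server's nonce instead of decrypting it.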
Time-synchronized one-time passwords change constantly at a set time interval, e.g. once per minute. To do this, some sort of synchronization must exist between the client's token and the authentication server. For disconnected tokens, this time synchronization is done before the token is distributed to the client. Other token types do the synchronization when the token is inserted into an input device. The main problem with time-synchronized tokens is that they can, over time, become unsynchronized as the token's clock drifts. However, some such systems, such as RSA's SecurID, allow the user to re-synchronize the server with the token, sometimes by entering several consecutive passcodes. Most such tokens also do not have replaceable batteries and only last up to 5 years before having to be replaced, so there is an additional cost.
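A time-synchronized verifier with drift handling and the two-consecutive-passcodes resynchronisation just mentioned, as an added example (not code from the article, from RSA or from any other vendor). It implements HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1 and six digits, which is what standardised OATH tokens use; the Verifier type, its one-step acceptance window, the stored clock offset and the Resync search range are this example's own design, not part of either RFC. The seed is the RFC 6238 test-vector key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// Step is the TOTP time step in seconds; Modulus is 10^6 for six-digit codes.
const (
	Step    = 30
	Modulus = 1000000
)

// HOTP implements RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter,
// dynamic truncation to 31 bits, then reduction to six decimal digits.
func HOTP(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%Modulus)
}

// TOTP implements RFC 6238: the counter is the number of 30-second steps since
// the Unix epoch, so token and server only have to agree on the time.
func TOTP(secret []byte, at time.Time) string {
	return HOTP(secret, uint64(at.Unix()/Step))
}

// Verifier is the server side for one token. Besides the shared secret it keeps
// the clock offset (in steps) learned at the last successful login, so a token
// whose clock gains or loses a few seconds a month keeps working, and the last
// accepted step, so that a code is never accepted twice.
type Verifier struct {
	secret   []byte
	offset   int64 // token's step minus the server's step
	window   int64 // steps either side of the expected step that are accepted
	lastStep int64
}

func NewVerifier(secret []byte, window int64) *Verifier {
	return &Verifier{secret: secret, window: window, lastStep: -1}
}

func (v *Verifier) matches(code string, step int64) bool {
	if step < 0 {
		return false
	}
	return hmac.Equal([]byte(HOTP(v.secret, uint64(step))), []byte(code))
}

// Check accepts the code if it belongs to a step within window of the expected
// step and later than the last accepted one. On success the offset is
// re-centred on the step that matched, which tracks slow drift automatically.
func (v *Verifier) Check(code string, now time.Time) bool {
	expected := now.Unix()/Step + v.offset
	for d := -v.window; d <= v.window; d++ {
		step := expected + d
		if step <= v.lastStep {
			continue
		}
		if v.matches(code, step) {
			v.lastStep = step
			v.offset += d
			return true
		}
	}
	return false
}

// Resync is the "enter two consecutive passcodes" procedure: the pair must match
// two adjacent steps somewhere inside a much wider search range. Requiring two
// codes makes an accidental match over the wide range very unlikely, and the
// second code tells the server where the token's clock is right now.
func (v *Verifier) Resync(first, second string, now time.Time, maxSteps int64) bool {
	base := now.Unix() / Step
	for d := -maxSteps; d <= maxSteps; d++ {
		if v.matches(first, base+d) && v.matches(second, base+d+1) {
			v.offset = d + 1
			v.lastStep = base + d + 1
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // the RFC 6238 test-vector seed
	fmt.Println("TOTP at t=59:", TOTP(secret, time.Unix(59, 0)))

	v := NewVerifier(secret, 1)
	now := time.Now()
	fast := now.Add(3 * Step * time.Second) // a token whose clock runs 90 s ahead
	fmt.Println("drifted code accepted:", v.Check(TOTP(secret, fast), now))
	ok := v.Resync(TOTP(secret, fast), TOTP(secret, fast.Add(Step*time.Second)), now, 100)
	fmt.Println("resynced:", ok, "learned offset (steps):", v.offset)
	later := now.Add(2 * Step * time.Second)
	fmt.Println("accepted after resync:", v.Check(TOTP(secret, later.Add(3*Step*time.Second)), later))
}
```

The acceptance window and the resync range are policy knobs: a wide everyday window makes the server tolerant of drift but gives an attacker more codes that are currently valid, which is why the wide search is reserved for the two-code procedure. Recording the last accepted step matters as much as the window, since otherwise a code that was phished or shoulder-surfed stays usable for the rest of its step.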
Another type of one-time password uses a mathematical algorithm, such as a hash chain, to generate a series of one-time passwords from a secret shared key. Each password is unique, and it cannot be derived from the previous ones: with a hash chain, computing the next password from those already seen would require inverting the hash function, so an adversary who has observed every previous password still cannot guess the next one. The open-source OATH algorithm is standardized; other algorithms are covered by US patents.
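A hash-chain one-time-password scheme of the kind just described (Lamport's construction, as used by S/KEY), as an added example that is not code from the article or from any product. The token hands out the chain backwards, h^(n-1)(seed), h^(n-2)(seed) and so on down to the seed, and the server stores only the last value it accepted, initially the chain's anchor h^n(seed). The ChainToken and ChainVerifier names, SHA-256 as the hash and the chain length are this example's own choices.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// H is one link of the chain.
func H(x []byte) []byte {
	sum := sha256.Sum256(x)
	return sum[:]
}

// Chain returns H applied n times to seed, i.e. h^n(seed).
func Chain(seed []byte, n int) []byte {
	x := append([]byte(nil), seed...)
	for i := 0; i < n; i++ {
		x = H(x)
	}
	return x
}

// ChainToken holds the seed and counts down. Its i-th password (i starting at
// 1) is h^(n-i)(seed): each one is the preimage of the one before it.
type ChainToken struct {
	seed []byte
	n    int
	used int
}

func NewChainToken(seed []byte, n int) *ChainToken {
	return &ChainToken{seed: seed, n: n}
}

// Next returns the next password, or false once the chain is exhausted.
func (t *ChainToken) Next() ([]byte, bool) {
	if t.used >= t.n {
		return nil, false
	}
	t.used++
	return Chain(t.seed, t.n-t.used), true
}

// ChainVerifier stores only the last accepted value, initially the anchor
// h^n(seed), and never the seed, so a server compromise yields nothing that
// lets an attacker log in.
type ChainVerifier struct {
	last      []byte
	remaining int
}

// Enroll computes the anchor from the seed once, at registration time.
func Enroll(seed []byte, n int) *ChainVerifier {
	return &ChainVerifier{last: Chain(seed, n), remaining: n}
}

// Verify accepts p only if H(p) equals the last accepted value, then moves the
// stored value one link down the chain. An eavesdropper who saw the previous
// password cannot produce this one without inverting H.
func (v *ChainVerifier) Verify(p []byte) bool {
	if v.remaining == 0 {
		return false
	}
	if subtle.ConstantTimeCompare(H(p), v.last) != 1 {
		return false
	}
	v.last = append([]byte(nil), p...)
	v.remaining--
	return true
}

func main() {
	seed := []byte("constructed example seed, not a real token secret")
	tok := NewChainToken(seed, 5)
	srv := Enroll(seed, 5)
	fmt.Println("server anchor:", hex.EncodeToString(srv.last)[:16], "...")
	for {
		p, ok := tok.Next()
		if !ok {
			break
		}
		fmt.Printf("password %s... accepted=%v replay=%v\n",
			hex.EncodeToString(p)[:16], srv.Verify(p), srv.Verify(p))
	}
}
```

The server never holds the seed, so compromising it does not let an attacker authenticate, and an eavesdropper who captures a password obtains only values that have already been spent. The scheme's practical limits are also visible: the chain is finite and must be re-enrolled when exhausted, and a strict verifier like this one rejects a password whose predecessor was never submitted; S/KEY-style servers tolerate skipped passwords by hashing the candidate more than once before comparing.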
Physical types

Tokens can contain chips with functions varying from very simple to very complex, including multiple authentication methods.

The simplest security tokens do not need any connection to a computer. The tokens have a physical display; the authenticating user simply enters the displayed number to log in. Other tokens connect to the computer using wireless techniques, such as Bluetooth. These tokens transfer a key sequence to the local client or to a nearby access point.

Alternatively, another form of token that has been widely available for many years is a mobile device which communicates using an out-of-band channel (like voice, SMS, or USSD).

Still other tokens plug into the computer and may require a PIN. Depending on the type of token, the computer's OS will then either read the key from the token and perform a cryptographic operation on it, or ask the token's firmware to perform this operation; only in the latter case does the key never leave the token.

A related application is the hardware dongle required by some computer programs to prove ownership of the software. The dongle is placed in an input device, and the software accesses that I/O device to authorize its own use.

Commercial solutions are provided by a variety of vendors, each with their own proprietary (and often patented) implementation of the security features they use. Token designs meeting certain security standards are certified in the United States as compliant with FIPS 140, a federal security standard. Tokens without any kind of certification are sometimes viewed as suspect, as they often do not meet accepted government or industry security standards, have not been put through rigorous testing, and likely cannot provide the same level of cryptographic security as token solutions whose designs have been independently audited by third-party agencies.

Disconnected tokens

[Figure: A disconnected token. The number must be copied into the PASSCODE field by hand.]

Disconnected tokens have neither a physical nor a logical connection to the client computer. They typically do not require a special input device, and instead use a built-in screen to display the generated authentication data, which the user enters manually via a keyboard or keypad. Disconnected tokens are the most common type of security token used (usually in combination with a password) in two-factor authentication for online identification.

Connected tokens

Connected tokens are tokens that must be physically connected to the computer with which the user is authenticating. Tokens in this category automatically transmit the authentication information to the client computer once a physical connection is made, eliminating the need for the user to enter the authentication information manually. However, in order to use a connected token, the appropriate input device must be installed. The most common types of physical tokens are smart cards and USB tokens (also called security keys), which require a smart card reader and a USB port respectively. Increasingly, FIDO2 tokens, supported by the open specification group FIDO Alliance, have become popular with consumers, with mainstream browser support beginning in 2015 and support from popular websites and social media sites.

Older PC card tokens are made to work primarily with laptops. Type II PC Cards are preferred as a token as they are half as thick as Type III.

The audio jack port is a relatively practical method to establish a connection between mobile devices, such as iPhone, iPad and Android, and other accessories. The most well known such device is called Square, a credit card reader for iOS and Android devices.

Some use a special purpose interface (e.g. the crypto ignition key deployed by the United States National Security Agency). Tokens can also be used as a photo ID card. Cell phones and PDAs can also serve as security tokens with proper programming.
Smart cards

Many connected tokens use smart card technology. Smart cards can be very cheap (around ten cents) and contain proven security mechanisms (as used by financial institutions, like cash cards). However, the computational performance of smart cards is often rather limited because of extreme low power consumption and ultra-thin form-factor requirements.

Smart-card-based USB tokens, which contain a smart card chip inside, provide the functionality of both USB tokens and smart cards. They enable a broad range of security solutions and provide the abilities and security of a traditional smart card without requiring a unique input device. From the computer operating system's point of view such a token is a USB-connected smart card reader with one non-removable smart card present.

Contactless tokens

Unlike connected tokens, contactless tokens form a logical connection to the client computer but do not require a physical connection. The absence of the need for physical contact makes them more convenient than both connected and disconnected tokens. As a result, contactless tokens are a popular choice for keyless entry systems and electronic payment solutions such as Mobil Speedpass, which uses RFID to transmit authentication information from a keychain token. However, various security concerns have been raised about RFID tokens after researchers at Johns Hopkins University and RSA Laboratories discovered that RFID tags could be easily cracked and cloned.

Another downside is that contactless tokens have relatively short battery lives, usually only 5–6 years, which is low compared to USB tokens, which may last more than 10 years. Some tokens, however, do allow the batteries to be changed, thus reducing costs.

Bluetooth tokens

Bluetooth Low Energy (BLE) gives wireless tokens a long battery life. Merely transmitting the Bluetooth device's own identity data (its address) is the weakest form of authentication support, since that data can be observed and imitated; a bidirectional connection that exchanges transaction data supports the most sophisticated authentication procedures. Automatic transmission power control can additionally be used to estimate radial distance; separately from the standardised Bluetooth power control algorithm, a token can calibrate the minimum transmission power it needs.

Bluetooth tokens are often combined with a USB token, thus working in both a connected and a disconnected state. Bluetooth authentication works when closer than 32 feet (9.8 meters). When the Bluetooth link is not properly operable, the token may be inserted into a USB input device to function. Another combination is with a smart card, to store larger amounts of identity data locally and to process information as well. Another is a contactless BLE token that combines secure storage and tokenized release of fingerprint credentials.

In the USB mode of operation, signing off requires handling the token while it is mechanically coupled to the USB plug. The advantage of the Bluetooth mode of operation is the option of combining sign-off with distance metrics, ending the session when the token moves out of range. Products following this "electronic leash" concept are in preparation.

NFC tokens

Near-field communication (NFC) tokens combined with a Bluetooth token may operate in several modes, thus working in both a connected and a disconnected state. NFC authentication works when closer than 1 foot (0.3 meters). The NFC link bridges the short distance to the reader, while the Bluetooth connection carries the data the token needs to complete authentication. When the Bluetooth link is not connected, the token can still present its locally stored authentication information to the NFC reader; only coarse positioning near the reader is required, rather than exact alignment with a connector.
Single sign-on software tokens

Some types of single sign-on (SSO) solutions, like enterprise single sign-on, use the token to store software that allows for seamless authentication and password filling. As the passwords are stored on the token, users need not remember their passwords and therefore can select more secure passwords, or have more secure passwords assigned. Usually tokens store a cryptographic hash of the password so that if the token is compromised, the password is still protected; note that this protection applies only to passwords the token merely verifies, since a token that fills a password into a login form must hold the password itself.

Programmable tokens

Programmable tokens are marketed as "drop-in" replacements for mobile applications such as Google Authenticator (miniOTP). They can be used as a mobile app replacement, as well as in parallel as a backup.

Vulnerabilities

Loss and theft

The simplest vulnerability with any password container is theft or loss of the device. The chances of this happening, or of it happening unnoticed, can be reduced with physical security measures such as locks, an electronic leash, or a body sensor and alarm. Stolen tokens can be made useless by using two-factor authentication: commonly, in order to authenticate, a personal identification number (PIN) must be entered together with the output of the token.

Attacking

Any system which allows users to authenticate via an untrusted network (such as the Internet) is vulnerable to man-in-the-middle attacks. In this type of attack, an attacker acts as the "go-between" of the user and the legitimate system, soliciting the token output from the legitimate user and then supplying it to the authentication system themselves. Since the token value is mathematically correct, the authentication succeeds and the fraudster is granted access. In 2006, Citibank was the victim of an attack when its hardware-token-equipped business users became the victims of a large Ukrainian-based man-in-the-middle phishing operation. Any one-time password that is not bound to the channel it is used on can be relayed this way; challenge–response schemes that bind the response to the origin the user's browser is actually talking to, as FIDO2 does, cannot.
Breach of codes

In 2012, the Prosecco research team at INRIA Paris-Rocquencourt developed an efficient method of extracting the secret key from several PKCS #11 cryptographic devices. These findings were documented in INRIA Technical Report RR-7944, ID hal-00691958, and published at CRYPTO 2012.

Digital signature

Trusted as a regular hand-written signature, the digital signature must be made with a private key known only to the person authorized to make the signature. Tokens that allow secure on-board generation and storage of private keys enable secure digital signatures, and can also be used for user authentication, as the private key also serves as proof of the user's identity.

For tokens to identify the user, all tokens must have some kind of number that is unique. Not all approaches fully qualify as digital signatures according to some national laws. Tokens with no on-board keyboard or other user interface cannot be used in some signing scenarios, such as confirming a bank transaction based on the bank account number that the funds are to be transferred to.

See also
Authentication
Authenticator
Hardware security module
Identity management
Initiative for Open Authentication
Mobile signature
Multi-factor authentication
Mutual authentication
One-time pad
Single sign-on
Software token
References
1. Schink, Marc; Wagner, Alexander; Unterstein, Florian; Heyszl, Johann (2021-07-09). "Security and Trust in Open Source Security Tokens": 176–201. doi:10.46586/tches.v2021.i3.176-201. ISSN 2569-2925. S2CID 235349083.
2. RD, Token2 (2019-01-07). "Time drift: a major downside of TOTP hardware tokens". Medium. Retrieved 2020-11-21.
3. "Time Drift in TOTP Hardware Tokens Explained and Solved - Protectimus Solutions". Protectimus. 2019-06-03. Retrieved 2020-11-21.
4. "2.3.3: Authentication Methods - Security Tokens". Engineering LibreTexts. 2021-01-15. Retrieved 2023-05-08.
5. National Institute of Standards and Technology (April 2019). Security requirements for cryptographic modules (PDF) (Report). Gaithersburg, MD: National Institute of Standards and Technology. doi:10.6028/nist.fips.140-3.
6. de Borde, Duncan (2007-06-28). "Two-factor authentication" (PDF). Siemens Insight Consulting. Archived from the original (PDF) on 2012-01-12. Retrieved 2009-01-14.
7. Specification for Integrated Circuit(s) Cards Interface Devices, usb.org. Archived 2005-12-29 at the Wayback Machine.
8. Biba, Erin (2005-02-14). "Does Your Car Key Pose a Security Risk?". PC World. Archived from the original on 2011-06-05. Retrieved 2009-01-14.
9. "Verfahren zum Steuern der Freigabe einer Einrichtung oder eines Dienstes, als Master ausgebildete Sendeempfangseinrichtung sowie System mit derartiger Einrichtung" [Method for controlling the release of a device or a service, transceiver device configured as master, and system with such a device]. dpma.de. Retrieved 16 April 2018.
10. "cgToken | certgate". www.certgate.com. Archived from the original on 2013-10-09.
11. "Biometric U2F OTP Token - HYPR". HYPR Corp. Retrieved 16 April 2018.
12. Programmable hardware tokens: Token2 miniOTP.
13. Leyden, John (2006-07-13). "Phishers rip into two-factor authentication". The Register. Retrieved 2018-09-25.
14. Krebs, Brian (July 10, 2006). "Citibank Phish Spoofs 2-Factor Authentication". The Washington Post. Archived from the original on July 3, 2011. Retrieved 2018-09-25.
15. Sengupta, Somini (2012-06-25). "Computer Scientists Break Security Token Key in Record Time". New York Times. Retrieved 2012-06-25.
16. Owano, Nancy (2012-06-27). "Team Prosecco dismantles security tokens". Phys.org. Retrieved 2014-03-29.
17. "Prosecco :: Publications". Retrieved 2014-03-29.
18. "Accepted Papers CRYPTO 2012". Retrieved 2014-03-29.

General references
US Personal Identity Verification (PIV)

External links
OATH Initiative for open authentication. Archived 2019-04-24 at the Wayback Machine.

Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.