Knowledge (XXG)

Software token

A software token (a.k.a. soft token) is a piece of a two-factor authentication security device that may be used to authorize the use of computer services. Software tokens are stored on a general-purpose electronic device such as a desktop computer, laptop, PDA, or mobile phone and can be duplicated. (Contrast hardware tokens, where the credentials are stored on a dedicated hardware device and therefore cannot be duplicated, absent physical invasion of the device.)

Because software tokens are something one does not physically possess, they are exposed to unique threats based on duplication of the underlying cryptographic material - for example, computer viruses and software attacks. Both hardware and software tokens are vulnerable to bot-based man-in-the-middle attacks, or to simple phishing attacks in which the one-time password provided by the token is solicited, and then supplied to the genuine website in a timely manner. Software tokens do have benefits: there is no physical token to carry, they do not contain batteries that will run out, and they are cheaper than hardware tokens.

Security architecture

There are two primary architectures for software tokens: shared secret and public-key cryptography.

For a shared secret, an administrator will typically generate a configuration file for each end-user. The file will contain a username, a personal identification number, and the secret. This configuration file is given to the user.

The shared secret architecture is potentially vulnerable in a number of areas. The configuration file can be compromised if it is stolen and the token is copied. With time-based software tokens, it is possible to borrow an individual's PDA or laptop, set the clock forward, and generate codes that will be valid in the future. Any software token that uses shared secrets and stores the PIN alongside the shared secret in a software client can be stolen and subjected to offline attacks. Shared secret tokens can be difficult to distribute, since each token is essentially a different piece of software. Each user must receive a copy of the secret, which can create time constraints.

Some newer software tokens rely on public-key cryptography, or asymmetric cryptography. This architecture eliminates some of the traditional weaknesses of software tokens, but does not affect their primary weakness (ability to duplicate). A PIN can be stored on a remote authentication server instead of with the token client, making a stolen software token no good unless the PIN is known as well. However, in the case of a virus infection, the cryptographic material can be duplicated and then the PIN can be captured (via keylogging or similar) the next time the user authenticates. If there are attempts made to guess the PIN, it can be detected and logged on the authentication server, which can disable the token. Using asymmetric cryptography also simplifies implementation, since the token client can generate its own key pair and exchange public keys with the server.
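The server-side PIN check with guess detection, logging and token disabling described above, as an added example that is not part of the original article. It assumes an RFC 6238 time-based code as the token value; `AuthServer`, `MAX_FAILURES` and the log labels are hypothetical names chosen for illustration.

```python
import hashlib, hmac, os, struct

STEP, DIGITS, MAX_FAILURES = 30, 6, 3   # assumed policy values

def totp(secret: bytes, now: float) -> str:
    """RFC 6238 code (HMAC-SHA1, 30 s step) for Unix time `now`."""
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class AuthServer:
    """Keeps the PIN on the server, so a copied token alone is not enough,
    and disables the token after MAX_FAILURES consecutive failures."""
    def __init__(self):
        self.tokens, self.log = {}, []

    def enroll(self, user: str, secret: bytes, pin: str) -> None:
        salt = os.urandom(16)
        self.tokens[user] = {"secret": secret, "salt": salt,
                             "pin": _pin_hash(pin, salt),
                             "failures": 0, "disabled": False}

    def verify(self, user: str, pin: str, code: str, now: float) -> str:
        t = self.tokens[user]
        if t["disabled"]:
            return "disabled"
        code_ok = hmac.compare_digest(code, totp(t["secret"], now))
        pin_ok = hmac.compare_digest(_pin_hash(pin, t["salt"]), t["pin"])
        if code_ok and pin_ok:
            t["failures"] = 0
            return "ok"
        # A valid code with a wrong PIN suggests a duplicated token.
        t["failures"] += 1
        self.log.append((now, user, "bad_pin" if code_ok else "bad_code"))
        if t["failures"] >= MAX_FAILURES:
            t["disabled"] = True
            self.log.append((now, user, "token_disabled"))
        return "denied"
```

Because the PIN is only checked online, guesses against a copied secret are counted by the server instead of being tested offline against a stolen configuration file.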

Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.