[Image: A GoldKey security token connected to a laptop]

A security token is a peripheral device used to gain access to an electronically restricted resource. The token is used in addition to, or in place of, a password. Examples of security tokens include wireless key cards used to open locked doors, a banking token used as a digital authenticator for signing in to online banking, or signing transactions such as wire transfers.

Security tokens can be used to store information such as passwords, cryptographic keys used to generate digital signatures, or biometric data (such as fingerprints). Some designs incorporate tamper resistant packaging, while others may include small keypads to allow entry of a PIN or a simple button to start a generation routine with some display capability to show a generated key number. Connected tokens utilize a variety of interfaces including USB, near-field communication (NFC), radio-frequency identification (RFID), or Bluetooth. Some tokens have audio capabilities designed for those who are vision-impaired.

Password types

All tokens contain some secret information used to prove identity. There are four different ways in which this information can be used:

[Image: Asynchronous password token for HSBC online banking.]

Static password token
The device contains a password that is physically hidden (not visible to the possessor), but is transmitted for each authentication. This type is vulnerable to replay attacks.

Synchronous dynamic password token
A timer is used to rotate through various combinations produced by a cryptographic algorithm. The token and the authentication server must have synchronized clocks.

Asynchronous password token
A one-time password is generated without the use of a clock, either from a one-time pad or a cryptographic algorithm.

Challenge–response token
Using public key cryptography, it is possible to prove possession of a private key without revealing that key. The authentication server encrypts a challenge (typically a random number, or at least data with some random parts) with a public key; the device proves it possesses a copy of the matching private key by providing the decrypted challenge.

Time-synchronized one-time passwords change constantly at a set time interval, e.g. once per minute. To do this, some sort of synchronization must exist between the client's token and the authentication server. For disconnected tokens, this time-synchronization is done before the token is distributed to the client. Other token types do the synchronization when the token is inserted into an input device. The main problem with time-synchronized tokens is that they can, over time, become unsynchronized. However, some such systems, such as RSA's SecurID, allow the user to re-synchronize the server with the token, sometimes by entering several consecutive passcodes. Most also do not have replaceable batteries and last only up to 5 years before having to be replaced, so there is an additional cost.

Another type of one-time password uses a complex mathematical algorithm, such as a hash chain, to generate a series of one-time passwords from a secret shared key. Each password is unique, even when previous passwords are known. The open-source OATH algorithm is standardized; other algorithms are covered by US patents. Each password is unpredictable and independent of previous ones, so an adversary cannot guess what the next password will be, even with knowledge of all previous passwords.

Physical types

Tokens can contain chips with functions varying from very simple to very complex, including multiple authentication methods.

The simplest security tokens do not need any connection to a computer. The tokens have a physical display; the authenticating user simply enters the displayed number to log in. Other tokens connect to the computer using wireless techniques, such as Bluetooth. These tokens transfer a key sequence to the local client or to a nearby access point.

Alternatively, another form of token that has been widely available for many years is a mobile device which communicates using an out-of-band channel (like voice, SMS, or USSD).

Still other tokens plug into the computer and may require a PIN. Depending on the type of the token, the computer OS will then either read the key from the token and perform a cryptographic operation on it, or ask the token's firmware to perform this operation.

A related application is the hardware dongle required by some computer programs to prove ownership of the software. The dongle is placed in an input device and the software accesses the I/O device in question to authorize the use of the software in question.

Commercial solutions are provided by a variety of vendors, each with their own proprietary (and often patented) implementation of variously used security features. Token designs meeting certain security standards are certified in the United States as compliant with FIPS 140, a federal security standard. Tokens without any kind of certification are sometimes viewed as suspect, as they often do not meet accepted government or industry security standards, have not been put through rigorous testing, and likely cannot provide the same level of cryptographic security as token solutions which have had their designs independently audited by third-party agencies.

Disconnected tokens

[Image: A disconnected token. The number must be copied into the PASSCODE field by hand.]

Disconnected tokens have neither a physical nor a logical connection to the client computer. They typically do not require a special input device, and instead use a built-in screen to display the generated authentication data, which the user enters manually via a keyboard or keypad. Disconnected tokens are the most common type of security token used (usually in combination with a password) in two-factor authentication for online identification.

Connected tokens

Connected tokens are tokens that must be physically connected to the computer with which the user is authenticating. Tokens in this category automatically transmit the authentication information to the client computer once a physical connection is made, eliminating the need for the user to manually enter the authentication information. However, in order to use a connected token, the appropriate input device must be installed. The most common types of physical tokens are smart cards and USB tokens (also called security keys), which require a smart card reader and a USB port respectively. Increasingly, FIDO2 tokens, supported by the open specification group FIDO Alliance, have become popular with consumers, with mainstream browser support beginning in 2015 and support from popular websites and social media sites.

Older PC card tokens are made to work primarily with laptops. Type II PC Cards are preferred as a token as they are half as thick as Type III.

The audio jack port is a relatively practical method to establish a connection between mobile devices, such as iPhone, iPad and Android, and other accessories. The most well known device is called Square, a credit card reader for iOS and Android devices.

Some use a special purpose interface (e.g. the crypto ignition key deployed by the United States National Security Agency). Tokens can also be used as a photo ID card. Cell phones and PDAs can also serve as security tokens with proper programming.

Smart cards

Many connected tokens use smart card technology. Smart cards can be very cheap (around ten cents) and contain proven security mechanisms (as used by financial institutions, like cash cards). However, the computational performance of smart cards is often rather limited because of extreme low power consumption and ultra-thin form-factor requirements.

Smart-card-based USB tokens, which contain a smart card chip inside, provide the functionality of both USB tokens and smart cards. They enable a broad range of security solutions and provide the abilities and security of a traditional smart card without requiring a unique input device. From the computer operating system's point of view such a token is a USB-connected smart card reader with one non-removable smart card present.

Contactless tokens

Unlike connected tokens, contactless tokens form a logical connection to the client computer but do not require a physical connection. Not needing physical contact makes them more convenient than both connected and disconnected tokens. As a result, contactless tokens are a popular choice for keyless entry systems and electronic payment solutions such as Mobil Speedpass, which uses RFID to transmit authentication info from a keychain token. However, various security concerns have been raised about RFID tokens after researchers at Johns Hopkins University and RSA Laboratories discovered that RFID tags could be easily cracked and cloned.

Another downside is that contactless tokens have relatively short battery lives; usually only 5–6 years, which is low compared to USB tokens, which may last more than 10 years. Some tokens however do allow the batteries to be changed, thus reducing costs.

Bluetooth tokens

The Bluetooth Low Energy protocols give wireless transmission a long battery life.

Transmitting a device's inherent Bluetooth identity data is the weakest form of support for authentication. A bidirectional connection carrying transactional data enables the most sophisticated authentication procedures.

Automatic transmission power control, however, attempts to estimate radial distance. A way around this, outside the standardised Bluetooth power control algorithm, is to calibrate the minimally required transmission power.

Bluetooth tokens are often combined with a USB token, thus working in both a connected and a disconnected state. Bluetooth authentication works when closer than 32 feet (9.8 meters). When the Bluetooth link is not properly operable, the token may be inserted into a USB input device to function.

Another combination is with a smart card, to store larger amounts of identity data locally and to process information as well. Another is a contactless BLE token that combines secure storage and tokenized release of fingerprint credentials.

In the USB mode of operation, sign-off requires attention to the token while it is mechanically coupled to the USB plug. The advantage of the Bluetooth mode of operation is the option of combining sign-off with distance metrics. Respective products are in preparation, following the concept of an electronic leash.

NFC tokens

Near-field communication (NFC) tokens combined with a Bluetooth token may operate in several modes, thus working in both a connected and a disconnected state. NFC authentication works when closer than 1 foot (0.3 meters). The NFC protocol bridges the short distance to the reader while the Bluetooth connection serves for data provision with the token to enable authentication. When the Bluetooth link is not connected, the token can still present its locally stored authentication information to the NFC reader with only coarse positioning, which relieves the user from exact positioning against a connector.

Single sign-on software tokens

Some types of single sign-on (SSO) solutions, like enterprise single sign-on, use the token to store software that allows for seamless authentication and password filling. As the passwords are stored on the token, users need not remember their passwords and therefore can select more secure passwords, or have more secure passwords assigned. Most tokens store a cryptographic hash of the password so that if the token is compromised, the password is still protected.

Programmable tokens

Programmable tokens are marketed as "drop-in" replacements for mobile applications such as Google Authenticator (miniOTP). They can be used as a mobile app replacement, as well as in parallel as a backup.

Vulnerabilities

Loss and theft

The simplest vulnerability with any password container is theft or loss of the device. The chances of this happening, or happening unnoticed, can be reduced with physical security measures such as locks, an electronic leash, or a body sensor and alarm. Stolen tokens can be made useless by using two factor authentication. Commonly, in order to authenticate, a personal identification number (PIN) must be entered together with the information provided by the token.

Attacking

Any system which allows users to authenticate via an untrusted network (such as the Internet) is vulnerable to man-in-the-middle attacks. In this type of attack, an attacker acts as the "go-between" of the user and the legitimate system, soliciting the token output from the legitimate user and then supplying it to the authentication system themselves. Since the token value is mathematically correct, the authentication succeeds and the fraudster is granted access. In 2006, Citibank was the victim of an attack when its hardware-token-equipped business users became the victims of a large Ukrainian-based man-in-the-middle phishing operation.

Breach of codes

In 2012, the Prosecco research team at INRIA Paris-Rocquencourt developed an efficient method of extracting the secret key from several PKCS #11 cryptographic devices. These findings were documented in INRIA Technical Report RR-7944, ID hal-00691958, and published at CRYPTO 2012.

Digital signature

Trusted as a regular hand-written signature, the digital signature must be made with a private key known only to the person authorized to make the signature. Tokens that allow secure on-board generation and storage of private keys enable secure digital signatures, and can also be used for user authentication, as the private key also serves as proof of the user's identity.

For tokens to identify the user, all tokens must have some kind of number that is unique. Not all approaches fully qualify as digital signatures according to some national laws. Tokens with no on-board keyboard or other user interface cannot be used in some signing scenarios, such as confirming a bank transaction based on the bank account number that the funds are to be transferred to.