Security Token - Token Types and Usage

Token Types and Usage

There are four types of tokens:

1. Static password.
2. Synchronous dynamic password
3. Asynchronous password
4. Challenge response

This article currently focuses on synchronous dynamic password tokens.

The simplest security tokens do not need any connection to a computer. The client enters the number to a local keyboard as displayed on the token (second security factor), usually along with a PIN (first security factor), when asked to do so. Being disconnected from the authenticating server, however, renders such tokens vulnerable to man-in-the-middle attacks.

Virtual Token MFA is a newer token concept introduced by the security company Sestus in 2005. Virtual token MFA is fundamentally different from "soft" tokens in that soft tokens require the deployment of software to end users, while virtual token MFA does not.

Other tokens connect to the computer using wireless techniques, such as Bluetooth. These tokens transfer a key sequence to the local client or to a nearby access point.

Alternatively, another form of token that has been widely available for many years is a mobile device which communicates using an out-of-band channel (like voice, SMS, USSD). Like physically disconnected tokens, out-of-band delivered tokens are also vulnerable to man-in-the-middle attacks.

Still other tokens plug into the computer. For these one must:

1. Connect the token to the computer using an appropriate input device.
2. Enter the PIN if necessary.

Depending on the type of the token, the computer OS will then either

• read the key from token and perform cryptographic operation on it or
• ask the token's firmware to perform this operation

A related application is the hardware dongle required by some computer programs to prove ownership of the software. The dongle is placed in an input device and the software accesses the I/O device in question to authorize the use of the software in question.