Security token
A security token is a
Security tokens can be used to store information such as
Password types
All tokens contain some secret information that is used to prove identity. There are four different ways in which this information can be used:
- Static password token
- The device contains a password which is physically hidden (not visible to the possessor), but which is transmitted for each authentication. This type is vulnerable to replay attacks.
- Synchronous dynamic password token
- A timer is used to rotate through various combinations produced by a cryptographic algorithm. The token and the authentication server must have synchronized clocks.
- Asynchronous password token
- A one-time password is generated without the use of a clock, either from a one-time pad or cryptographic algorithm.
- Challenge–responsetoken
- Using public key cryptography, it is possible to prove possession of a private key without revealing that key. The authentication server encrypts a challenge (typically a random number, or at least data with some random parts) with a public key; the device proves it possesses a copy of the matching private key by providing the decrypted challenge.
Time-synchronized, one-time passwords change constantly at a set time interval; e.g., once per minute. To do this, some sort of synchronization must exist between the
Physical types
This section needs additional citations for verification. (March 2023) |
Tokens can contain chips with functions varying from very simple to very complex, including multiple authentication methods.
The simplest security tokens do not need any connection to a computer. The tokens have a physical display; the authenticating user simply enters the displayed number to log in. Other tokens connect to the computer using wireless techniques, such as Bluetooth. These tokens transfer a key sequence to the local client or to a nearby access point.[4]
Alternatively, another form of token that has been widely available for many years is a mobile device which communicates using an out-of-band channel (like voice, SMS, or USSD).
Still other tokens plug into the computer and may require a PIN. Depending on the type of the token, the computer OS will then either read the key from the token and perform a cryptographic operation on it, or ask the token's firmware to perform this operation.[citation needed]
A related application is the hardware
in question.Commercial solutions are provided by a variety of vendors, each with their own proprietary (and often patented) implementation of variously used security features. Token designs meeting certain security standards are certified in the United States as compliant with FIPS 140, a federal security standard.[citation needed] Tokens without any kind of certification are sometimes viewed as suspect, as they often do not meet accepted government or industry security standards, have not been put through rigorous testing, and likely cannot provide the same level of cryptographic security as token solutions which have had their designs independently audited by third-party agencies.[citation needed]
Disconnected tokens
Disconnected tokens have neither a physical nor logical connection to the client computer. They typically do not require a special input device, and instead use a built-in screen to display the generated authentication data, which the user enters manually themselves via a keyboard or keypad. Disconnected tokens are the most common type of security token used (usually in combination with a password) in two-factor authentication for online identification.[5]
Connected tokens
Connected tokens are tokens that must be physically connected to the computer with which the user is authenticating. Tokens in this category automatically transmit the authentication information to the client computer once a physical connection is made, eliminating the need for the user to manually enter the authentication information. However, in order to use a connected token, the appropriate input device must be installed. The most common types of physical tokens are
Older
The audio jack port is a relatively practical method to establish connection between mobile devices, such as
Some use a special purpose interface (e.g. the
Smart cards
Many connected tokens use smart card technology. Smart cards can be very cheap (around ten cents)[citation needed] and contain proven security mechanisms (as used by financial institutions, like cash cards). However, computational performance of smart cards is often rather limited because of extreme low power consumption and ultra-thin form-factor requirements.
Smart-card-based USB tokens which contain a smart card chip inside provide the functionality of both USB tokens and smart cards. They enable a broad range of security solutions and provide the abilities and security of a traditional smart card without requiring a unique input device. From the computer operating system's point of view such a token is a USB-connected smart card reader with one non-removable smart card present.[6]
Contactless tokens
Unlike connected tokens, contactless tokens form a logical connection to the client computer but do not require a physical connection. The absence of the need for physical contact makes them more convenient than both connected and disconnected tokens. As a result, contactless tokens are a popular choice for
Another downside is that contactless tokens have relatively short battery lives; usually only 5–6 years, which is low compared to
Bluetooth tokens
This section's tone or style may not reflect the encyclopedic tone used on Wikipedia. (September 2016) |
The Bluetooth Low Energy protocols provide long lasting battery lifecycle of wireless transmission.
- The transmission of inherent Bluetooth identity data is the lowest quality for supporting authentication.
- A bidirectional connection for transactional data interchange serves for the most sophisticated authentication procedures.
Although, the automatic transmission power control attempts for radial distance estimates. The escape is available apart from the standardised Bluetooth power control algorithm to provide a calibration on minimally required transmission power.[8]
Bluetooth tokens are often combined with a USB token, thus working in both a connected and a disconnected state. Bluetooth authentication works when closer than 32 feet (9.8 meters). When the Bluetooth link is not properly operable, the token may be inserted into a
Another combination is with a smart card to store locally larger amounts of identity data and process information as well.[9] Another is a contactless BLE token that combines secure storage and tokenized release of fingerprint credentials.[10]
In the USB mode of operation sign-off requires care for the token while mechanically coupled to the USB plug. The advantage with the Bluetooth mode of operation is the option of combining sign-off with distance metrics. Respective products are in preparation, following the concepts of electronic leash.
NFC tokens
Near-field communication (NFC) tokens combined with a Bluetooth token may operate in several modes, thus working in both a connected and a disconnected state. NFC authentication works when closer than 1 foot (0.3 meters).[citation needed] The NFC protocol bridges short distances to the reader while the Bluetooth connection serves for data provision with the token to enable authentication. Also when the Bluetooth link is not connected, the token may serve the locally stored authentication information in coarse positioning to the NFC reader and relieves from exact positioning to a connector.[citation needed]
Single sign-on software tokens
Some types of
Programmable tokens
Programmable tokens are marketed as "drop-in" replacement of mobile applications such as Google Authenticator (miniOTP[11]). They can be used as mobile app replacement, as well as in parallel as a backup.
Vulnerabilities
Loss and theft
The simplest vulnerability with any password container is theft or loss of the device. The chances of this happening, or happening unaware, can be reduced with physical security measures such as locks, electronic leash, or body sensor and alarm. Stolen tokens can be made useless by using
Attacking
Any system which allows users to authenticate via an untrusted network (such as the Internet) is vulnerable to man-in-the-middle attacks. In this type of attack, an attacker acts as the "go-between" of the user and the legitimate system, soliciting the token output from the legitimate user and then supplying it to the authentication system themselves. Since the token value is mathematically correct, the authentication succeeds and the fraudster is granted access. In 2006, Citibank was the victim of an attack when its hardware-token-equipped business users became the victims of a large Ukrainian-based man-in-the-middle phishing operation.[12][13]
Breach of codes
In 2012, the Prosecco research team at INRIA Paris-Rocquencourt developed an efficient method of extracting the secret key from several PKCS #11 cryptographic devices.[14][15] These findings were documented in INRIA Technical Report RR-7944, ID hal-00691958,[16] and published at CRYPTO 2012.[17]
Digital signature
Trusted as a regular hand-written signature, the digital signature must be made with a private key known only to the person authorized to make the signature. Tokens that allow secure on-board generation and storage of private keys enable secure digital signatures, and can also be used for user authentication, as the private key also serves as a proof of the user's identity.
For tokens to identify the user, all tokens must have some kind of number that is unique. Not all approaches fully qualify as digital signatures according to some national laws.[citation needed] Tokens with no on-board keyboard or another user interface cannot be used in some signing scenarios, such as confirming a bank transaction based on the bank account number that the funds are to be transferred to.
See also
- Authentication
- Authenticator
- Hardware security module
- Identity management
- Initiative for Open Authentication
- Mobile signature
- Multi-factor authentication
- Mutual authentication
- One-time pad
- Single sign-on
- Software token
References
- S2CID 235349083.
- ^ RD, Token2 (2019-01-07). "Time drift: a major downside of TOTP hardware tokens". Medium. Retrieved 2020-11-21.
{{cite web}}
: CS1 maint: numeric names: authors list (link) - ^ "Time Drift in TOTP Hardware Tokens Explained and Solved - Protectimus Solutions". Protectimus. 2019-06-03. Retrieved 2020-11-21.
- ^ "2.3.3: Authentication Methods - Security Tokens". Engineering LibreTexts. 2021-01-15. Retrieved 2023-05-08.
- ^ de Borde, Duncan (2007-06-28). "Two-factor authentication" (PDF). Siemens Insight Consulting. Archived from the original (PDF) on 2012-01-12. Retrieved 2009-01-14.
- ^ Specification for Integrated Circuit(s) Cards Interface Devices Archived 2005-12-29 at the Wayback Machine, usb.org
- ^ Biba, Erin (2005-02-14). "Does Your Car Key Pose a Security Risk?". PC World. Retrieved 2009-01-14.
- ^ "Verfahren zum Steuern der Freigabe einer Einrichtung oder eines Dienstes, als Master ausgebildete Sendeempfangseinrichtung sowie System mit derartiger Einrichtung". dpma.de. Retrieved 16 April 2018.
- ^ "cgToken | certgate". www.certgate.com. Archived from the original on 2013-10-09.
- ^ "Biometric U2F OTP Token - HYPR". HYPR Corp. Retrieved 16 April 2018.
- ^ Programmable hardware tokens Token2 miniOTP
- ^ Leyden, John (2006-07-13). "Phishers rip into two-factor authentication". The Register. Retrieved 2018-09-25.
- ^ Krebs, Brian (July 10, 2006). "Citibank Phish Spoofs 2-Factor Authentication". The Washington Post. Retrieved 2018-09-25.
- ^
Sengupta, Somini (2012-06-25). "Computer Scientists Break Security Token Key in Record Time". New York Times. Retrieved 2012-06-25.
- ^ Owano, Nancy (2012-06-27). "Team Prosecco dismantles security tokens". Phys.org. Retrieved 2014-03-29.
- ^ "Prosecco :: Publications". Retrieved 2014-03-29.
- ^ "Accepted Papers CRYPTO 2012". Retrieved 2014-03-29.
- General references
External links
- Media related to OTP tokens at Wikimedia Commons
- OATH Initiative for open authentication