Security Tokens

What Are They?

A security token (sometimes called a hardware token, authentication token or cryptographic token) may be a physical device that an authorized user of computer services is given to aid in authentication. The term may also refer to software tokens. Hardware tokens are typically small enough to be carried in a pocket or purse and are often designed to attach to the user's keychain. Some may store cryptographic keys, such as a digital signature, or biometric data, such as a fingerprint. Some designs feature tamper-resistant packaging; others may include small keypads to allow entry of a PIN.

To log onto the network, the security "card" or "token" may be read directly like a credit card, or it may display a changing number that is typed in as a password. The latter has also been implemented entirely in software. Tokens may also plug directly into the computer via a USB port.

How Do They Work?

Security tokens are a method of "two-factor" authentication, as opposed to standard "one-factor" password authentication. The two factors are:
  • Something you know
  • Something you have
"One-factor" authentication relies solely on "Something you know", which forces many users to create simple, easily guessed passwords.
The "something you have" in SecurID security token solutions is the number displayed on the screen, while the "something you know" is your login name and a PIN given to you to append to the SecurID number on screen.

(A standard SecurID Login page)

The code on the security token generally changes once every 30 to 60 seconds in time-based models. Other models require you to enter a PIN into the token for it to display the correct number.
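The time-based scheme described above, as an added example that is not from the original page: SecurID's own algorithm is proprietary, so this uses the open TOTP standard (RFC 6238) in its place and assumes the passcode is the PIN followed by a 6-digit code. The seed (the RFC 6238 test key), PIN and salt are constructed values, and the `Enrollment` class and its fields are hypothetical names.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code; the page cites 30 to 60 for time-based models
DIGITS = 6   # assumed length of the displayed number

def tokencode(seed: bytes, counter: int) -> str:
    """RFC 6238/4226: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class Enrollment:
    """Server-side record for one issued token (hypothetical; all values constructed)."""
    def __init__(self, seed: bytes, pin: str, salt: bytes = b"constructed-salt"):
        self.seed, self.salt = seed, salt      # seed: something you have
        self.pin_hash = _pin_hash(pin, salt)   # PIN: something you know, stored hashed
        self.last_counter = -1                 # highest time step already accepted
        self.active = True                     # cleared when the token is lost or the owner leaves

    def verify(self, passcode: str, now: int, drift: int = 1) -> bool:
        """Accept PIN + tokencode once, allowing +/- `drift` steps of clock skew."""
        if not self.active or len(passcode) <= DIGITS:
            return False
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        pin_ok = hmac.compare_digest(_pin_hash(pin, self.salt), self.pin_hash)
        current = now // STEP
        matched = None
        for counter in range(current - drift, current + drift + 1):
            if counter > self.last_counter and hmac.compare_digest(
                    tokencode(self.seed, counter).encode(), code.encode()):
                matched = counter
        if pin_ok and matched is not None:
            self.last_counter = matched        # a displayed number is usable only once
            return True
        return False

if __name__ == "__main__":
    rec = Enrollment(b"12345678901234567890", "4321")
    print(rec.verify("4321287082", now=59))   # True: correct PIN and current code
    print(rec.verify("4321287082", now=59))   # False: same code replayed
```
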

What Are the Benefits?

  • Secure

Security tokens are used to provide additional security based on international cryptography standards. They are physical objects, unlike passwords. A fob key, for example, is easy to protect because it's practical and easy to carry. Even if you were to lose your fob key, your information is still safe: the PIN, which only the user knows, would also be needed to gain access to the network. In today's world, user names and passwords are no longer safe due to thieves and hackers. But now, with security tokens, we will be able to keep our security on us, and it is impossible for it to ever be encrypted. Unlike passwords, security tokens cannot be guessed, and owners know if their security token is stolen.

  • Cost Effective

Security tokens can be relatively inexpensive: a low-end model with only 1 key costs only about 20 dollars. There are also packages that large companies buy, containing thousands of keys for their employees, which can cost around $80,000. Having tokens in a business can be an important security feature, because spending a couple thousand can save a company millions in losses due to hackers.

  • Easy to Use

Most security tokens come in USB form and are hot-plug enabled, so when you take one out of the box you just hook it to the port and it will integrate itself. They work with any operating system and integrate easily with many software products that allow tokens. Security tokens are easy to use whether you're technology literate or not.

  • Portable

Security tokens are about the size of a key chain, which makes it possible to have all your personal information, like PIN numbers, social security numbers, account information, passwords, and whatever else you want to keep safe, available on you at all times so no one can gain access without you knowing.

  • Reliable

Most security tokens can safely store your valuable information for more than 10 years!

They Work with Applications Like:

  • Workstation security through Windows 2000 smart card logon
  • Standard e-mail signing and encryption with Microsoft Outlook/Outlook Express, Internet Explorer and Netscape Messenger
  • SSL Secure Web access
  • PKI compatibility with Win98SE and above, Microsoft Internet Explorer and Netscape Navigator
  • Secure Network (extranets & intranets) logon
  • Secure VPN access
  • Secure File and Data Protection
  • Secure PC Protection
  • Secure Password Protection

In What Fields Are Tokens Being Used?

  • Health Care
  • Stock Brokerage
  • Online Subscriptions
  • Online Banking
  • Military and Government Applications

Risks and Weaknesses:

There are weaknesses with using only this ID and passnumber approach. For instance, if someone is able to steal or fraudulently obtain the key fob, and they also know the user's ID, then they will be able to successfully masquerade as that identity. Additionally, there are significant management costs with the key fobs or credit card size tokens. Recent announcements in February 2007 by Entrust of one-time password tokens selling at $5 mean that price points are now much lower and more affordable. Users need to be issued tokens physically, and the tokens need to be replaced when lost (which is common) and recovered or terminated when an identity leaves the enterprise. Poor de-provisioning processes may result in security holes being created by the identity still having access to the network using their SecurID token and ID.

What Can They Look Like?

These are the products offered by RSA Security:
(Image: rsa-tokens.jpg)

These are security tokens from ActivIdentity:
(Image: 180px-ActivIdentity-Tokens.jpg)

VeriSign, Inc. also provides two-factor authentication solutions:

Example of how to use a security token: