Security token: Difference between revisions

Diff between the revision of 22:13, 20 September 2012 (by 70.190.0.52, undoing revision 513781750) and the latest revision of 01:19, 8 December 2024 (by Anomie: "Un-copy-paste slightly customized {{Disputed}}"). 329 intermediate revisions by more than 100 users are not shown.
{{Short description|Device used to gain access to restricted resource}}
{{Disputed|date=November 2024|details=Review the definitions of "Security Token" and "Security Token Generator".}}
[Images, captions only partially recoverable: a waterproof token device; a token shown for scale; a USB token from Yubico]
A '''security token''' (sometimes called a ''hardware token'', ''authentication token'', ''USB token'' or ''cryptographic token''<ref name="PKCS">The RSA standards PKCS #11 and PKCS #15 define software interfaces for cryptographic tokens.</ref>) is a peripheral device used to gain access to an electronically restricted resource. The token is used in addition to, or in place of, a password.<ref>{{Cite journal |last1=Schink |first1=Marc |last2=Wagner |first2=Alexander |last3=Unterstein |first3=Florian |last4=Heyszl |first4=Johann |date=2021-07-09 |title=Security and Trust in Open Source Security Tokens |url=https://tches.iacr.org/index.php/TCHES/article/view/8972 |journal=IACR Transactions on Cryptographic Hardware and Embedded Systems |pages=176–201 |doi=10.46586/tches.v2021.i3.176-201 |s2cid=235349083 |issn=2569-2925|doi-access=free }}</ref> Examples of security tokens include wireless key cards used to open locked doors, and banking tokens used as digital authenticators for signing in to online banking or for signing transactions such as wire transfers. The term may also refer to software tokens.

Security tokens are used to prove one's identity electronically (as in the case of a customer trying to access their bank account). The token is used in addition to or in place of a password to prove that the customer is who they claim to be: it acts like an electronic key, supplying the "something you have" factor in two-factor and multi-factor authentication, and some tokens combine several factors (for example a PIN or a fingerprint checked on the token itself).


Security tokens can be used to store information such as passwords, cryptographic keys used to generate digital signatures, or biometric data (such as fingerprint minutiae). Some designs incorporate tamper-resistant packaging, while others include small keypads to allow entry of a PIN, or a single button that starts a generation routine, together with a display that shows the generated code. Connected tokens use a variety of interfaces, including USB, near-field communication (NFC), radio-frequency identification (RFID) and Bluetooth. Some tokens have audio output designed for users who are vision-impaired.


== Password types ==
All tokens contain some secret information used to prove identity. There are four different ways in which this information can be used:
; Static password token: The device contains a password that is physically hidden (not visible to the possessor) but is transmitted unchanged for each authentication. Because the same value is sent every time, anyone who captures it once can reuse it, so this type is vulnerable to replay attacks.


; Synchronous dynamic password token: A timer is used to rotate through values produced by a cryptographic algorithm, so the displayed code changes at a fixed interval. The token and the authentication server must have synchronized clocks, or the server must tolerate and track a small amount of drift.


; Asynchronous password token: A one-time password is generated without the use of a clock, either from a one-time pad or from a cryptographic algorithm driven by an event counter that advances each time a code is produced.


; Challenge–response token: Using public-key cryptography, it is possible to prove possession of a private key without revealing that key. The authentication server encrypts a challenge (typically a random number, or at least data with some random parts) with the token's public key; the device proves it possesses the matching private key by returning the decrypted challenge. Because the challenge is fresh each time and the response is useless without the key, a captured response cannot be replayed. The same idea, with the token signing the challenge instead of decrypting it, underlies the FIDO security keys described below.


Time-synchronized one-time passwords change constantly at a set time interval, e.g. once per minute. To do this, some sort of synchronization must exist between the user's token and the authentication server. For disconnected tokens, this time-synchronization is done before the token is distributed to the client. Other token types do the synchronization when the token is inserted into an input device. The main problem with time-synchronized tokens is that their clocks drift, so over time they become unsynchronized.<ref>{{Cite web|last=RD|first=Token2|date=2019-01-07|title=Time drift: a major downside of TOTP hardware tokens|url=https://token2.medium.com/time-drift-a-major-downside-of-totp-hardware-tokens-c164c2ec9252|access-date=2020-11-21|website=Medium|language=en}}</ref> Servers therefore usually accept codes from a small window of adjacent time steps and record the offset they observe; some systems, such as RSA's SecurID, also allow the user to re-synchronize the server with the token, typically by entering several consecutive passcodes. Most such tokens also cannot have their batteries replaced and last only up to 5 years before having to be replaced, so there is an additional cost.<ref>{{Cite web|date=2019-06-03|title=Time Drift in TOTP Hardware Tokens Explained and Solved - Protectimus Solutions|url=https://www.protectimus.com/blog/time-drift-in-totp-hardware-tokens/|access-date=2020-11-21|website=Protectimus|language=en-GB}}</ref>
A one-time password is a password that changes after each use, or after a set time interval. Another type of one-time password uses a cryptographic algorithm, such as a keyed hash function, to generate a series of one-time passwords from a secret shared key, driven by an event counter rather than a clock. The open-source OATH HOTP algorithm is standardized as RFC 4226; other algorithms are covered by US patents. Each password is computationally unpredictable from the previous ones: an adversary who has seen every earlier password still cannot derive the next one without the shared key. The passwords are not independent in the statistical sense, however, since all of them are deterministic functions of the key and the counter, which is why the shared key must stay secret on both the token and the server.
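The following is an added example for this article, not code from any token vendor or from the RFCs: it implements the event-based (HOTP, RFC 4226) and time-based (TOTP, RFC 6238) generators behind the synchronous and asynchronous token types above, checked against the published test vectors, and a server-side verifier that tolerates clock drift, learns a token's offset, refuses replayed codes, and re-synchronizes from two consecutive passcodes as described for SecurID-style tokens. The window sizes and the two-consecutive-codes rule are assumptions modelled on the text, not on a specific product.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with a drift window and resynchronisation.

Added example for the article; not code from any token vendor or from the RFCs.
Standard library only. The verifier policy (drift window, learned offset,
two consecutive codes to resync) is an assumption, not a specific product's.
"""
import hashlib
import hmac
import struct

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """Event-based code: HMAC over an 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """Time-based code: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits, algo)


class TotpVerifier:
    """Server-side check that tolerates clock drift, learns each token's offset
    and refuses a code that has already been accepted (replay)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1, resync_window: int = 20):
        self.secret, self.step, self.digits = secret, step, digits
        self.window = window                # steps of drift accepted on a normal login
        self.resync_window = resync_window  # steps searched during explicit resync
        self.offset = 0                     # learned drift of this token, in steps
        self.last_counter = -1              # highest step already used (replay guard)

    def _matches(self, code: str, counter: int) -> bool:
        return hmac.compare_digest(hotp(self.secret, counter, self.digits), code)

    def verify(self, code: str, now: int) -> bool:
        """Accept a code from +/- window steps around the drift-corrected clock."""
        base = now // self.step + self.offset
        for counter in range(base - self.window, base + self.window + 1):
            if counter > self.last_counter and self._matches(code, counter):
                self.last_counter = counter
                return True
        return False

    def resync(self, code1: str, code2: str, now: int) -> bool:
        """Re-learn the token's offset from two consecutive codes.

        A single 6-digit code over a 41-step window would give a guesser about
        41 chances per attempt; requiring two consecutive codes makes a lucky
        match roughly a million times less likely.
        """
        base = now // self.step
        for counter in range(base - self.resync_window, base + self.resync_window + 1):
            if (counter > self.last_counter
                    and self._matches(code1, counter)
                    and self._matches(code2, counter + 1)):
                self.offset = counter - base
                self.last_counter = counter + 1
                return True
        return False


if __name__ == "__main__":
    now = 1234567890                        # RFC 6238 test time; the token below is 10 steps slow
    server = TotpVerifier(TEST_SECRET)
    slow_token_time = now - 10 * 30
    print("normal login accepts drifted code:", server.verify(totp(TEST_SECRET, slow_token_time), now))
    ok = server.resync(totp(TEST_SECRET, slow_token_time), totp(TEST_SECRET, slow_token_time + 30), now)
    print("resync:", ok, "learned offset:", server.offset)
    print("next login with learned offset:", server.verify(totp(TEST_SECRET, slow_token_time + 60), now + 60))
```

The replay guard (`last_counter`) matters as much as the drift window: without it, a code phished within its 30-second validity can be submitted a second time by the attacker. Requiring two consecutive codes for resynchronization is what keeps the much wider resync window from becoming a guessing shortcut.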


== Physical types ==
{{More citations needed section|date=March 2023}}


Tokens can contain chips with functions varying from very simple to very complex, including multiple authentication methods.


The simplest security tokens do not need any connection to a computer. The token has a display; the user reads the number shown and types it into the login form, usually together with a PIN or password as the first factor. Because such a token never learns which server the code is being sent to, it cannot distinguish a phishing page from the real service, which is what makes disconnected tokens vulnerable to man-in-the-middle attacks. Other tokens connect to the computer using wireless techniques, such as Bluetooth. These tokens transfer a key sequence to the local client or to a nearby access point.<ref>{{Cite web |date=2021-01-15 |title=2.3.3: Authentication Methods - Security Tokens |url=https://eng.libretexts.org/Courses/Delta_College/Information_Security/02%3A_Authenticate_and_Identify/2.3%3A_Authentication_Methods_-_Password/2.3.3%3A_Authentication_Methods_-_Security_Tokens |access-date=2023-05-08 |website=Engineering LibreTexts |language=en}}</ref>


Alternatively, another form of token that has been widely available for many years is a mobile device which communicates using an out-of-band channel (such as voice, SMS, or USSD). Like physically disconnected tokens, codes delivered out of band are vulnerable to man-in-the-middle attacks, since the user can be tricked into typing them into the wrong site.
For a zero-installation or disconnected token, the minimum requirement is an inherent unique identity held in protected memory that cannot be tampered with and, preferably, is not openly accessible to applications other than those offered by the token vendor or other trusted organizations.


Still other tokens plug into the computer and may require a PIN. Depending on the type of the token, the computer's operating system will then either read the key from the token and perform a cryptographic operation on it, or ask the token's firmware to perform this operation.{{Citation needed |date=March 2023 |reason=This claim needs references to reliable sources.}} The second design is the stronger one: a key that never leaves the token cannot be copied by malware on the host, whereas a key that is read out is only as safe as the computer it is read into.
For an out-of-band token, the minimum requirement is connectivity over a second medium, such as a mobile network for USSD, SMS and voice; all that is needed is a registered telephone or mobile number.


A related application is the hardware dongle required by some computer programs to prove ownership of the software. The dongle is placed in an input device and the software accesses the I/O device in question to authorize the use of the software.


Commercial solutions are provided by a variety of vendors, each with their own proprietary (and often patented) implementation of variously used security features. Token designs meeting certain security standards are certified in the United States as compliant with FIPS 140, a federal security standard.<ref>{{Cite report |url=https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf |title=Security requirements for cryptographic modules |last=National Institute of Standards and Technology |date=April 2019 |publisher=National Institute of Standards and Technology |issue=NIST FIPS 140-3 |doi=10.6028/nist.fips.140-3 |location=Gaithersburg, MD}}</ref> Tokens without any certification are sometimes viewed as suspect, as they often do not meet accepted government or industry security standards, have not been put through rigorous testing, and likely cannot provide the same level of cryptographic security as token solutions whose designs have been independently audited by third-party agencies.{{citation needed|date=April 2013}}



== Digital signature ==

To be trusted like a regular hand-written signature, a digital signature must be made with a private key known only to the person authorized to sign. Tokens that allow secure on-board generation and storage of private keys, so that the key never leaves the device, enable secure digital signatures and can also be used for user authentication, as proof of possession of the private key also serves as proof of the user's identity.

For tokens to identify the user, every token must carry some kind of unique number. Not all approaches fully qualify as digital signatures according to some national laws.{{Citation needed|date=February 2007}} Tokens with no on-board keyboard or other user interface cannot be used in some signing scenarios, such as confirming a bank transaction based on the account number that the funds are to be transferred to, because the user has no trusted way of seeing what is actually being signed.

== Embodiments and vendors ==



=== Disconnected tokens ===
[Image: a disconnected token; the user copies the displayed code into the login field by hand.]
Disconnected tokens have neither a physical nor logical connection to the client computer. They typically do not require a special input device, and instead use a built-in screen to display the generated authentication data, which the user enters manually via a keyboard or keypad. Disconnected tokens are the most common type of security token used (usually in combination with a password) in two-factor authentication for online identification.<ref>{{cite web|url=http://www.insight.co.uk/files/whitepapers/Two-factor%20authentication%20(White%20paper).pdf|title=Two-factor authentication|last=de Borde|first=Duncan|publisher=Siemens Insight Consulting|access-date=2009-01-14|date=2007-06-28|url-status=dead|archive-url=https://web.archive.org/web/20120112172841/http://www.insight.co.uk/files/whitepapers/Two-factor%20authentication%20(White%20paper).pdf|archive-date=2012-01-12}}</ref>


=== Connected tokens ===
Connected tokens are tokens that must be physically connected to the computer with which the user is authenticating. Tokens in this category automatically transmit the authentication information to the client computer once a physical connection is made, eliminating the need for the user to manually enter the authentication information. However, in order to use a connected token, the appropriate input device must be installed. The most common types of physical tokens are smart cards and USB tokens (also called ''security keys''), which require a smart card reader and a USB port respectively. Increasingly, FIDO tokens, supported by the open specification group FIDO Alliance, have become popular with consumers, with mainstream browser support beginning in 2015 and support from popular websites and social media sites.{{Citation needed|date=March 2023|reason=This claim needs references to reliable sources.}}


Older PC Card tokens are made to work primarily with laptops. Type II PC Cards are preferred as a token as they are half as thick as Type III.


The audio jack port is a relatively practical way to connect mobile devices, such as the iPhone, iPad and Android devices, to accessories.{{Citation needed|date=March 2023|reason=This claim needs references to reliable sources.}} The best known such device is Square, a credit card reader for iPhone and Android devices.


Some use a special-purpose interface (e.g. the crypto ignition key deployed by the United States National Security Agency). Tokens can also be used as a photo ID card. Cell phones and PDAs can also serve as security tokens with proper programming.


==== Smart cards ====
{{Main article|Smart card}}
Many connected tokens use smart card technology. Smart cards can be very cheap (around ten cents){{citation needed|date=September 2013}} and contain proven security mechanisms (as used by financial institutions, like cash cards). However, the computational performance of smart cards is often rather limited because of extremely low power consumption and ultra-thin form-factor requirements.


Smart-card-based USB tokens, which contain a smart card chip inside, provide the functionality of both USB tokens and smart cards. They enable a broad range of security solutions and provide the abilities and security of a traditional smart card without requiring a separate reader. From the computer's point of view such a token is a USB-connected smart card reader (the USB CCID device class) with one non-removable smart card present.<ref name="noteusbSpec"> {{webarchive|url=https://web.archive.org/web/20051229033623/http://www.usb.org/developers/devclass_docs/DWG_Smart-Card_CCID_Rev110.pdf |date=2005-12-29 }}, usb.org</ref>
==== GSM cellular phones ====
A further category of two-factor authentication tools lets users use their mobile phone as a security token. A Java application installed on the phone performs the functions normally provided by a dedicated token. Other ways of using the phone include SMS messaging, initiating an interactive telephone call, or using standard Internet protocols such as WAP or HTTP.

Such a method can simplify deployment, reduce logistical costs and remove the need for separate token devices.<ref>http://www.fireid.com/products/overview.html</ref> In the case of SMS options there are trade-offs: users may incur fees for text messages or for WAP/HTTP services, and a code delivered by SMS is an out-of-band code like any other, so it can be phished and relayed in the same way as the output of a disconnected token.

=== Contactless tokens ===
Unlike connected tokens, contactless tokens form a logical connection to the client computer but do not require a physical connection. The absence of the need for physical contact makes them more convenient than both connected and disconnected tokens. As a result, contactless tokens are a popular choice for keyless entry systems and electronic payment solutions such as Mobil Speedpass, which uses RFID to transmit authentication information from a keychain token.{{Citation needed|date=March 2023|reason=This claim needs references to reliable sources.}} However, various security concerns have been raised about RFID tokens after researchers at Johns Hopkins University and RSA Laboratories discovered that RFID tags could be easily cracked and cloned.<ref>{{cite web|url=http://www.pcworld.com/article/119661/does_your_car_key_pose_a_security_risk.html|title=Does Your Car Key Pose a Security Risk?|first=Erin|last=Biba|date=2005-02-14|access-date=2009-01-14|publisher=PC World|archive-date=2011-06-05|archive-url=https://web.archive.org/web/20110605231530/http://www.pcworld.com/article/119661/does_your_car_key_pose_a_security_risk.html|url-status=dead}}</ref>


Another downside is that contactless tokens have relatively short battery lives, usually only 5–6 years, which is low compared to USB tokens, which may last more than 10 years.{{Citation needed|date=June 2008}} Some tokens, however, do allow the batteries to be changed, thus reducing costs.


=== Mobile device tokens ===
{{tone|section|date=September 2016}}
Mobile device tokens use a mobile device such as a smartphone or tablet computer as the authentication device. This provides two-factor authentication without requiring the user to carry an additional physical device. Some vendors offer a mobile device authentication solution that uses a cryptographic key for user authentication; they describe this as giving a high level of protection, including protection from a man-in-the-middle attack mounted through a rogue Wi-Fi access point.


==== Bluetooth tokens ====
The Bluetooth Low Energy (BLE) protocols give wireless tokens a long battery life. Two very different uses of the link exist:
* Transmitting the token's inherent Bluetooth identity data (its address) is the weakest form of authentication, since that data is sent in the clear and can be copied.
* A bidirectional connection for transactional data exchange supports the most sophisticated authentication procedures, such as challenge-response.
Automatic transmission power control gives only a rough estimate of radial distance; one patented approach calibrates the minimally required transmission power outside the standardised Bluetooth power-control algorithm in order to obtain a usable distance metric.<ref>{{cite web|url=http://depatisnet.dpma.de/DepatisNet/depatisnet?action=bibdat&docid=DE102009039879B9|title=Verfahren zum Steuern der Freigabe einer Einrichtung oder eines Dienstes, als Master ausgebildete Sendeempfangseinrichtung sowie System mit derartiger Einrichtung|website=dpma.de|access-date=16 April 2018}}</ref>


Bluetooth tokens are often combined with a USB token, thus working in both a connected and a disconnected state. Bluetooth authentication works when the token is closer than {{convert|32|ft|m|abbr=off|sp=us}}. When the Bluetooth link is not properly operable, the token may be inserted into a USB input device to function.


Another combination is with a ] to store locally larger amounts of identity data and process information as well.<ref>{{cite web |url=https://www.certgate.com/de/produkte/cgtoken |title=cgToken {{!}} certgate |website=www.certgate.com |url-status=dead |archive-url=https://web.archive.org/web/20131009094610/http://www.certgate.com/de/produkte/cgtoken/ |archive-date=2013-10-09}}</ref> Another is a contactless BLE token that combines secure storage and tokenized release of fingerprint credentials.<ref>{{cite web|url=https://www.hypr.com/biometric-token/|title=Biometric U2F OTP Token - HYPR|website=HYPR Corp|access-date=16 April 2018}}</ref>


In the USB mode of operation, sign-off requires attention to the token while it is mechanically coupled to the USB plug, since the host only learns that the user has left when the token is removed. The advantage of the Bluetooth mode of operation is the option of combining sign-off with a distance metric, so that the session is closed when the token moves out of range. Respective products are in preparation, following the concept of an electronic leash.


==== NFC tokens ====
Near-field communication (NFC) tokens combined with a Bluetooth token may operate in several modes, thus working in both a connected and a disconnected state. NFC authentication works when the token is closer than {{convert|1|ft|m|1|abbr=off|sp=us}}.{{Citation needed|date=March 2023|reason=This claim needs references to reliable sources.}} The NFC protocol bridges the short distance to the reader, while the Bluetooth connection serves for data provision with the token to enable authentication. When the Bluetooth link is not connected, the token may instead serve the locally stored authentication information to the NFC reader; only coarse positioning is needed, which relieves the user of exact positioning at a connector.{{citation needed|date=October 2016}}
=== Commercial examples ===
Products from the vendors below illustrate the variety of form factors and protocols in use:
;Aladdin Knowledge Systems' eToken NG-OTP: A hybrid USB and one-time password token. It combines the functionality of smart-card-based authentication tokens with one-time password user authentication technology in detached mode.
;ArrayShield's Array-Card: Available both as a hardware token and as a software token; the two look identical in structure but differ in functionality.<ref name="arrayshield">{{cite web|url=http://www.arrayshield.com |title= ArrayShield's Array-Card| publisher=ArrayShield |accessdate=2012-02-20 }}</ref>
;Deepnet Security: The Deepnet Unified Authentication Platform is a multi-factor authentication platform for provisioning, managing and verifying user and host authentication methods, form factors and credentials, including OTP tokens, PKI certificates, biometrics and device DNA.
;Duo Security: D-100 hardware tokens employ the OATH standard for OTP generation, in addition to mobile soft tokens, voice callback, SMS and Duo Push authentication methods.
;RCDevs OpenOTP: The OpenOTP authentication platform uses OATH tokens (time-based, event-based and challenge-response), YubiKey, mOTP soft tokens, SMS tokens and Google Authenticator (with QR-code token provisioning).
;Swekey: Manufactured by Musbe, Inc., a USB device that provides authentication for web sites using a one-time password algorithm; the device's presence and authentication can be controlled by web sites using JavaScript.
;VeriSign: VeriSign Identity Protection credentials employ the OATH standard. VeriSign's eToken hardware comes from Aladdin Knowledge Systems.
;Yubico YubiKey: A device that acts as a USB keyboard and provides authentication with a one-time password that is encrypted using AES with a 128-bit key. The YubiKey has four modes of operation: the standard Yubico 12-character ID plus 32-character OTP, OATH 6- or 8-digit OTP for use with third-party OATH servers, a static passcode of 1–64 characters for legacy login applications, and challenge-response functionality using client software.


=== Single sign-on software tokens ===
Some types of single sign-on (SSO) solutions use the token to store software that allows for seamless authentication and password filling. As the passwords are stored on the token, users need not remember their passwords and therefore can select more secure passwords, or have more secure passwords assigned. A token can only fill in a password that it actually holds, so such tokens must store the password itself, encrypted and released only after the user unlocks the token with a PIN. Storing only a cryptographic hash of a password, as some tokens do, protects the password if the token is compromised, but a hash can then only be used to verify the password, not to supply it.<ref>{{Cite web |date=2021-01-15 |title=2.3.3: Authentication Methods - Security Tokens |url=https://eng.libretexts.org/Courses/Delta_College/Information_Security/02:_Authenticate_and_Identify/2.3:_Authentication_Methods_-_Password/2.3.3:_Authentication_Methods_-_Security_Tokens |access-date=2024-11-21 |website=Engineering LibreTexts |language=en}}</ref>


=== Programmable tokens ===
Programmable tokens are marketed as "drop-in" replacements for authenticator mobile applications such as Google Authenticator (for example the miniOTP). The same TOTP seed that would be provisioned to the phone app is loaded into the token instead, so they can be used as a mobile app replacement, as well as in parallel as a backup.


== Vulnerabilities ==


=== Loss and theft ===


The simplest vulnerability with any password container is theft or loss of the device. The chances of this happening, or of it happening unnoticed, can be reduced with physical security measures such as locks, an electronic leash, or a body sensor and alarm. Stolen tokens can be made useless by two-factor authentication: commonly, in order to authenticate, a personal identification number (PIN) must be entered along with the information provided by the token, so the token alone is not enough. A lost token should nevertheless be disabled at the server as soon as the loss is reported, since a PIN only buys time.


=== Attacking ===


Any system which allows users to authenticate via an untrusted network (such as the Internet) is vulnerable to man-in-the-middle attacks. In this type of attack, an attacker acts as the "go-between" of the user and the legitimate system, soliciting the token output from the legitimate user and then supplying it to the authentication system themselves. Since the token value is mathematically correct, the authentication succeeds and the fraudster is granted access. Codes that depend only on the token's secret and a clock or counter offer no protection here, because the code is the same no matter who asks for it; a challenge-response token whose answer is bound to the site the browser is actually talking to does not have this weakness. In 2006, Citibank was the victim of such an attack when its hardware-token-equipped business users became the victims of a large Ukrainian-based man-in-the-middle phishing operation.<ref>{{Cite news|url=https://www.theregister.co.uk/2006/07/13/2-factor_phishing_attack/|title=Phishers rip into two-factor authentication |work=The Register |date=2006-07-13 |first=John |last=Leyden |access-date=2018-09-25|language=en}}</ref><ref>{{Cite news |url=http://voices.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html|archive-url=https://web.archive.org/web/20110703141728/http://voices.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html|url-status=dead|archive-date=July 3, 2011|title=Citibank Phish Spoofs 2-Factor Authentication|first=Brian |last=Krebs |author-link=Brian Krebs|date=July 10, 2006|newspaper=The Washington Post|access-date=2018-09-25}}</ref>
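The following is an added example for this article, not code from any product or standard, covering both the man-in-the-middle relay described here and the challenge-response token described under Password types. It models a phishing site that relays a victim's one-time code to the real service (the relay succeeds), and a challenge-response token whose answer is bound to the origin the client is actually connected to (the relay fails). The HMAC "signature" is a stand-in for the public-key signature a real challenge-response token or FIDO security key would produce; the keys, origins and message flow are constructed for illustration.

```python
"""Relayed one-time code versus origin-bound challenge-response.

Added example for the article, not code from any product or standard. The
symmetric HMAC stands in for the public-key signature a real token would make;
keys, origins and the message flow are constructed for illustration.
"""
import hashlib
import hmac
import secrets


# --- disconnected token: the code depends only on the shared secret and a counter ---

def otp_code(secret: bytes, counter: int) -> str:
    """Six-digit code from a shared secret (stand-in for a display token's output)."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 1_000_000).zfill(6)


def bank_checks_otp(secret: bytes, counter: int, code: str) -> bool:
    """The service only sees a code; it cannot tell who typed it or on which page."""
    return hmac.compare_digest(otp_code(secret, counter), code)


def phish_relay_otp(secret: bytes, counter: int) -> bool:
    """Attacker's page asks the victim for the current code, then submits it to the bank."""
    victim_code = otp_code(secret, counter)               # victim reads it off the token
    return bank_checks_otp(secret, counter, victim_code)  # accepted: the code is correct


# --- challenge-response token whose answer is bound to the origin that asked ---

class OriginBoundToken:
    """Answers a challenge with a MAC over (challenge, origin the client is connected to)."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes, origin: str) -> bytes:
        # The browser, not the remote page, supplies the origin; a phishing page
        # cannot make the client report the bank's origin instead of its own.
        return hmac.new(self._key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


class RelyingParty:
    """The legitimate service: issues fresh challenges and checks the bound response."""

    def __init__(self, origin: str, key: bytes):
        self.origin, self._key = origin, key
        self._pending = set()

    def challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self._pending.add(c)
        return c

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._pending:
            return False                  # unknown, forged or already-used challenge
        self._pending.discard(challenge)  # one use only, so a captured answer cannot be replayed
        expected = hmac.new(self._key, challenge + b"|" + self.origin.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def phish_relay_challenge(rp: RelyingParty, token: OriginBoundToken, phishing_origin: str) -> bool:
    """Attacker fetches a real challenge, forwards it to the victim and relays the answer."""
    c = rp.challenge()
    response = token.respond(c, phishing_origin)   # victim's browser is on the phishing site
    return rp.verify(c, response)                  # origin mismatch: rejected


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"
    KEY = b"constructed-token-key"
    print("relayed OTP accepted:", phish_relay_otp(SECRET, 42))
    rp = RelyingParty("https://bank.example", KEY)
    tok = OriginBoundToken(KEY)
    c = rp.challenge()
    print("genuine challenge-response accepted:", rp.verify(c, tok.respond(c, "https://bank.example")))
    print("relayed challenge-response accepted:", phish_relay_challenge(rp, tok, "https://bank-login.example"))
```

The binding to the origin is what a disconnected token can never provide: it has no channel through which to learn where its code is going. The one-use challenge set is the second half of the defence, so that a response captured in transit is worthless a moment later.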
;Yubico YubiKey: The YubiKey, manufactured by Yubico, is a device that acts as a USB ] and provides secure authentication by a ] that is encrypted using the AES encryption algorithm with a 128-bit key. The Yubikey has four modes of operation including Standard Yubico 12-character ID + 32 character OTP, OATH 6 or 8-digit OTP for use with third-party OATH servers, Static pass code including 1-64 character for legacy login applications, and challenge-response functionality using client software.


=== Breach of codes ===

In 2012, the Prosecco research team at INRIA Paris-Rocquencourt developed an efficient method of extracting the secret key from several PKCS #11 cryptographic devices.<ref>
{{cite news
| first = Somini
| last = Sengupta
| title = Computer Scientists Break Security Token Key in Record Time
| url = http://bits.blogs.nytimes.com/2012/06/25/computer-scientists-break-security-token-key-in-record-time/
| work = New York Times
| date = 2012-06-25
| access-date = 2012-06-25
}}</ref><ref>
{{cite news
| first = Nancy
| last = Owano
| title = Team Prosecco dismantles security tokens
| url = http://phys.org/news/2012-06-team-prosecco-dismantles-tokens.html
| work = Phys.org
| date = 2012-06-27
| access-date = 2014-03-29
}}</ref> These findings were documented in INRIA Technical Report RR-7944, ID hal-00691958,<ref>
{{cite web
| url = http://prosecco.gforge.inria.fr/publications.php
| title = Prosecco :: Publications
| access-date = 2014-03-29
}}</ref> and published at CRYPTO 2012.<ref>{{cite web
| title = Accepted Papers CRYPTO 2012
| url = https://www.iacr.org/conferences/crypto2012/acceptedpapers-2012.html
| access-date = 2014-03-29
}}</ref>

==== Time-synchronized one-time passwords ====

Time-synchronized one-time passwords change constantly at a set time interval, e.g. once per minute. To do this, some sort of synchronization must exist between the client's token and the authentication server. For disconnected tokens this time-synchronization is done before the token is distributed to the client. Other token types do the synchronization when the token is inserted into an input device. The main problem with time-synchronized tokens is that they can, over time, become unsynchronized.{{Citation needed|date=June 2008}} However, some such systems, such as RSA's SecurID, allow the user to resynchronize the server with the token, sometimes by entering several consecutive passcodes. Most also cannot have replaceable batteries and only last up to 5 years before having to be replaced, so there is an additional cost.


== Digital signature ==

Trusted as a regular hand-written signature, the digital signature must be made with a private key known only to the person authorized to make the signature. Tokens that allow secure on-board generation and storage of private keys enable secure digital signatures, and can also be used for user authentication, as the private key also serves as a proof of the user's identity.

For tokens to identify the user, all tokens must have some kind of number that is unique. Not all approaches fully qualify as digital signatures according to some national laws.{{Citation needed|date=February 2007}} Tokens with no on-board keyboard or another user interface cannot be used in some signing scenarios, such as confirming a bank transaction based on the bank account number that the funds are to be transferred to.

<!-- --------------- Please keep entries in alphabetical order. --------------- -->
;Aradiom SolidPass: SolidPass, developed by Aradiom, is a mobile Java phone-based security token that provides a time-based ] algorithm for secure authentication, and also offers challenge-response based signing, including transaction signing and an additional security question.

;BRToken SafeSIGNATURE: The SafeSIGNATURE token, developed by the Brazilian company BRToken, was one of the first to provide support for the TOTP algorithm, defined by OATH (Initiative for Open Authentication), an extension of the HOTP algorithm but time-based. It can also read transaction data from any type of screen or projection, display it on the token screen, and generate an OTP based on the public OCRA algorithm.
;CAT (Cellular Authentication Token): The CAT token, developed by the New Zealand company Mega AS Consulting Ltd, was the first to market a cellular ]-based soft token. The CAT uses an Initiative for Open Authentication (OATH) compliant time-based one-time password (TOTP) algorithm for strong authentication, and also offers encrypted messaging and an encrypted document delivery system. The CAT is a multi-token management system. Using a unique process, the CAT is secured on the cellular device (or PDA, BlackBerry, Windows OS).

;Entrust IdentityGuard Mini Token: ] offers two variants of their OTP token — Entrust IdentityGuard Mini Token OT and Mini Token AT. The Entrust IdentityGuard Mini Token OT provides time-based, one-time passwords using the standards-based TOTP algorithm, endorsed by the Initiative for Open Authentication (OATH), providing compatibility with third-party software. The Entrust IdentityGuard Mini Token AT offers time- and event-synchronous, one-time passwords based on the stronger DES/Triple DES algorithm.

;Event-based token: An event-based token, by its nature, has a longer life span.{{Citation needed|date=June 2008}} Such tokens work on the one-time password principle, so once a password is used, the next one is generated. Often the user has a button to press to receive the new code via either the token or an ] message. All CRYPTOCard's tokens are event-based rather than time-based.

;Identita Technologies Display OTP Card: Identita's LED or E Ink display OTP cards display a number which changes each time the button on the card is pressed. This one-time password, along with a PIN when authenticating, allows for successful identification of the end user. Since Identita's OTP display cards are almost always asleep except during activation, the engineering team at Identita designed an algorithm which allows accurate OTP generation without requiring the clock on the card and the clock on the authentication server to be matched. Identita's time-based OTP generation is patent pending.

;JF Secure Digital Display FLN Token: JF's token provides OATH one time passwords to mobile and secure desktop solutions. The FLN key fob uses a color EINK display which changes every 24 seconds.

;KerPass UST: KerPass provides time-synchronous OATH one-time passwords on mobile phones. A new password is generated every 30 seconds. KerPass uses an exclusive server-side password validation technology that makes it possible to use a KerPass password in the context of a zero-knowledge password proof algorithm like ] or ]. This combination renders password authentication insensitive to man-in-the-middle attacks.

;NagraID Security Touch Display Card: The NagraID Security 306 Series Touch Display Card is a 6-digit Powered Display Card credential providing strong security with integrated 12-button touch keypad packaged in a familiar and convenient Credit card form factor. The innovative touch keypad supports various onboard applications such as PIN activation, challenge response and access to critical applications. The 306 Series card can function as a One Time Password credential, physical access device, PKI or dotNET Chip card, contactless eWallet and/or payment device. The cards are available with ]'s ], OATH and customer specific algorithms (time-based or event-based).<ref name="NagraID Security">, nidsecurity.com</ref>

;RSA Security's SecurID: RSA Security's SecurID displays a number which changes at a set interval. The user enters the number along with a PIN when authenticating. US patented technology. In March 2011, hackers obtained the unique "seeds" used by the tokens, allowing them to access systems protected with SecurID without the tokens; this information was subsequently used in other attacks.{{Citation needed|date=July 2012}}

;Secure Computing's Safeword: Secure Computing's Safeword is a hardware device that displays a passcode when a button on the device is pressed. A barcode and serial number on the back of the device are used by administrators to synchronize the devices with the authentication system. The Safeword system can be event-based or time-based. Each press of the button displays a new passcode, and once a passcode is used for authentication, combined with the user's PIN, it and all the passcodes generated before it cannot be reused. Time-based tokens display a different passcode every 20 seconds or less, depending on the configuration.

;] UniOTP Tokens: The UniOTP, manufactured by ], is compliant with the OATH standard for OTP generation. The UniOTP series has three models, which support different one-time password generation mechanisms, including time-based, event-based and challenge/response-based, to provide two-factor authentication. The time-based OTP token has a real-time clock inside which is synchronized to the authentication server; the one-time password changes every 60 seconds. To authenticate successfully, users must provide the right password and the one-time password generated by the UniOTP device.

;Smart DisplayCard: The Smart DisplayCard by ActivIdentity is a combination security token and ]. A single button on the card displays a ] on a small ] when pressed. This device uses an OATH compliant event-based algorithm to generate OTPs. The embedded smart chip provides standard smart card ] capabilities; typically email encryption and ]. The display card portion of the product is produced by NagraID.

;VASCO's DIGIPASS: VASCO's DIGIPASS series have either a small numeric keypad where the user can enter a PIN or a single button, to generate a one-time password calculated from algorithms which are time- and/or event-based.

;Winfrasoft PINgrid: PINgrid is a grid/pattern multi-factor authentication solution which uses Matrix Pattern Authentication to add an extra layer of security for passcodes. A user's passcode is derived by overlaying their memorized pattern onto a grid of unique randomly generated numbers. PINgrid is available as 1.5 Factor Authentication and/or 2 Factor Authentication options depending on where the grid is displayed. 2FA requires the grid to be displayed on a separate device such as a smartphone, tablet or desktop whereas with 1.5FA the grid can be displayed on the same web page that is requesting the OTP.

=== PC cards ===

The PC card tokens are made to only work with laptops. Type II PC Cards are preferred as a token as they are half as thick as Type III.

;Mykotronx Corp.: Mykotronx Corp. (a division of SafeNet) makes the ] card token for laptops with a PC card.

=== Smart cards ===
Smart cards are relatively inexpensive compared to other tokens.{{Citation needed|date=February 2007}} There is also significant wear and tear on the smart cards themselves because of friction on the electronic contacts when the card is inserted. This has the potential to reduce the lifespan of a smart card token.

=== Virtual Tokens ===
Virtual token MFA is a relatively new concept in token authentication, first introduced in 2005 by the security company Sestus. Virtual token MFA is fundamentally different from "soft" tokens in that soft tokens require the deployment of software to end users, while virtual token MFA does not. Virtual token MFA uses the user's existing Internet device as the "something the user has" factor, reducing the costs normally associated with implementation and maintenance of traditional token solutions. Processing occurs server-side and facilitates the retrieval of a one-time-use digitally-signed key and other information from a connected device using Internet-standard HTTP/HTTPS delivery methods. The retrieved key is then authenticated against the connecting device's digital fingerprint, the user's account details, and other data. Since the authenticating server is communicating directly with the connected device, the method is not as prone to man-in-the-middle attacks as other methods. Sestus was granted a trademark for the phrase "Virtual Token®" in June 2012.

=== Universal Serial Bus (USB) ===

The USB interface has become standard on personal computers today; USB tokens are therefore often a cheaper alternative to other tokens needing a special input device.{{Citation needed|date=June 2008}}

The smart-card-based USB token is widely used: compared to a normal smart card, which needs a card reader and a driver installed on the computer, the smart-card-based USB token does not need any further configuration; it is a plug-and-play device. Typical tokens include Aladdin's eToken, SafeNet's iKey and SecuTech's UniToken.

===Audio Jack port (TRRS)===
]
The audio jack port is a relatively practical method to establish a connection between mobile devices, such as iPhone, iPad and Android, and other accessories. The most well known device is Square, a credit card reader for iPhone and Android. Tokens with an audio jack port can provide strong authentication for mobile devices.

The ] series has an audio jack port and focuses on strong authentication for mobile devices. The UniMate TRRS and USB dual-enabled token increases flexibility by enabling people to leverage the security benefits of two-factor authentication on either a computer or a smartphone.<ref name="SecuTech TRRS and USB dual enabled authentication tokens"> UniMate TRRS and USB dual enabled authentication devices</ref>

=== Smart-card-based USB tokens ===
Smart-card-based USB tokens which contain a smart card chip inside provide the functionality of both USB tokens and smart cards. They enable a broad range of security solutions and provide the abilities and security of a traditional smart card without requiring a unique input device. From the computer operating system's point of view such a token is a USB-connected smart card reader with one non-removable smart card present.<ref name="noteusbSpec">, usb.org</ref> Some of these tokens are also made to support the FIPS 201 standard for Personal Identity Verification (PIV).<ref name="PIV_Token">, GoldKey</ref>

====Kobil mIDentity====
Kobil is a German firm building USB smart card readers using a removable SIM (SECCOS / EMV-CAP). The SIMs are programmed either to deliver OTPs (a Kobil OTP server is needed) or to authenticate through PKCS cryptography functions (a PKI is needed) using up to ten X.509 certificates. Certificates are stored in the SIM memory. mIDentity can also carry classic flash memory to transport portable applications everywhere.

=== Other token types ===

Some use a special purpose interface (e.g. the crypto ignition key deployed by the United States National Security Agency). Tokens can also be used as a photo ID card. Cell phones and PDAs can also serve as security tokens with proper programming.


== See also ==
<!---♦♦♦ Please keep the list in alphabetical order ♦♦♦--->
{{Commons category|OTP tokens}}


== References ==
{{reflist|30em}}
;General references
{{refbegin}}


== External links ==
* {{Commons category-inline}}
* {{Webarchive|url=https://web.archive.org/web/20190424203824/http://www.openauthentication.org/ |date=2019-04-24 }}


{{DEFAULTSORT:Security Token}}

Latest revision as of 01:19, 8 December 2024

Device used to gain access to restricted resource
A GoldKey security token connected to a laptop

A security token is a peripheral device used to gain access to an electronically restricted resource. The token is used in addition to, or in place of, a password. Examples of security tokens include wireless key cards used to open locked doors, a banking token used as a digital authenticator for signing in to online banking, or signing transactions such as wire transfers.

Security tokens can be used to store information such as passwords, cryptographic keys used to generate digital signatures, or biometric data (such as fingerprints). Some designs incorporate tamper resistant packaging, while others may include small keypads to allow entry of a PIN or a simple button to start a generation routine with some display capability to show a generated key number. Connected tokens utilize a variety of interfaces including USB, near-field communication (NFC), radio-frequency identification (RFID), or Bluetooth. Some tokens have audio capabilities designed for those who are vision-impaired.

Password types

All tokens contain some secret information used to prove identity. There are four different ways in which this information can be used:

Asynchronous password token for HSBC online banking.
Static password token
The device contains a password that is physically hidden (not visible to the possessor), but is transmitted for each authentication. This type is vulnerable to replay attacks.
Synchronous dynamic password token
A timer is used to rotate through various combinations produced by a cryptographic algorithm. The token and the authentication server must have synchronized clocks.
Asynchronous password token
A one-time password is generated without the use of a clock, either from a one-time pad or cryptographic algorithm.
Challenge–response token
Using public key cryptography, it is possible to prove possession of a private key without revealing that key. The authentication server encrypts a challenge (typically a random number, or at least data with some random parts) with a public key; the device proves it possesses a copy of the matching private key by providing the decrypted challenge.

Time-synchronized, one-time passwords change constantly at a set time interval; e.g., once per minute. To do this, some sort of synchronization must exist between the client's token and the authentication server. For disconnected tokens, this time-synchronization is done before the token is distributed to the client. Other token types do the synchronization when the token is inserted into an input device. The main problem with time-synchronized tokens is that they can, over time, become unsynchronized. However, some such systems, such as RSA's SecurID, allow the user to re-synchronize the server with the token, sometimes by entering several consecutive passcodes. Most also cannot have replaceable batteries and only last up to 5 years before having to be replaced – so there is an additional cost. Another type of one-time password uses a complex mathematical algorithm, such as a hash chain, to generate a series of one-time passwords from a secret shared key. Each password is unique, even when previous passwords are known. The open-source OATH algorithm is standardized; other algorithms are covered by US patents. Each password is observably unpredictable and independent of previous ones, whereby an adversary would be unable to guess what the next password may be, even with knowledge of all previous passwords.
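The synchronous (clock-driven), asynchronous (counter-driven and hash-chain) password types listed above, together with the drift and resynchronisation problem this paragraph describes, as an added Python example. This is not code from the article or from any vendor named on this page; it follows RFC 4226 (HOTP) and RFC 6238 (TOTP), the key is the RFC 4226 test-vector key rather than a real token secret, and the verifier's window, search range and resync procedure are assumptions for the demo.

```python
"""HOTP (RFC 4226), TOTP (RFC 6238) and an S/KEY-style hash chain, with a
verifier that tolerates clock drift and resynchronises a drifted token from
several consecutive passcodes.  Added example, not code from the article.
The key below is the RFC 4226 test-vector key, not a real token secret."""
import hashlib
import hmac
import struct

RFC_TEST_KEY = b"12345678901234567890"  # RFC 4226 Appendix D test key
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Event-based OTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """Time-synchronized OTP: HOTP with the counter taken from the clock."""
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Server side.  `window` steps of drift are accepted either side of the
    server clock, a counter is never accepted twice (replay protection), and
    `resync` re-learns the token's drift from consecutive passcodes."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.offset = 0         # learned drift of the token, in steps
        self.last_counter = -1  # highest counter already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        base = unix_time // self.step + self.offset
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue  # older than a code already used: reject replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False

    def resync(self, codes: list, unix_time: int, search: int = 500) -> bool:
        """Accept `codes` if they match consecutive counters within `search`
        steps of now, then remember the drift so `verify` works again."""
        if not codes:
            return False
        now = unix_time // self.step
        for start in range(max(0, now - search), now + search + 1):
            if all(hmac.compare_digest(hotp(self.secret, start + i), c)
                   for i, c in enumerate(codes)):
                self.offset = start - now
                self.last_counter = start + len(codes) - 1
                return True
        return False


def hash_chain_password(seed: bytes, index: int) -> bytes:
    """Client side of the hash chain: password number `index` is H^index(seed)."""
    value = seed
    for _ in range(index):
        value = hashlib.sha256(value).digest()
    return value


class HashChainVerifier:
    """Server stores H^n(seed) and accepts H^(n-1)(seed), then H^(n-2)(seed), ...
    A captured password cannot be turned into the next one without inverting
    the hash, which is the property the paragraph above describes."""

    def __init__(self, seed: bytes, length: int):
        self.current = hash_chain_password(seed, length)
        self.remaining = length

    def verify(self, candidate: bytes) -> bool:
        if self.remaining == 0:
            return False
        if hmac.compare_digest(hashlib.sha256(candidate).digest(), self.current):
            self.current = candidate
            self.remaining -= 1
            return True
        return False


if __name__ == "__main__":
    print(hotp(RFC_TEST_KEY, 0), totp(RFC_TEST_KEY, 59))  # 755224 287082
```

The `window` of one step either side is what makes a slightly drifted token still usable; a token that has drifted further fails `verify` but can be recovered through `resync`, after which the learned `offset` is applied to every later check. The `last_counter` bookkeeping is what stops a code observed on the wire from being replayed within the window.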

Physical types


Tokens can contain chips with functions varying from very simple to very complex, including multiple authentication methods.

The simplest security tokens do not need any connection to a computer. The tokens have a physical display; the authenticating user simply enters the displayed number to log in. Other tokens connect to the computer using wireless techniques, such as Bluetooth. These tokens transfer a key sequence to the local client or to a nearby access point.

Alternatively, another form of token that has been widely available for many years is a mobile device which communicates using an out-of-band channel (like voice, SMS, or USSD).

Still other tokens plug into the computer and may require a PIN. Depending on the type of the token, the computer OS will then either read the key from the token and perform a cryptographic operation on it, or ask the token's firmware to perform this operation.

A related application is the hardware dongle required by some computer programs to prove ownership of the software. The dongle is placed in an input device and the software accesses the I/O device in question to authorize the use of the software in question.

Commercial solutions are provided by a variety of vendors, each with their own proprietary (and often patented) implementation of variously used security features. Token designs meeting certain security standards are certified in the United States as compliant with FIPS 140, a federal security standard. Tokens without any kind of certification are sometimes viewed as suspect, as they often do not meet accepted government or industry security standards, have not been put through rigorous testing, and likely cannot provide the same level of cryptographic security as token solutions which have had their designs independently audited by third-party agencies.

Disconnected tokens

A disconnected token. The number must be copied into the PASSCODE field by hand.

Disconnected tokens have neither a physical nor logical connection to the client computer. They typically do not require a special input device, and instead use a built-in screen to display the generated authentication data, which the user enters manually themselves via a keyboard or keypad. Disconnected tokens are the most common type of security token used (usually in combination with a password) in two-factor authentication for online identification.

Connected tokens

Connected tokens are tokens that must be physically connected to the computer with which the user is authenticating. Tokens in this category automatically transmit the authentication information to the client computer once a physical connection is made, eliminating the need for the user to manually enter the authentication information. However, in order to use a connected token, the appropriate input device must be installed. The most common types of physical tokens are smart cards and USB tokens (also called security keys), which require a smart card reader and a USB port respectively. Increasingly, FIDO2 tokens, supported by the open specification group FIDO Alliance, have become popular for consumers, with mainstream browser support beginning in 2015 and support from popular websites and social media sites.

Older PC card tokens are made to work primarily with laptops. Type II PC Cards are preferred as a token as they are half as thick as Type III.

The audio jack port is a relatively practical method to establish connection between mobile devices, such as iPhone, iPad and Android, and other accessories. The most well known device is called Square, a credit card reader for iOS and Android devices.

Some use a special purpose interface (e.g. the crypto ignition key deployed by the United States National Security Agency). Tokens can also be used as a photo ID card. Cell phones and PDAs can also serve as security tokens with proper programming.

Smart cards

Main article: Smart card

Many connected tokens use smart card technology. Smart cards can be very cheap (around ten cents) and contain proven security mechanisms (as used by financial institutions, like cash cards). However, computational performance of smart cards is often rather limited because of extreme low power consumption and ultra-thin form-factor requirements.

Smart-card-based USB tokens which contain a smart card chip inside provide the functionality of both USB tokens and smart cards. They enable a broad range of security solutions and provide the abilities and security of a traditional smart card without requiring a unique input device. From the computer operating system's point of view such a token is a USB-connected smart card reader with one non-removable smart card present.

Contactless tokens

Unlike connected tokens, contactless tokens form a logical connection to the client computer but do not require a physical connection. The absence of the need for physical contact makes them more convenient than both connected and disconnected tokens. As a result, contactless tokens are a popular choice for keyless entry systems and electronic payment solutions such as Mobil Speedpass, which uses RFID to transmit authentication info from a keychain token. However, there have been various security concerns raised about RFID tokens after researchers at Johns Hopkins University and RSA Laboratories discovered that RFID tags could be easily cracked and cloned.

Another downside is that contactless tokens have relatively short battery lives; usually only 5–6 years, which is low compared to USB tokens which may last more than 10 years. Some tokens however do allow the batteries to be changed, thus reducing costs.

Bluetooth tokens


Bluetooth Low Energy protocols give wireless tokens a long battery life.

  • Transmitting the device's inherent Bluetooth identity data is the weakest form of authentication support.
  • A bidirectional connection for transactional data interchange supports the most sophisticated authentication procedures.

Automatic transmission power control can, however, be used to estimate radial distance. Independently of the standardised Bluetooth power control algorithm, the transmitter can be calibrated to the minimum transmission power required.

Bluetooth tokens are often combined with a USB token, thus working in both a connected and a disconnected state. Bluetooth authentication works when closer than 32 feet (9.8 meters). When the Bluetooth link is not properly operable, the token may be inserted into a USB input device to function.

Another combination is with a smart card to store locally larger amounts of identity data and process information as well. Another is a contactless BLE token that combines secure storage and tokenized release of fingerprint credentials.

In the USB mode of operation, the user must attend to the token for sign-off while it is mechanically coupled to the USB plug. The advantage of the Bluetooth mode of operation is the option of combining sign-off with distance metrics. Respective products are in preparation, following the concept of an electronic leash.

NFC tokens

Near-field communication (NFC) tokens combined with a Bluetooth token may operate in several modes, thus working in both a connected and a disconnected state. NFC authentication works when closer than 1 foot (0.3 meters). The NFC protocol bridges short distances to the reader while the Bluetooth connection serves for data provision with the token to enable authentication. Even when the Bluetooth link is not connected, the token can present its locally stored authentication information to the NFC reader with only coarse positioning, avoiding the exact alignment a physical connector requires.

Single sign-on software tokens

Some types of single sign-on (SSO) solutions, like enterprise single sign-on, use the token to store software that allows for seamless authentication and password filling. As the passwords are stored on the token, users need not remember their passwords and therefore can select more secure passwords, or have more secure passwords assigned. Usually most tokens store a cryptographic hash of the password so that if the token is compromised, the password is still protected.

Programmable tokens

Programmable tokens are marketed as "drop-in" replacements for mobile applications such as Google Authenticator (miniOTP). They can be used as a mobile app replacement, as well as in parallel as a backup.

Vulnerabilities

Loss and theft

The simplest vulnerability with any password container is theft or loss of the device. The chances of this happening, or happening unaware, can be reduced with physical security measures such as locks, electronic leash, or body sensor and alarm. Stolen tokens can be made useless by using two factor authentication. Commonly, in order to authenticate, a personal identification number (PIN) must be entered at the same time as the output of the token.

Attacking

Any system which allows users to authenticate via an untrusted network (such as the Internet) is vulnerable to man-in-the-middle attacks. In this type of attack, an attacker acts as the "go-between" of the user and the legitimate system, soliciting the token output from the legitimate user and then supplying it to the authentication system themselves. Since the token value is mathematically correct, the authentication succeeds and the fraudster is granted access. In 2006, Citibank was the victim of an attack when its hardware-token-equipped business users became the victims of a large Ukrainian-based man-in-the-middle phishing operation.
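Why the relay described above succeeds against a plain one-time code, and why an origin-bound challenge-response (the challenge-response token type from "Password types", as used by the FIDO2 tokens mentioned under "Connected tokens") rejects the same relay, as an added Python example. This is not code from the article or from any product named on the page: the origins and key are constructed, the OTP is a generic counter-based stand-in rather than a specific vendor algorithm, and an HMAC stands in for the public-key signature a real authenticator would produce.

```python
"""Why a relayed one-time code is accepted while a relayed origin-bound
challenge-response is rejected.  Added example, not code from the article;
origins, keys and the HMAC stand-in for a signature are all constructed."""
import hashlib
import hmac
import os

GENUINE_ORIGIN = "https://bank.example"        # constructed genuine site
LOOKALIKE_ORIGIN = "https://bank-example.net"  # constructed lookalike site
TOKEN_KEY = b"constructed-demo-key-not-a-real-secret"


def otp_code(key: bytes, counter: int) -> str:
    """Stand-in for a token's OTP: it depends only on the shared key and the
    counter, never on which site the user types it into."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()
    return mac[:6]


def relayed_otp_accepted(counter: int = 7) -> bool:
    """The user types the code on the lookalike site; it is forwarded
    unchanged, and the genuine server has no way to tell the difference."""
    typed_on_lookalike = otp_code(TOKEN_KEY, counter)
    forwarded_to_bank = typed_on_lookalike  # relayed byte for byte
    return hmac.compare_digest(otp_code(TOKEN_KEY, counter), forwarded_to_bank)


def token_respond(key: bytes, origin: str, challenge: bytes) -> bytes:
    """Token side of an origin-bound challenge-response.  The response covers
    the origin the client actually connected to; HMAC stands in for the
    public-key signature a FIDO2 authenticator would produce (assumption)."""
    return hmac.new(key, origin.encode() + b"\0" + challenge, hashlib.sha256).digest()


class OriginBoundVerifier:
    """Server side: issues fresh single-use challenges and only accepts a
    response computed over its own origin."""

    def __init__(self, key: bytes, origin: str):
        self.key, self.origin = key, origin
        self.outstanding = set()

    def new_challenge(self) -> bytes:
        challenge = os.urandom(16)
        self.outstanding.add(challenge)
        return challenge

    def check(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self.outstanding:
            return False  # unknown challenge, or already used (replay)
        self.outstanding.discard(challenge)
        expected = token_respond(self.key, self.origin, challenge)
        return hmac.compare_digest(expected, response)


def origin_bound_login(origin_seen_by_client: str) -> bool:
    """Full exchange.  A relay can forward the challenge and the response
    unchanged, but the token computed its response over the origin the
    browser saw, so a response made on the lookalike site fails at the bank."""
    bank = OriginBoundVerifier(TOKEN_KEY, GENUINE_ORIGIN)
    challenge = bank.new_challenge()
    response = token_respond(TOKEN_KEY, origin_seen_by_client, challenge)
    return bank.check(challenge, response)
```

The two functions differ only in what the token's answer is computed over: `otp_code` is a pure function of the secret and counter, so the server cannot distinguish a code typed on the genuine site from one typed elsewhere, while `token_respond` mixes in the origin, so the server's recomputation over `GENUINE_ORIGIN` matches only when the client really connected there.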

Breach of codes

In 2012, the Prosecco research team at INRIA Paris-Rocquencourt developed an efficient method of extracting the secret key from several PKCS #11 cryptographic devices. These findings were documented in INRIA Technical Report RR-7944, ID hal-00691958, and published at CRYPTO 2012.

Digital signature

Trusted as a regular hand-written signature, the digital signature must be made with a private key known only to the person authorized to make the signature. Tokens that allow secure on-board generation and storage of private keys enable secure digital signatures, and can also be used for user authentication, as the private key also serves as a proof of the user's identity.

For tokens to identify the user, all tokens must have some kind of number that is unique. Not all approaches fully qualify as digital signatures according to some national laws. Tokens with no on-board keyboard or another user interface cannot be used in some signing scenarios, such as confirming a bank transaction based on the bank account number that the funds are to be transferred to.

References

  1. Schink, Marc; Wagner, Alexander; Unterstein, Florian; Heyszl, Johann (2021-07-09). "Security and Trust in Open Source Security Tokens". IACR Transactions on Cryptographic Hardware and Embedded Systems: 176–201. doi:10.46586/tches.v2021.i3.176-201. ISSN 2569-2925. S2CID 235349083.
  2. RD, Token2 (2019-01-07). "Time drift: a major downside of TOTP hardware tokens". Medium. Retrieved 2020-11-21.
  3. "Time Drift in TOTP Hardware Tokens Explained and Solved - Protectimus Solutions". Protectimus. 2019-06-03. Retrieved 2020-11-21.
  4. "2.3.3: Authentication Methods - Security Tokens". Engineering LibreTexts. 2021-01-15. Retrieved 2023-05-08.
  5. National Institute of Standards and Technology (April 2019). Security requirements for cryptographic modules (PDF) (Report). Gaithersburg, MD: National Institute of Standards and Technology. doi:10.6028/nist.fips.140-3.
  6. de Borde, Duncan (2007-06-28). "Two-factor authentication" (PDF). Siemens Insight Consulting. Archived from the original (PDF) on 2012-01-12. Retrieved 2009-01-14.
  7. Specification for Integrated Circuit(s) Cards Interface Devices Archived 2005-12-29 at the Wayback Machine, usb.org
  8. Biba, Erin (2005-02-14). "Does Your Car Key Pose a Security Risk?". PC World. Archived from the original on 2011-06-05. Retrieved 2009-01-14.
  9. "Verfahren zum Steuern der Freigabe einer Einrichtung oder eines Dienstes, als Master ausgebildete Sendeempfangseinrichtung sowie System mit derartiger Einrichtung". dpma.de. Retrieved 16 April 2018.
  10. "cgToken | certgate". www.certgate.com. Archived from the original on 2013-10-09.
  11. "Biometric U2F OTP Token - HYPR". HYPR Corp. Retrieved 16 April 2018.
  12. "2.3.3: Authentication Methods - Security Tokens". Engineering LibreTexts. 2021-01-15. Retrieved 2024-11-21.
  13. Programmable hardware tokens Token2 miniOTP
  14. Leyden, John (2006-07-13). "Phishers rip into two-factor authentication". The Register. Retrieved 2018-09-25.
  15. Krebs, Brian (July 10, 2006). "Citibank Phish Spoofs 2-Factor Authentication". The Washington Post. Archived from the original on July 3, 2011. Retrieved 2018-09-25.
  16. Sengupta, Somini (2012-06-25). "Computer Scientists Break Security Token Key in Record Time". New York Times. Retrieved 2012-06-25.
  17. Owano, Nancy (2012-06-27). "Team Prosecco dismantles security tokens". Phys.org. Retrieved 2014-03-29.
  18. "Prosecco :: Publications". Retrieved 2014-03-29.
  19. "Accepted Papers CRYPTO 2012". Retrieved 2014-03-29.