Security tokens are devices or programs that let a user prove their identity electronically. They are usually used as an additional factor of authentication, typically alongside a password.
The tokens may be either physical devices or pure software applications running on computers or mobile devices. Depending on their implementation, security tokens may be referred to as authentication tokens, cryptographic tokens, hardware or software tokens, USB tokens, or key fobs.
Irrespective of the type, the core function of all security tokens is the same: every token provides some kind of authentication code that allows the user to access a particular service (for example, an online bank account).
Another typical application of tokens is the hardware dongle. Some applications require one to prove ownership of the software: during startup, the program queries the token connected to the USB port and checks the authentication code.
Usually a security token requires a password before it releases the internal authentication code. The password is typically a short PIN. Sometimes more sophisticated means of user verification are implemented, for example fingerprint readers.
The way the authentication code is delivered also varies between tokens. The simplest (and most popular) method is to show the code on the device's display so that the user can type it in when required. Other tokens transmit the code over NFC or Bluetooth, or require a wired connection, for example to the computer's USB port or a smart card reader.
Tokens may use different means for generating authentication codes.
Tokens with a static password are the simplest type of security token. The secret code is stored inside the token and released whenever the user asks for it.
Such tokens obviously provide little security: because the code never changes, anyone who observes it once can reuse it indefinitely.
Time-synchronized tokens generate a password based on the current time. They contain a clock that is kept in step with a clock on the authentication server. The passwords generated by time-synchronized tokens change at a fixed interval, for example every minute.
Over time the token's clock may drift and the token may become unsynchronized. In such a case the passwords it generates are rejected by the protected service until a resynchronization is performed.
The passwords generated by asynchronous (event-based) tokens change every time a new one is requested. The algorithms are typically based on hash functions that produce a series of one-time codes from a shared symmetric secret key.
Each new password must be unpredictable, even to someone who knows all the previously generated passwords. One of the popular algorithms used in asynchronous tokens is the OATH HOTP algorithm (RFC 4226).
If the token contains a private key, the server can use the corresponding public key to authenticate it, without the private key ever leaving the token.
Usually the server sends data encrypted with the public key; the token decrypts the message and sends the result back, allowing the server to confirm the token's identity. In this case a direct communication channel between the token and the server must be established.
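The exchange just described, as an added example written for this page rather than code from the article or from any real token: the server draws a fresh random nonce, encrypts it to the token's public key, and accepts the token only if what comes back equals the nonce. RSA-OAEP from Go's standard library stands in for whatever public-key scheme a given token uses; the key size and 32-byte nonce are assumptions. The private key exists only inside the `token` type, which models the device boundary.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// token models the device: the private key never leaves it, and the only
// operation it exposes is decrypting a challenge that was encrypted to its key.
type token struct {
	priv *rsa.PrivateKey
}

func newToken() (*token, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // assumed key size
	if err != nil {
		return nil, err
	}
	return &token{priv: priv}, nil
}

// publicKey is what the token exports to the server at enrolment time.
func (t *token) publicKey() *rsa.PublicKey { return &t.priv.PublicKey }

// respond decrypts the server's challenge (RSA-OAEP) and returns the plaintext.
func (t *token) respond(challenge []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, t.priv, challenge, nil)
}

// server holds the enrolled public key and remembers the nonce it last sent.
type server struct {
	pub   *rsa.PublicKey
	nonce []byte
}

// challenge draws a fresh random nonce, encrypts it for the token and returns
// the ciphertext to send over the channel.
func (s *server) challenge() ([]byte, error) {
	s.nonce = make([]byte, 32) // assumed nonce length
	if _, err := rand.Read(s.nonce); err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, s.pub, s.nonce, nil)
}

// check accepts the response only if it equals the nonce just sent, then clears
// the nonce so the same response is worthless for a second attempt.
func (s *server) check(response []byte) bool {
	if s.nonce == nil {
		return false
	}
	ok := subtle.ConstantTimeCompare(response, s.nonce) == 1
	s.nonce = nil
	return ok
}

// authenticate runs one complete exchange between a server and a token and
// reports whether the token proved possession of the enrolled private key.
func authenticate(s *server, t *token) (bool, error) {
	c, err := s.challenge()
	if err != nil {
		return false, err
	}
	resp, err := t.respond(c)
	if err != nil {
		// A token holding a different key cannot decrypt the challenge;
		// that is an authentication failure, not a program error.
		s.nonce = nil
		return false, nil
	}
	return s.check(resp), nil
}

func main() {
	tok, err := newToken()
	if err != nil {
		panic(err)
	}
	srv := &server{pub: tok.publicKey()} // enrolment: server learns the public key
	ok, err := authenticate(srv, tok)
	fmt.Println("token authenticated:", ok, "error:", err)
}
```

Two details carry the security of the exchange: the nonce is fresh for every challenge, so a captured response is useless afterwards, and the server compares in constant time and forgets the nonce as soon as it has been checked. Many real tokens return a signature over the challenge instead of the decrypted value; the shape of the protocol is the same.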