A security token is a piece of hardware used to identify and authenticate users. Occasionally, the term is also used to refer to software tokens. Tokens are usually part of an access control system with two-factor authentication.
The terms electronic key or chip key are also used to refer to a token. Where necessary, additional features must be used for authentication to guard against misuse, such as knowledge of a password or PIN, or biometric features of the user. Security tokens can be personalized, in which case they are uniquely assigned to a specific user.
Designs and Technologies of a Security Token
The technical umbrella term token covers all the technologies used, without distinction, and does not depend on a specific physical form of the hardware. This includes any item that can store and transmit information for the purpose of identification and authentication.
Passive media
---
Smart cards are also tokens. USB tokens, which are connected to a USB port, have the advantages of a smart card without the need for a card reader. Contactless tokens are also used (RFID). These so-called transponders can be integrated into key fobs, smart cards and any other product, as long as the product's properties do not interfere with their function. Thus, the respective product itself becomes a token. The reading station must be able to activate the token and also read it.
Common Uses:
- Vehicle and building keys
- Clothing, watches and jewellery
- Implants in animals (chipping)
Figure: RSA Security’s SecurID token generator keychain
There are also token generators that display a constantly changing, time-limited combination of digits as a security token, following the one-time password (OTP) procedure. The generator and server calculate this pseudo-random number at the same time. Thus, unambiguous authentication is possible. This number may also be generated using a smart card in a portable reader. As additional security features, a PIN and/or a request code often has to be entered into the device.

Trusted Platform Modules (TPM) are chips that store secret keys in a similar way to a smart card. In this case, however, the chip is permanently installed in a device, e.g. soldered onto a computer motherboard. The whole device becomes a token. It is now possible to assign a device that is uniquely identifiable via the TPM to a user. At the same time, the TPM offers the possibility of securing access to the device (pre-boot authentication). In this way, the user can be authenticated indirectly.
Active media
There are also commercially available devices that work as tokens and transmit an authentication factor. For this purpose, communication between the device and the verifying device or workstation must be possible. Furthermore, secure authentication requires, for example, that bidirectional transmission be possible.
Uses of a Security Token
Security tokens are usually used as (user) IDs to secure transactions:
- for logging on to workstations and (company or government) networks
- for the use of internet services, in particular for online banking
- as a key container for data and email encryption as well as digital signatures
- as access authorisation and ID (e.g. company ID card, e-passport, car keys)
- for personnel time recording
- as a SIM card in mobile phones
- as a means of payment and/or customer card at vending machines and customer terminals (e.g. telephone booth)
- as an access card to pay-TV offers
- as a bank card, usually in conjunction with the bank card, for the use of ATMs and payment terminals
- as a health insurance card; the (future) electronic health card will also be used as a token for access to a data network
- as tickets and entrance tickets
- as a security module for unambiguous identification, e.g. Trusted Platform Module
- for Digital Rights Management; in this case, the right to use data (software, music, e-books, …) may be tied to the hardware
In general, decentralized systems, in which data is stored on the token itself, are increasingly being replaced by networked systems in which the token only serves as an ID card.
The issuers of the tokens prefer to integrate several functions into a token in order to achieve “added value” through the use of the token and to create comprehensive usage and movement profiles.