What is a security token?
A security token is a physical or digital device used to verify a user's identity. Security tokens are an integral part of token-based authentication, a security protocol that uses encrypted tokens to authenticate users for network access. This method is used either to replace traditional verification methods or to sit on top of another verification method as an extra security layer.
How security tokens work
Security tokens typically operate in one of two ways. With a software-based token, the user is issued a unique digital code to submit as proof of identity, usually through an application or program installed on their device. With a hardware-based token, the user must insert it into the system's reader to validate their identity. Not all security tokens work this way, however, as several types follow more specific procedures.
Types of security tokens
Security tokens come in various forms, so organisations can choose the type that best fits their preferences and security requirements. Here are six different types of security tokens and how they work.
Connected tokens
A connected token is a common type of hardware token that must be physically connected to the system or network it authenticates to. An example of connected-token authentication is inserting a hardware security key into a device.
Disconnected tokens
A disconnected token is a type of hardware token that generates a code rather than being inserted into a device. This could be a one-time code or another credential requested as proof. For example, when a user logs in to an application, a code is sent to their phone; they must then provide that specific code to authenticate their identity.
Contactless tokens
A contactless token does not require the user to connect it to the system or to enter a code. Instead, it typically uses a wireless connection to grant the user access to the necessary network resources; for example, the device connects to the system wirelessly over Bluetooth or NFC.
Smart cards
A smart card is a common type of connected token used to verify a user. It is a physical card with an embedded computer chip that stores information about the user's digital identity and authentication credentials. To access a network, the user inserts the card into, or taps it on, a card reader, which verifies the user and establishes the connection.
One-Time Password (OTP)
One-time passwords are a common type of disconnected token: they work by generating a unique code that is valid for only one login session. When a user wants to access a resource, they request an OTP to be generated. It can be delivered as a text message, phone call or email, or through an authenticator app linked to the token. Once it is provided, the user has a limited time to log in with their credentials together with the unique OTP.
Single Sign-On (SSO)
Single sign-on uses a software token that lets users access multiple applications with a single set of login credentials, removing the need to remember several complex passwords and repeat the login process for each application. When a user logs in to the Identity Provider (IdP) with their username and password, the IdP generates an authentication token corresponding to the user's identity information. When the user then attempts to log in to an application, the service provider requests authentication from the IdP, which sends back a token confirming the user's authentication.
Advantages of using security tokens
Implementing security tokens as a form of authentication comes with the benefit of increased security and efficiency for your organisation.
Enhanced security
Compared with traditional authentication methods such as a username and password, security tokens offer more robust security because they have a shorter life span, which gives stronger protection against unauthorised access.
Increased efficiency and scalability
Security tokens can be applied simultaneously across multiple applications and networks. This is convenient for users and relieves the organisation of handling each user's login sessions separately.
Security token vulnerabilities
While security tokens add a layer of security over traditional authentication methods, they are not immune to vulnerabilities. Examples include loss, theft and compromise.
Physical tokens can be lost or stolen
Physical tokens are subject to loss or theft. For instance, an individual could misplace their smart card, and an unauthorised individual could take the card and gain access to sensitive data and information. A good practice is to deactivate and replace security tokens as soon as they are misplaced.
Compromised security key
Security tokens risk being compromised by cybercriminals if organisations do not revoke and renew them regularly. Tokens can be compromised through brute force, phishing and man-in-the-middle (MITM) attacks. Rotating security tokens on a regular cycle mitigates this risk because it shrinks the window of opportunity for an attack: even if a token is stolen, it is useful only for a limited time.
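To tie the single sign-on section to the point above about revoking and renewing tokens, here is an added example (not the glossary's own code) of an IdP issuing a short-lived HMAC-signed software token and a service provider rejecting it once it is expired, revoked or tampered with. The token layout, the claim names (`jti`, `sub`, `exp`) and the shared signing key are assumptions of this example; real deployments normally use asymmetric signatures and an introspection endpoint rather than a shared set.

```python
import base64
import hashlib
import hmac
import json

# Constructed example of the software-token life cycle: an IdP issues an
# HMAC-signed token with a short lifetime and can revoke it early; a service
# provider checks signature, expiry and revocation before trusting it.
TOKEN_TTL = 300   # seconds a token stays valid after issue

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class IdentityProvider:
    def __init__(self, signing_key: bytes, ttl: int = TOKEN_TTL):
        self.key, self.ttl = signing_key, ttl
        self.revoked = set()   # ids of tokens withdrawn before they expire
        self._seq = 0

    def issue(self, subject: str, now: int) -> str:
        """Return '<payload>.<mac>'; the payload carries token id, subject and expiry."""
        self._seq += 1
        claims = {"jti": f"t{self._seq}", "sub": subject, "exp": now + self.ttl}
        payload = json.dumps(claims, sort_keys=True).encode()
        mac = hmac.new(self.key, payload, hashlib.sha256).digest()
        return f"{_b64(payload)}.{_b64(mac)}"

    def revoke(self, token: str) -> None:
        payload_b64 = token.split(".", 1)[0]
        self.revoked.add(json.loads(_unb64(payload_b64))["jti"])

def validate(token: str, key: bytes, revoked: set, now: int):
    """Service-provider side: return (subject, 'ok') or (None, reason)."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except ValueError:                      # binascii.Error is a ValueError
        return None, "malformed"
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):   # verify before parsing claims
        return None, "bad signature"
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None, "expired"
    if claims["jti"] in revoked:
        return None, "revoked"
    return claims["sub"], "ok"
```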