What Is a Security Token?

A security token is a physical device that users must possess to access a system. Authentication data must flow between both the user and the system to validate identities and access. A security token is the conduit for this data.

The Prevalence of Security Tokens

Passwords and personal identification numbers are ubiquitous in modern businesses. Most employees know that they must enter some set of credentials to access files, servers, and sensitive documents. Security tokens take this protection to the next level.

A security token can be as big as a key fob or as small as a microchip. They either hold information that verifies a person's identity or communicate with a database or third-party system that offers verification services.

How Do Security Tokens Work? 

Each year, hackers cause approximately $400 billion in losses. Businesses have to protect against this very real threat, or the damage could be immense.

Imagine you work for a large corporation, and it's your job to protect intellectual information worth millions. Hackers want it, and it's your job to keep them away. Your token setup could include:
 

  • Keywords. The user must type in a secure password from memory. There are often detailed requirements for this password, such as a certain minimum number of characters or other specifications.
     
  • Computer setup. During an attempted login event, the computer system sends a message to the user's cellphone. That message contains a password that must be entered, or access is blocked.

On the surface, this is the same type of authentication and authorization consumers have used for years with passwords. They must enter credentials they have memorized to access the systems they need. But security tokens require some type of tool. Simple memory isn't enough.

 

Security Token Illustration

3 Main Types of Security Tokens

Security tokens are built with customization in mind. The needs of one company can be quite different than those of another. Select your version carefully to ensure you're delivering the right balance of security and flexibility.

Security token types include:

  1. Connected tokens. Users must physically tie the token to the system they want to use. A smartcard or fob like a Yubikey is a good example. Users slide the device into a reader, and the device automatically pushes authentication information to the computer system.
     
  2. Disconnected tokens. Users don't need to physically insert anything into a device, but they may need to enter a code generated by the token. A cellphone set up as a 2-factor authentication device is a good example of a disconnected token.
     
  3. Contactless tokens. Users don't need to connect to a device, and they aren't required to input an additional keyword or access code. Instead, these devices connect with the system wirelessly, and access is granted or denied based on that connection. Bluetooth tokens work just like this, as do keyless entry systems.

The customization doesn't stop there. Your security token system could also include:

  • Keypads. Lock down the data inside your token by requiring a password.
     
  • Biometric data. Store iris scans or fingerprints, and tie that data to scanners on site.
     
  • Tamper-resistant qualities. Security measures are added to ensure that thieves can't take apart the keys and steal data. 

Security Token Password Types 

Every security token contains a tiny bit of data that could be considered a password. It isn't always entered into a system via a keypad or scanner, but the token completes some type of secure data exchange with the resource the user is trying to access.

Plenty of security token password types exist, including:

  • Static passwords. A string of numbers, letters, or both sit within the token. The password never changes without direct support from a security professional. The person who holds the token may not know that the password exists, and the person can't call out the data if asked.
     
  • Dynamic passwords. The security system picks a new password, and it's tossed to the token. Typically, the user must type in the results before gaining access. Some systems like this use a timer and an algorithm to generate passwords, while others use a one-time password solution.
     
  • Challenge passwords. The server and the key connect with one another, and the data is encrypted along the journey. The device must provide the challenge in its decrypted form to gain access. 

Benefits of Security Tokens 

Passwords are incredibly hackable. In fact, researchers say the most common password is "123456." Leave your security solely in the hands of your users, and a catastrophe is just waiting to happen. Security tokens can moderate these threats by supplementing — or even fully replacing — user-generated passwords.

A proper security token system is built on two types of information.

  1. Possession: The person must have something (like a phone, a key card, or a USB) handy to access the system. 
  2. Knowledge: The person must know something (a password) to complete the loop and get access. 
  3. Inheritance: This relates to biometrics. It is something the person is (like a fingerprint or a facial recognition scan).

When used in conjunction with passwords, security tokens form part of a multi-factor authentication (MFA) solution. MFA solutions reinforce authentication security, as they require the user to submit another verification factor, such as one-time passcodes and U2F token information.

Exclusively using a password is like protecting your home with just a number combination. It works, but it also grants access for anyone else who knows the number. Adding a security token puts a key-locked gate in front of your door. Even those who know your door combination can’t get past the gate, and your home stays safe and sound. It adds another level of protection to keep you secure.

Consumers appreciate the benefits of security tokens. They also have critical information to protect, including:

  • Financial data. 
  • Stored savings information. 
  • Identity documents. 
  • Legal documents.

Some companies, including banks, use their two-factor authentication plans as selling points to cautious customers. By proving the company cares about safety, they are more likely to retain and build their customer base.

Vulnerabilities of Security Tokens 

As the name implies, security tokens should keep critical data secure. Unfortunately, they're not invincible. The risks are real, and they can sometimes be hard to mitigate.

Common security token vulnerabilities include:

  • Loss. Keycards, fobs, and USB sticks are tiny and easy to lose. If they're not encrypted or protected with a secondary password, anyone who finds them has access.
     
  • Theft. These same devices can be stolen, either in a targeted assault or as part of another crime, such as a purse theft. As with loss, this can put them in the hands of nefarious individuals. 
     
  • Hacking. Tokens should protect users from malware, and companies like banks often tell their customers token systems are safer for that reason. But anything that's electronic and connected to a network can be hacked by someone with skill and patience. While security tokens add another layer of support, they aren’t impervious to hacking.
     
  • Security breaches. Hackers can step in front of authentication systems and entice users to tap in keywords for collection. This happened to a major banking system in 2006, and it caused quite a scandal.

No matter what security token system you use, moderation and vigilance are required. Ensure that everything is working as you planned, and prepare to step in if you see something that has gone awry. 

Comparison to Crypto Security Tokens 

Cryptocurrency deals require proof of ownership, and that ownership must be transferred to a buyer. Crypto security tokens work as a sort of liquid contract.

Some experts believe this form of security token represents the future of finance. These tokens have a security element, but they aren't germane to the work most IT administrators do every day. 

Simplify Your Processes 

Security tokens could help your company lock down and protect valuable assets. They bring an enhanced layer of protection to ensure your customers, employees, partners, and overall business remain secure.

Creating a system like this isn't always easy. You want to ensure this system is set up the right way, free from glitches.

More than 8,400 global organizations trust Okta to help them manage and authenticate systems like this. Join them to make your organization more secure.

Okta + Yubico

Okta is working with Yubico to boost our token-based authentication. Find out more about the partnership.