Token based authentication is a very important
piece of the security solution puzzle. Compared to biometrics, which is "something
you are," token devices are "something you have", like your keys. However,
there are various ways to protect "something you have". Tokens come in two
general categories: special purpose authentication tokens and general purpose,
smart card-like devices. Special purpose tokens only do authentication,
generally using a proprietary cryptographic scheme. These tokens have the
advantage that they require little or no modification to existing systems
and applications. They are low in cost and usually don't require a special
hardware reader. Depending on the product, they may have the form factor
of a card, a calculator-like device or a fob which can go on a key chain.
Smart card-like systems can be programmed
to do almost anything, including a proprietary authentication protocol like
a special purpose token. Most commonly they are used to store secret keys
and perform cryptographic operations, such as digital signatures. In this
mode, they are used in conjunction with a Public Key Infrastructure (PKI).
Token based authentication provides enhanced
security compared to the traditional password method, but there are practical
tradeoffs and disadvantages. Users may leave their card at home, or leave it in their
machine during lunch, and thus create security holes. Other products require
extra steps when logging in. While token devices haven't been widely implemented
in the U.S., their ability to add an additional layer of security and store
digital certificates will most likely help their adoption rate grow over
the coming years.
The smart card is one of the latest additions
to the world of information technology. Similar in size to today's plastic
payment card, the smart card has a microprocessor or memory chip embedded
in it that, when coupled with a reader, has the processing power to serve
many different applications. As an access-control device, smart cards make
personal and business data available only to the appropriate users. Another
application provides users with the ability to make a purchase or exchange
value. Smart cards provide data portability, security and convenience.
Smart cards come in two basic varieties:
memory and microprocessor. Memory cards simply store data and can be viewed
as a small floppy disk with optional security. A microprocessor card, on
the other hand, can add, delete and manipulate information in its memory
on the card. Similar to a miniature computer, a microprocessor card has
an input/output port, an operating system and a "hard disk" with built-in security
features. Advanced smart cards feature a cryptographic co-processor, and
the most advanced devices offer a combination of digital signature, on-board
key generation and electronic payment with multi-application functionality.
Smart cards and hardware tokens provide both
greater mobility and enhanced security by allowing users to carry their
digital certificates with them. Most cards support RSA Labs' Public Key
Cryptography Standard (PKCS) #11 and X.509 version 3 certificates. With
a digital certificate stored on a smart card or hardware token, users can
remotely access protected data stored on corporate networks or send and
receive encrypted email from other computers in their enterprise, at home,
or from airport kiosks while they're on the road.
Smart cards have been deployed in a number
of environments. Businesses, the government and healthcare organizations
continue to move towards storing and releasing information via networks,
Intranets, extranets and the Internet. These organizations are turning to
smart cards to make this information readily available to those who need
it, while at the same time protecting the privacy of individuals and keeping
their informational assets safe from hacking and other unwanted intrusions.
In this capacity, smart cards enable:
- Secure logon and authentication of users to PCs and networks
- Secure e-commerce
- Storage of digital certificates, credentials and passwords
- Encryption of sensitive data
Smart cards also provide benefits for a host
of commercial applications. The smart card's portability and ability to
be updated make it a technology well suited for connecting the virtual and
physical worlds, as well as multi-partner card programs.
Contactless cards contain a small antenna
so that the card reader detects the card from a distance. The distance
can vary from a fraction of an inch to several feet, depending on the
technology and hardware used. Contactless cards are currently used mostly
to control physical access, such as access to a building or room. However,
in a multifactor PC authentication environment and in combination with
a biometric technology, these devices can provide a very convenient and
secure method of authentication.
USB token devices are used for authenticating
user identification, usually in coordination with a personal identification
number (PIN) or single password. USB tokens contain a tiny computer chip
for securely storing information. They are technologically identical to
smart cards, with the exception of their form factor and interface. USB
smart tokens are typically smaller than a house key and are designed to
interface with the universal serial bus (USB) ports found on millions
of computers and peripheral devices.
Advantages of USB tokens include that readers
are not required, since the token simply plugs into a USB port; token device drivers
are easily installed, unlike smart card readers, which can be difficult
to install and configure; and the tokens are small and designed to fit on a
key chain. Furthermore, users are required only to remember a single PIN
(if required) as opposed to multiple passwords.
Disadvantages include that tokens can be
lost as easily as a house key; tokens need to be replaced every few years;
and, compared to other methods, it takes longer for a user to authenticate
using a token device, since there are usually multiple steps in the verification
process.
Soft tokens refer to intangible software-based
"tokens", which are theoretically similar to single sign-on passwords but
offer the deployment advantages of a software application. This technology
solves the problem of providing a common installation and user interface
across a wide range of platforms, operating systems and application environments.
Token initialization binds the token to the user, after which it generates correct one-time
passwords, unique to the user, for each logon. Soft tokens are revocable at
any time without recovery, making them ideal for large user populations
and external consultants requiring temporary network access. Once revoked,
they can be completely re-initialized and deployed to new users as required.
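As an added illustration of the soft-token lifecycle described above (initialization binding a seed to a user, a one-time password per logon, and revocation followed by re-initialization), here is example code that is not from the original page. It assumes the HMAC-based one-time password construction of RFC 4226, which the page itself does not name; the class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import struct

DIGITS = 6
WINDOW = 5  # counters the verifier looks ahead, tolerating codes generated but never submitted


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 one-time password: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class SoftToken:
    """User-side software token: holds the seed from initialization and a counter that advances per logon."""
    def __init__(self, seed: bytes):
        self.seed, self.counter = seed, 0

    def next_code(self) -> str:
        code = hotp(self.seed, self.counter)
        self.counter += 1
        return code


class TokenServer:
    """Verifier: keeps each user's seed and last-accepted counter; revocation deletes the binding."""
    def __init__(self):
        self.tokens = {}  # user -> {"seed": bytes, "counter": int}

    def initialize(self, user: str, seed=None) -> SoftToken:
        # Initialization binds a fresh random seed to the user (explicit seed is only for testing).
        seed = seed or secrets.token_bytes(20)
        self.tokens[user] = {"seed": seed, "counter": 0}
        return SoftToken(seed)

    def verify(self, user: str, code: str) -> bool:
        rec = self.tokens.get(user)
        if rec is None:
            return False  # unknown user or revoked token
        for c in range(rec["counter"], rec["counter"] + WINDOW):
            if hmac.compare_digest(hotp(rec["seed"], c), code):
                rec["counter"] = c + 1  # this and all earlier counters are now unusable, so no replay
                return True
        return False

    def revoke(self, user: str) -> None:
        self.tokens.pop(user, None)  # re-initializing the user later issues a brand-new seed
```

The constructed seed used in testing is the RFC 4226 reference secret, so the first codes it produces match the published test vectors.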
Bio-tokens, also known as pseudo-tokens, combine
the functionality of a fingerprint reader and a token authentication device,
and are enhanced by the ability to store data directly on the device. That
is, a bio-token will store the authentication credentials (i.e., the fingerprint
template used for comparison during the verification and identification
processes) on the card itself. This allows users to carry a bio-token card
to another machine and authenticate their identity without their template
data being stored on the machine or network. Hence, a user must not only
provide their fingerprint, but also have the appropriate bio-token in their
possession. A single bio-token has the ability to store data for multiple users,
so users can share the device. Users can also store other data (such as
documents) on their bio-token. If multiple users are sharing one device
and have stored data/documents on the device, the currently logged on individual
will only have access to their own data. Hence, data stored on a bio-token
is secure, accessible only to the person who is currently authenticated.