A conventional authentication token is a portable electronic device which creates one-time passcodes (OTPs) for use in authenticating a user to an authentication entity. Within the authentication token, a programmed microprocessor derives an OTP from a secret (e.g., a seed or an encryption key), and visually outputs the OTP on a display to the user.
Authentication tokens can be based on a variety of underlying mechanisms. For example, some are time-based, others are based on counters or events, and so on.
To demonstrate to the authentication entity that the user currently possesses a particular time-based authentication token, the user must provide the currently displayed OTP to the authentication entity by a certain time. After that time passes, the authentication entity considers that OTP to have become stale, and no longer accepts that OTP as proper authentication of the user.
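The following is an added worked example, not part of the patent text and not a description of any particular vendor's token. It shows the mechanism the preceding paragraphs describe in its most common standardized form: the token side derives an OTP from a shared secret and the current time step (HMAC-based OTP as in RFC 4226, time-based as in RFC 6238, which the patent does not name), and the authentication-entity side accepts the OTP only within a short validity window, treats older OTPs as stale, and refuses to accept the same OTP twice. The secret used is the published RFC 4226/6238 test secret; the timestamps and OTP values in the comments are constructed for illustration.

```python
import hashlib
import hmac
import struct
import time

# Published test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
# A real token provisions a random per-device seed instead.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Token side: derive one OTP from a secret and a counter (RFC 4226).

    The counter is MAC'd with HMAC-SHA1, four bytes are selected by dynamic
    truncation, and the result is reduced to the requested number of digits.
    """
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Time-based token: the counter is the number of `step`-second intervals elapsed."""
    return hotp(secret, now // step, digits)


class TotpVerifier:
    """Authentication-entity side for one enrolled token.

    An OTP is accepted only if it matches the current time step or up to
    `window` earlier steps (clock skew / transmission delay). Anything older is
    stale and rejected. A step that has already been consumed is never accepted
    again, so a captured OTP cannot be replayed inside the window.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_step = -1  # highest time step already used for a login

    def verify(self, submitted: str, now: int) -> bool:
        current = now // self.step
        for delta in range(self.window + 1):
            candidate = current - delta
            if candidate <= self.last_accepted_step:
                continue  # already consumed (replay) or older than a consumed step
            expected = hotp(self.secret, candidate, self.digits)
            # constant-time comparison: do not leak which digits matched
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed walk-through using fixed timestamps rather than time.time().
    verifier = TotpVerifier(SECRET)
    code = totp(SECRET, 59)            # token displays this during step 1 (t = 30..59)
    print(code, verifier.verify(code, 59))     # accepted at once
    print(code, verifier.verify(code, 59))     # same OTP again: rejected (replay)
    late = totp(SECRET, 60)            # next step's OTP
    print(late, verifier.verify(late, 120))    # two full steps late: stale, rejected
    print(int(time.time()) // 30, "is the live time step right now")
```

The window and replay bookkeeping are the two checks a verifier must not omit: a verifier that recomputes only the current step rejects legitimate users whose token clock has drifted, while one that accepts any step in the window without recording what was consumed lets an observed OTP be reused for the rest of that window.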
An authentication token provider may take steps to stop a hacker from duplicating the authentication token operation. One previously-used approach involves the provider (i) positioning the display over the microprocessor and (ii) tightly gluing the internal circuitry of the authentication token (i.e., the microprocessor, the display, the printed circuit board, the battery, etc.) within the authentication token housing to block physical access to the microprocessor. Another previously-used approach involves spring loading the battery of the authentication token within the authentication token housing so that, if the hacker successfully opens the housing, the spring automatically disconnects the battery from the microprocessor, causing the microprocessor to lose the contents of its memory.