User authentication tokens are typically implemented as small, hand-held devices that display a series of passwords over time. These passwords, which may be one-time passwords, are more generally referred to herein as tokencodes. A user equipped with such an authentication token reads the currently displayed password and enters it into a computer or other element of an authentication system as part of an authentication operation. This type of dynamic password arrangement offers a significant security improvement over authentication based on a static password.
Conventional authentication tokens include both time-based tokens and event-based tokens. In a typical time-based token, the displayed passwords are based on a secret value and the time of day. A verifier with access to the secret value and a time of day clock can verify that a given presented password is valid. In a typical event-based token, the displayed passwords are based on a secret value and an event counter. The event counter may count the number of occurrences of a particular event, such as a user pressing a button on the token. A verifier with access to the secret value and the current event count can verify that a given presented password is valid.
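The two verification models described above, as an added example that is not taken from this document or from the patents it cites. It uses the open HOTP construction (RFC 4226) as a stand-in tokencode function; the look-ahead window, the clock-skew window, the replay check and all function names are assumptions of this example.

```python
import hashlib
import hmac
import struct

# Published RFC 4226 test secret, used here only as sample input.
SECRET = b"12345678901234567890"

def tokencode(secret: bytes, moving_factor: int, digits: int = 6) -> str:
    """HMAC-SHA1 over an 8-byte moving factor, dynamically truncated (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", moving_factor), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_event(secret, presented, counter, look_ahead=3):
    """Event-based check: the moving factor is the event counter.

    Button presses the verifier never saw push the token ahead, so codes for
    counter..counter+look_ahead are accepted (assumed window). Returns the
    counter value to store next, or None if the code is rejected.
    """
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(tokencode(secret, c), presented):
            return c + 1  # moving past c makes the accepted code single-use
    return None

def verify_time(secret, presented, now, step=30, skew=1, last_step=-1):
    """Time-based check: the moving factor is the time of day in `step` units.

    Accepts +/- `skew` steps of clock drift (assumed window) and refuses any
    step at or before `last_step`, so a code cannot be replayed. Returns the
    accepted step, or None if the code is rejected.
    """
    current = int(now) // step
    for s in range(current - skew, current + skew + 1):
        if s > last_step and hmac.compare_digest(tokencode(secret, s), presented):
            return s
    return None

if __name__ == "__main__":
    # Token is two presses ahead of the verifier's stored counter of 1.
    print("event:", verify_event(SECRET, tokencode(SECRET, 3), counter=1))
    # Code generated at t=59s, checked at t=59s, then replayed.
    print("time:", verify_time(SECRET, tokencode(SECRET, 1), now=59))
    print("replay:", verify_time(SECRET, tokencode(SECRET, 1), now=59, last_step=1))
```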
It should be noted that a time-based authentication token may also be triggered to display a password in response to a designated event, such as a user pressing a button on the token. For example, a given time-based token may display a password only in response to a user pressing a button. In the absence of such a button press, no password is displayed. However, time-based authentication tokens need not be triggered in this manner. For example, a given time-based token may automatically display the current password without the need for a user to press a button.
Passwords can be communicated directly from the authentication token to a computer or other element of an authentication system, instead of being displayed to the user. For example, a wired connection such as a universal serial bus (USB) interface may be used for this purpose. Wireless authentication tokens are also known. In such tokens, the passwords are wirelessly communicated to a computer or other element of an authentication system. These wired or wireless arrangements save the user the trouble of reading the password from the display and manually entering it into the computer.
Additional details of exemplary conventional authentication tokens can be found in, for example, U.S. Pat. No. 4,720,860, entitled “Method and Apparatus for Positively Identifying an Individual,” U.S. Pat. No. 5,168,520, entitled “Method and Apparatus for Personal Identification,” and U.S. Pat. No. 5,361,062, entitled “Personal Security System,” all of which are incorporated by reference herein.
It is generally desirable in authentication tokens and other types of low-power hand-held devices to minimize power consumption so as to conserve battery power. However, such devices are often carried in pockets or wallets and are thereby susceptible to having their buttons inadvertently pressed. For example, an event-based token may have its event button inadvertently stuck in a pressed state, thereby causing current to be drained from the battery. Although the amount of current drain associated with a given press of the event button is small, typically on the order of 30 microamps, the battery capacity in a small form factor device may be only about 10-20 milliamp-hours. Thus, a button being stuck in the pressed state could potentially drain the battery entirely in a matter of days. This drastically decreases the lifetime of the device and has a detrimental impact on the user experience. A similar problem arises for time-based tokens that are triggered based on events such as a user pressing a button on the token.
It is therefore apparent that a need exists for improved techniques for mitigating current drain in an authentication token or other type of low-power hand-held device, which avoid the problems associated with buttons being inadvertently stuck in a pressed state.