The present invention relates generally to the field of electronic access control and more particularly to systems in which respective users are equipped with portable code-generating tokens into which a personal identification number (PIN) or other password corresponding to a respective user account must be entered in order for the token to perform an operation for that account. That operation may in turn be, for example, the generation of a "dynamic password" for use in gaining access to a data network, or the generation of a "digital signature" for use in the authorisation of a financial transaction (as known, e.g., in the case of the tokens marketed by the present applicant under the trade mark WATCHWORD). The purpose of the initial password entry is of course to ensure that any such token can be used only by a person authorised to do so. It is also necessary to ensure that the correct password cannot be discovered by an unauthorised person through repeated trial and error. For this reason it is conventional to programme such tokens to become inoperative (or "locked") in response to a predetermined number of consecutive incorrect password entries, and once a token has become locked in this way it will remain so even if the correct user account password is subsequently entered. While this is of great value for the prevention of fraud in the event that a token falls into unauthorised hands, it is equally of great inconvenience should a token become locked in the hands of an authorised user through the inadvertent repeated entry of an incorrect password, and some means must be provided for unlocking the token in such circumstances.
The conventional technique for unlocking an inadvertently locked token is to enter a separate "master" password which the token (and the other tokens used by the same organisation) has been programmed to recognise as overriding its locking function. Since knowledge of this "master" password would prejudice the security afforded by the locking function, it is imperative that it is itself kept secret. In practice, therefore, it is usual for this "master" password to be known only to the central authority by whom the locked token was issued and to whom the token must therefore be returned to be unlocked. This is inconvenient to the user, whose token will remain out of action until reissued, and can represent an expensive administrative overhead to the issuing authority.
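The locking behaviour described above (a run of consecutive wrong PIN entries locks the token, a locked token refuses even the correct PIN, and only a shared "master" password clears the lock) can be made concrete in a small model. The following Python is an added illustration written for this page; it is not the applicant's WATCHWORD implementation nor code from the patent, and the attempt limit, the PBKDF2 storage of PIN and master password, the HMAC-over-counter dynamic password and all secrets are constructed assumptions. It also shows the weakness the text attributes to the master password: because every token of the organisation accepts the same one, a single disclosure unlocks them all.

```python
import hashlib
import hmac
import secrets

# Constructed parameters: the page only says "a predetermined number" of
# consecutive wrong entries locks the token.
DEFAULT_MAX_ATTEMPTS = 3
KDF_ITERATIONS = 50_000


def _derive(secret: str, salt: bytes) -> bytes:
    # Keep only a salted derivation of PIN and master password (assumed
    # design), so a dumped token image does not reveal either in clear.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, KDF_ITERATIONS)


class Token:
    """Hypothetical model of a PIN-protected code-generating token with lockout."""

    def __init__(self, user_pin: str, master_password: str,
                 max_attempts: int = DEFAULT_MAX_ATTEMPTS) -> None:
        self._salt = secrets.token_bytes(16)
        self._pin_hash = _derive(user_pin, self._salt)
        self._master_hash = _derive(master_password, self._salt)
        self._otp_key = secrets.token_bytes(32)   # per-token secret (assumed)
        self._counter = 0
        self.max_attempts = max_attempts
        self.failures = 0       # consecutive wrong PIN entries
        self.locked = False

    def _otp(self) -> str:
        # Event-based dynamic password: HMAC over a moving counter (assumed scheme).
        msg = self._counter.to_bytes(8, "big")
        self._counter += 1
        return hmac.new(self._otp_key, msg, hashlib.sha256).hexdigest()[:8]

    def generate_password(self, pin: str):
        """Return a dynamic password, or None if the PIN entry is refused."""
        if self.locked:
            # A locked token stays locked even for the correct PIN.
            return None
        if not hmac.compare_digest(self._pin_hash, _derive(pin, self._salt)):
            # Record the failure before answering, so that interrupting the
            # token during its reply cannot be used to skip the increment.
            self.failures += 1
            if self.failures >= self.max_attempts:
                self.locked = True
            return None
        self.failures = 0            # a correct entry resets the run
        return self._otp()

    def master_unlock(self, master_password: str) -> bool:
        """Issuer override: clears the lock if the master password matches."""
        if hmac.compare_digest(self._master_hash,
                               _derive(master_password, self._salt)):
            self.locked = False
            self.failures = 0
            return True
        return False


def run_scenario() -> dict:
    """Walk two tokens of one organisation through lockout and master unlock."""
    org_master = "issuer-master-secret"            # constructed value
    alice = Token("4321", org_master)
    bob = Token("8765", org_master)                # same issuer, same master

    out = {}
    out["first_ok"] = alice.generate_password("4321") is not None
    wrong = [alice.generate_password("0000") for _ in range(3)]
    out["wrong_refused"] = all(r is None for r in wrong)
    out["locked_after"] = alice.locked
    out["correct_pin_while_locked"] = alice.generate_password("4321")
    out["bad_master"] = alice.master_unlock("guess")
    out["good_master"] = alice.master_unlock(org_master)
    out["works_again"] = alice.generate_password("4321") is not None
    # The same master password unlocks every token of the organisation,
    # which is why disclosing it prejudices the locking function itself.
    for _ in range(3):
        bob.generate_password("0000")
    out["bob_locked"] = bob.locked
    out["bob_master_works"] = bob.master_unlock(org_master)
    return out


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Two points the model makes explicit: the failure counter is updated before the token replies, so that an attacker cannot reset the count by cutting power mid-attempt, and a real token must also persist that counter and the locked flag in non-volatile storage, otherwise a power cycle becomes a free retry.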
The present invention accordingly seeks to provide a means for the unlocking of locked tokens which can avoid the need to return such tokens to their issuing authority while at the same time avoiding the possible dissemination of information useful for subverting their locking function.