Strong authentication tokens are a type of security tokens that are well known in the art. They allow service providers and applications to authenticate the possessor of the token, by providing dynamic passwords that could only be generated with knowledge of a secret or key that is shared between the authentication server employed by the service provider or application on the one hand, and the authentication token on the other hand. To generate dynamic passwords, the strong authentication token applies a cryptographic algorithm to the shared secret and a dynamic variable, for example comprising one or more of a counter value, a value representing the present time, and a random challenge. Usually the dynamic password can only be used once, thus greatly enhancing the level of security with respect to static passwords. Strong authentication tokens are popular, especially to secure applications such as internet banking, because they offer a much higher level of security than static passwords combined with a high user convenience.
Another type of security tokens are transaction signature tokens. Such transaction signature tokens allow service providers and applications to verify the approval of the transaction by the possessor of the token and the integrity of the transaction data, by providing electronic signatures on the transaction that could only be generated with knowledge of a secret or key that is shared between the authentication server employed by the service provider or application on the one hand, and the authentication token on the other hand. To generate electronic signatures, the transaction signature token applies a cryptographic algorithm to the shared secret and the transaction data. In some cases the transaction signature token may also include the value of a dynamic variable into the calculation of the electronic signature as a measure against replay attacks.
To verify the validity of the dynamic password or electronic signature generated by the security token, the authentication server performs the same or a complementary calculation as the security token to obtain a verification value using its own copy of the shared secret, and its locally kept value of the counter, the present time, the challenge it submitted to the end user, or the relevant transaction related data. The server then compares the verification value it generated with the dynamic password or electronic signature received from the user. Authentication or transaction approval is successful if the token-generated dynamic password or electronic signature submitted by the end user matches the verification value generated by the authentication server.
Typical strong authentication and transaction signature tokens have a display for communicating the generated credentials such as one-time passwords or electronic signatures to the end user, and a button or keypad to request the generation of a new credential and/or to enter challenges, transaction data, PIN codes, etc. Other known communicating means include auditory output, USB interfaces, and wireless interfaces. Other known input means include optical sensors, USB interfaces, and wireless interfaces.
Some security tokens require the user to enter a PIN code to perform certain actions such as generating an electronic signature. In some cases the user submits to the authentication server also a static password in addition to the dynamic password generated by a strong authentication token as a counter measure against the fraudulent use of lost or stolen tokens.
Some security tokens are capable of generating both dynamic passwords and electronic signatures.
Some security tokens are dedicated hardware devices whose only or main function is to generate dynamic passwords and electronic signatures, while other tokens are devices having general purpose computing capabilities (for example Personal Computers, Personal Digital Assistants, cell phones) that run software emulating the functions of dedicated hardware strong authentication and transaction signature tokens and that often offer the generation of dynamic passwords and electronic signatures merely as an additional functionality besides other functionalities. The latter kind of token is sometimes referred to as a software token.
In a first class of strong authentication and transaction signature tokens, the secret is embedded in a memory internal to the token itself, which is typically made inaccessible to the outside world. In a second class of strong authentication and transaction signature tokens, the token is capable of receiving an external component carrying a secret, such as a smart card, and of cooperating with this external component to generate and provide dynamic passwords and electronic signatures.
The range of products sold by Vasco Data Security under the brand DIGIPASS contains several examples of security tokens as described above.