Security tokens are physical devices used to gain access to an electronically restricted resource. The token is used in addition to or in place of a password. It acts like an electronic key to access something, much as a wireless keycard opens a locked door. In the case of a customer trying to access their bank account online, the use of a bank-provided token can prove that the customer is who they claim to be.
Some tokens may store cryptographic keys, such as a digital signature key, or biometric data, such as fingerprint details. Some may also store passwords. Some designs feature tamper-resistant packaging, while others may include a small keypad to allow entry of a PIN, or a simple button to start a generating routine together with a small display to show the generated key number. Special designs include a USB connector, RFID functions or a Bluetooth wireless interface to enable transfer of a generated key number sequence to a client system.
All tokens contain some secret information that is used to prove identity. There are four different ways in which this information can be used:
Time-synchronized one-time passwords change constantly at a set time interval, e.g. once per minute. To do this, some sort of synchronization must exist between the client's token and the authentication server. For disconnected tokens this time synchronization is done before the token is distributed to the client. Other token types do the synchronization when the token is inserted into an input device. The main problem with time-synchronized tokens is that they can, over time, become unsynchronized. However, some such systems, such as RSA's SecurID, allow the user to resynchronize the server with the token, sometimes by entering several consecutive passcodes. Most also cannot have replaceable batteries and only last up to 5 years before having to be replaced, so there is additional cost.
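As an added illustration of the time-synchronized scheme described above (example code, not from the original article or any vendor), the following Python sketch shows how a server derives the passcode from the current time step, tolerates a small window of clock drift, and resynchronizes a drifted token from several consecutive passcodes, as the text says SecurID-style systems allow. It assumes the HMAC-based construction of RFC 4226/6238 (the article names no specific algorithm) and uses a constructed demo secret and timestamp.

```python
import hmac
import hashlib
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226 dynamic truncation) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = 60, drift: int = 0) -> str:
    """Time-synchronized OTP: the counter is the number of whole time steps
    elapsed; `drift` models how many steps the token's own clock is off."""
    return hotp(secret, now // step + drift)

def verify(secret: bytes, code: str, now: int, step: int = 60,
           drift: int = 0, window: int = 1) -> bool:
    """Server check: accept the current step or +-`window` steps around it,
    shifted by the drift recorded for this token, so small clock skew passes."""
    base = now // step + drift
    return any(hmac.compare_digest(hotp(secret, base + k), code)
               for k in range(-window, window + 1))

def resync(secret: bytes, codes: list, now: int, step: int = 60,
           max_drift: int = 50):
    """Resynchronization: the user enters several consecutive passcodes and
    the server searches for the clock offset at which they all line up.
    Returns that offset (in steps) to store for the token, or None."""
    base = now // step
    for d in range(-max_drift, max_drift + 1):
        if all(hmac.compare_digest(hotp(secret, base + d + i), c)
               for i, c in enumerate(codes)):
            return d
    return None

# Constructed demo values: a token whose clock has run 7 steps (minutes) fast.
DEMO_SECRET = b"constructed-demo-secret-not-real"
DEMO_NOW = 1_700_000_000
TOKEN_DRIFT = 7

if __name__ == "__main__":
    code = totp(DEMO_SECRET, DEMO_NOW, drift=TOKEN_DRIFT)
    print("rejected as out of window:", not verify(DEMO_SECRET, code, DEMO_NOW))
    codes = [totp(DEMO_SECRET, DEMO_NOW + 60 * i, drift=TOKEN_DRIFT) for i in range(3)]
    found = resync(DEMO_SECRET, codes, DEMO_NOW)
    print("recovered drift:", found, "accepted now:",
          verify(DEMO_SECRET, code, DEMO_NOW, drift=found))
```

A real deployment would also bound how far the stored drift may move per resync and record the last accepted counter to refuse replays of an already-used passcode.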