Most smart tokens are used instead of static user IDs and passwords to provide a stronger and more convenient means for users to identify and authenticate themselves to computers and networks. When it is used for this function, a smart token is an example of authentication based on something a user possesses (for example, the token itself). Although authentication to some computer systems is based solely on the possession of a token, typical smart token implementations also require a user to provide something he or she knows (for example, a password) in order to successfully utilize the smart token.
In general, smart tokens can be classified according to physical characteristics, interfaces, and protocols used. These classifications are not mutually exclusive.
1. Physical characteristics. Smart tokens can be divided into two physical groups: smart cards and other tokens. A smart card looks like a credit card but includes an embedded microprocessor. Smart tokens that are not smart cards can look like calculators, keys, or other small objects.
2. Interfaces. Smart tokens have either a human or an electronic interface. Smart tokens that look like calculators usually have a human interface, which allows humans to communicate with the device. Other smart tokens, including smart cards, have an electronic interface that can only be understood by special readers and writers. Two physical interfaces for smart cards have been standardized through the International Organization for Standardization, resulting in two types of smart cards. The first type, known as contact cards, works by inserting the card in a smart card reader, while the second type, known as contactless cards, uses radio frequency signals and the card needs only to be passed within close proximity to a card terminal to transmit information. Smart cards can be configured to include both contact and contactless capabilities, but because standards for the two technologies are very different, two separate interfaces would be needed.
3. Protocols. Smart tokens use three main methods for authentication, based on different protocols. The first method, static password exchange, requires users to first authenticate themselves to a token before the token can then authenticate the user to the computer. The other two methods are known as time-synchronized and challenge-response, and are based on cryptography. These methods generate a one-time password, which is a password or pass code that can be used only once, for a brief interval, and then is no longer valid. If it is intercepted in any way, the password has such a limited life span that it quickly becomes invalid. The next time the same user attempts to access a system, he or she must enter a new one-time password that is generated by the security token.
If implemented correctly, smart tokens can help create a secure authentication environment. However, smart tokens do not necessarily verify a person; they only confirm that a person has the token. Because tokens can be lost or stolen, an attacker could obtain a token and attempt to determine the user’s PIN or password.
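The two cryptographic protocols above, carried through as an added Python example that is not from the original document: a hypothetical token that answers only after its PIN is entered (the something the user knows), and a verifier that issues a random challenge and accepts each one-time password only once, so an intercepted code is useless on the next login. The shared secret, the PIN and the 30-second interval are constructed values.

```python
import hashlib
import hmac
import os

STEP = 30  # seconds per time-synchronized interval (assumed value)

def otp(secret: bytes, material: bytes) -> str:
    """One-time password: 8 hex digits of an HMAC over a challenge or time slot."""
    return hmac.new(secret, material, hashlib.sha256).hexdigest()[:8]

class Token:
    """Hypothetical smart token: holds a shared secret, answers only after PIN unlock."""
    def __init__(self, secret: bytes, pin: str):
        self._secret, self._unlocked = secret, False
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
    def unlock(self, pin: str) -> bool:
        candidate = hashlib.sha256(pin.encode()).digest()
        self._unlocked = hmac.compare_digest(candidate, self._pin_hash)
        return self._unlocked
    def challenge_response(self, challenge: bytes) -> str:
        if not self._unlocked:
            raise PermissionError("token locked: PIN required")
        return otp(self._secret, b"cr" + challenge)
    def time_synchronized(self, now: int) -> str:
        if not self._unlocked:
            raise PermissionError("token locked: PIN required")
        return otp(self._secret, b"ts" + (now // STEP).to_bytes(8, "big"))

class Server:
    """Verifier holding the same secret; every one-time password is accepted at most once."""
    def __init__(self, secret: bytes):
        self._secret, self._pending, self._used = secret, None, set()
    def issue_challenge(self) -> bytes:
        self._pending = os.urandom(16)   # fresh random nonce for this login attempt
        return self._pending
    def verify_response(self, response: str) -> bool:
        if self._pending is None:
            return False                 # no outstanding challenge: stray or replayed response
        expected = otp(self._secret, b"cr" + self._pending)
        self._pending = None             # challenge is consumed whether or not it matches
        return hmac.compare_digest(expected, response)
    def verify_time_otp(self, code: str, now: int) -> bool:
        # accept the current slot or the previous one (tolerates one step of clock drift)
        for slot in (now // STEP, now // STEP - 1):
            if slot in self._used:
                continue                 # a code for this interval was already spent
            if hmac.compare_digest(otp(self._secret, b"ts" + slot.to_bytes(8, "big")), code):
                self._used.add(slot)
                return True
        return False
```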