Software token

A software token is a type of two-factor authentication security device that may be used to authorize the use of computer services. Software tokens are stored on a general-purpose electronic device such as a desktop computer, laptop, PDA, or mobile phone. This is in contrast to hardware tokens, where the credentials are stored on a dedicated hardware device.

Software tokens are considered to be weaker than hardware tokens, as they are exposed to threats such as computer viruses and software attacks. However, the software token does have benefits: there is no physical token to carry, they do not contain batteries that will run out, and they are cheaper than hardware tokens. [SecurityPro News, "Strong Authentication", http://www.securitypronews.com/2004/0121.html, retrieved on April 3, 2007]

Security architecture

There are two primary architectures for software tokens: shared secret and public-key cryptography.

For a shared secret, an administrator will typically generate a configuration file for each end-user. The file will contain a username, a personal identification number, and the secret. This configuration file is given to the user.

The shared secret architecture is potentially vulnerable in a number of areas. The configuration file can be compromised if it is stolen and the token is copied. With time-based software tokens, it is possible to borrow an individual's PDA or laptop, set the clock forward, and generate codes that will be valid in the future. Any software token that uses shared secrets and stores the PIN alongside the shared secret in a software client can be stolen and subjected to offline attacks. Shared secret tokens can be difficult to distribute, since each token is essentially a different piece of software. Each user must receive a copy of the secret, which can create time constraints.

Some newer software tokens rely on public-key cryptography, or asymmetric cryptography. This architecture eliminates many of the traditional weaknesses of software tokens. A PIN can be stored on a remote authentication server instead of with the token client, making a stolen software token useless unless the PIN is known as well. Attempts to guess the PIN can be detected and logged on the authentication server, which can disable the token. Using asymmetric cryptography also simplifies implementation, since the token client can generate its own key pair and exchange public keys with the server.
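The server-side PIN handling described above can be sketched as follows. This is an added example, not part of the original article: the class name, the three-failure threshold and the sample PIN are assumptions, and the signature check that proves possession of the client's private key is left out so the block stays on PIN guess detection and token disablement.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3  # assumed policy; the article gives no threshold


class PinServer:
    """Keeps PIN verifiers server-side, so a copied token client holds no PIN."""

    def __init__(self):
        self.tokens = {}     # token_id -> salt, verifier, failures, disabled
        self.audit_log = []  # (token_id, event) tuples

    @staticmethod
    def _derive(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, token_id: str, pin: str) -> None:
        salt = os.urandom(16)
        self.tokens[token_id] = {"salt": salt, "verifier": self._derive(pin, salt),
                                 "failures": 0, "disabled": False}

    def check_pin(self, token_id: str, pin: str) -> bool:
        rec = self.tokens.get(token_id)
        if rec is None or rec["disabled"]:
            self.audit_log.append((token_id, "rejected: unknown or disabled token"))
            return False
        if hmac.compare_digest(self._derive(pin, rec["salt"]), rec["verifier"]):
            rec["failures"] = 0
            self.audit_log.append((token_id, "pin ok"))
            return True
        rec["failures"] += 1
        self.audit_log.append((token_id, f"bad pin ({rec['failures']}/{MAX_FAILURES})"))
        if rec["failures"] >= MAX_FAILURES:
            rec["disabled"] = True
            self.audit_log.append((token_id, "token disabled"))
        return False


def demo():
    server = PinServer()
    server.enroll("token-alice", "4821")  # constructed sample values
    guesses = [server.check_pin("token-alice", g) for g in ("0000", "1111", "1234")]
    # The correct PIN is refused too: the token was disabled after three bad guesses.
    after_lockout = server.check_pin("token-alice", "4821")
    return guesses, after_lockout, server.audit_log
```

Because every guess passes through the server, guessing is rate-limited and leaves an audit trail, unlike the offline attack possible when the PIN sits beside the secret in the client.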

See also

* Multifactor authentication
* Security token
* eAuthentication

External links

* Microsoft to abandon passwords: http://www.vnunet.com/news/1161914
* Banks to Use 2-factor Authentication by End of 2006: http://it.slashdot.org/article.pl?sid=05/10/19/2340245&tid=172&tid=95


Wikimedia Foundation. 2010.
