Something You Have


Anything that is unique and that the user is required to possess can be used as an authenticating token. A token is generally issued to one user. A token is registered to a user, and when it is presented for authentication, the token is verified as being legitimate. The identifying label of the token is used to verify that it is registered, that it has not been lost or stolen, and that the user ID presented with it matches. If it is a match, the user is authenticated. Otherwise, the authentication request is rejected. Tokens fall into two general categories:

  1. Storage tokens

  2. Dynamic tokens

Let's examine each in further detail.

Storage Tokens

Storage tokens are generally made up of smart cards and Universal Serial Bus (USB) tokens. There is unique information stored on the token that identifies the possessor. If a computer system accepts only the presentation of a token for authentication, then anyone who has that token can be authenticated. If the token is lost or stolen, entry can still be gained. However, passwords are employed with tokens to prevent this from happening. Thus, when a user wants to authenticate with a token, he/she inserts the token and then provides a password to unlock the credentials stored inside. The token and the password are used by the system to authenticate the user. This multi-factor authentication methodology still has the weaknesses of passwords because the token and associated password can be loaned or stolen. Still, simply knowing the password without the token is not sufficient for authentication. Both must be used together. Most people are familiar with multi-factor authentication from ATM use: The card is the storage token and the PIN is the password. That said, the user is still inconvenienced, as he/she needs to remember two things instead of only one: the password and where the token is.

Dynamic Tokens

Dynamic tokens come in many forms, including smart cards, USB tokens, and key fobs. What makes these tokens different from storage tokens is that they are used to generate a one-time authentication code. The code could take the form of a response from the token to a challenge sent from the computer, or of time-based response keys tied to the token's registration. Just as for the storage token, the simple possession of a dynamic token is not sufficient for authentication. The dynamic token must be used in conjunction with a password to authenticate. This is still inconvenient for the user.
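The verification flow described above (registration, lost/stolen status, user ID match, password, then one-time code) is sketched below as an added example that is not taken from the book. It assumes the time-based scheme is TOTP as specified in RFC 6238, which the text does not name; the registry layout, token serials, user names, and passwords are constructed for illustration.

```python
import hashlib, hmac, struct

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time code (RFC 6238, HMAC-SHA1) for the time `now`."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample registry: token serial -> registration record.
# One shared salt keeps the sample short; a real store uses a per-user salt.
SALT = b"constructed-salt"
REGISTRY = {
    "TK-0001": {"user": "alice", "secret": b"12345678901234567890",
                "revoked": False, "pw": pw_hash("correct horse", SALT),
                "last_step": -1},
    "TK-0002": {"user": "bob", "secret": b"constructed-secret-2",
                "revoked": True, "pw": pw_hash("hunter2", SALT),
                "last_step": -1},
}

def authenticate(serial, user, password, code, now, step=30, registry=REGISTRY):
    """Return (ok, reason). Checks registration, lost/stolen status, user ID,
    password, then the one-time code (accepting one step of clock drift)."""
    rec = registry.get(serial)
    if rec is None:
        return False, "token not registered"
    if rec["revoked"]:
        return False, "token reported lost or stolen"
    if rec["user"] != user:
        return False, "user ID does not match token"
    if not hmac.compare_digest(rec["pw"], pw_hash(password, SALT)):
        return False, "bad password"
    current = int(now // step)
    for s in (current - 1, current, current + 1):
        if s > rec["last_step"] and hmac.compare_digest(
                totp(rec["secret"], s * step, step), code):
            rec["last_step"] = s      # one-time: a used code cannot be replayed
            return True, "authenticated"
    return False, "bad or reused code"
```

Recording the last accepted time step is what makes the code one-time: the same digits presented again inside the validity window are rejected.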

Token Usability

Tokens do have their use as a method of authentication. Storage tokens are most often used in conjunction with digital certificates. The certificates are stored within the token and then released for authentication. This method is most commonly used for Web-based authentication. It can also be used in Windows 2000 and XP as a certificate-based login, or in a Kerberos environment for granting an access ticket.

Dynamic tokens are most often used for remote access. The user enters the response code from the token into the remote client software along with his/her password for authentication. This method of authentication is gaining market share. It does not require additional connected hardware on a remote personal computer (PC). Thus, a user can go to any Internet-connected computer and strongly authenticate to a company network.

Tokens in conjunction with passwords have brought us one step closer to strong authentication. Still, the strength of tokens is compromised by the need for the user to remember his/her token and the password to access it. Tokens do offer a suggestion to attain a better factor of authentication. This better factor of authentication would have uniqueness like a token, require the user to possess it, but not require a password to access it.



Biometrics for Network Security (Prentice Hall Series in Computer Networking and Distributed)
ISBN: 0131015494
EAN: 2147483647
Year: 2003
Pages: 123
Authors: Paul Reid
