Definitions

A token (also referred to as an electronic token, security token, hardware token, hard token, authentication token, cryptographic token, access token, or key fob) is

[s]omething that the claimant possesses and controls (typically a key or password) used to authenticate the claimant's identity.[1]
[a] data structure that contains authorization information for a user or group. A system uses an access token to control access to securable objects and to control the ability of a user to perform various system-related operations on a local computer.[2]
[a] small device with an embedded computer chip that can be used to store and transmit electronic information.[3]

Overview

A token may be a physical device or a piece of software that is given to an authorized user of computer services to assist in authentication.

Tokens are used to prove one's identity electronically (as in the case of a customer trying to access their bank account). The token is used in addition to or in place of a password to prove that the customer is who they claim to be. The token acts like an electronic key to access something.

Token threats

If an attacker can gain control of a token, they will be able to masquerade as the token's owner. Threats to tokens can be categorized into attacks on the three factors:

Mitigating threats

There are several complementary strategies to mitigate these threats:

References
