Introduction to Authentication Tokens
Authentication tokens are an alternative for the password. It is a small device that is used to generate a new random value every time. This random value becomes a basis for authentication. The small devices are typically of the size of small key chains, calculators or credit cards. Usually, an authentication token has the features such as Battery, Liquid Crystal Display (LCD) for output display, Processor, Small keypad to enter information (It is optional), Real-time clock (optional).
Each authentication token is preprogrammed with a unique number called as random seed or seed. This random seed ensures that every value generated by an Authentication token is unique.
How Do Authentication Tokens Work?
There are basically three steps involved in authentication tokens.
Step 1: Creation of Token
- Whenever an authentication token is created, the corresponding random seed for the token is generated by the authentication server.
- This seed is pre-programmed and stored inside the token as well as its entry is made against that user’s record in the user database.
- Conceptually think about this used as the user’s password. Also, the user does not know about the value of the seed, unlike a password. This is because the seed is used automatically by the authentication token.
Step 2: Use of Token
- An authentication token automatically generates pseudo-random numbers, called a one-time password. This one-time password is generated by an authentication token based on these values that they are pre-programmed with. They are called a one-time password because they used for one time only when it generates.
- When the user wants to be authenticated, the user will get a screen that enables the user to enter a third and one time password. In this case, the user will enter the user id and the one-time password which is generated by an authentication token.
- The user id and password travel to the server as a part of the login request. the server used the seed retrieval program to gets a corresponding seed for the user id from the user database. After that server calls, another program called a password validation program.
- The server submits a seed and a one-time password to the password validation program. Then this program establishes a relationship between seed and one-time password. This process is done using symmetric techniques.
- It generates the same one time password as was done by the authentication token. The authentication server can also use this program to identify that is a particular seed value relates to a particular one time password or not.
- An authentication token is protected by using 4 digit pin, this pin is used to create a one time password. So if the user somehow loses his authentication token, there is no need to worry.
Step 3: Server Returns an Appropriate Message Back to The User
Finally, the server sends an appropriate message to the user. it depends on the success and failure of the previous operation.
There are two types of authentication tokens which are explained below:
1. Challenge or Response Tokens
- challenge/ response tokens, a combination of techniques is used. The seed is preprogrammed inside the authentication token, this seed is kept as secret and should be unique. In this tokens, the seed becomes an encryption key.
- In this technique, the user has to make three entries, the first user needs to enter the PIN to access the token. the second user needs to read the random challenge from the screen and key in the random number challenge into the token. And this last one is user has to read the encrypted random challenge from the LCD of the token and enter it into the password field.
- The problem with this token is that it can result in long string generation. Assume that if we use 128-bit seed and 128-bit key, the encrypted seed will also of 128 bits. That means the user will have to read 16 characters from the LCD of the authentication token and enter that on the screen for the password. This can be quite cumbersome to the user. To solve this alternative approach has been used i.e. message-digest technique.
- Authentication token combines the seed with a random challenge to produce the message digest. It truncates it to pre a determined number of bits, transforms it into a user-readable format and displays it on the LCD. Then the user will read this text of smaller size and enter it as a password. The server also performs the same procedure.
2. Time-Based Tokens
- There are some disadvantages and problems in challenge/response tokens, these problems are addressed in time-based tokens. In this technique, the server needs to send any random challenge to the user.
- Token need not have a keypad for entry. The goal behind this is to use the time as a variable input to the authentication process, in place of the random challenge.
This is a guide to Authentication Tokens. Here we discuss what is authentication token and its detailed working along with their types. You may also look at the following articles to learn more –