Passwords are the most common form of authentication. However, they are not as cheap and straightforward as they seem, especially from an organization's point of view: it must issue an ID and password for every resource its people use, and it must also run password portals (resets, changes) for the many people who use them. Users, in turn, find it cumbersome to remember a password for every website they log into. An alternative to passwords is therefore the authentication token.
An authentication token is a small device that generates a new, unpredictable value each time it is used. That value is what authenticates the user.
Components of an authentication token
- A Liquid Crystal Display (LCD) for showing output
- A keypad for entering information
- A real-time clock
Each such device (authentication token) is preprogrammed with a unique number called a random seed, or simply the seed.
This seed ensures that the output generated by the authentication token is unique to that device. Authentication tokens are an example of two-factor authentication, because the token itself (something you have) is protected by a PIN (something you know).
How authentication tokens work
1. Creation of Tokens
When an authentication token is created, the authentication server generates a corresponding random seed for it. The token uses this seed automatically, so the user never learns its value. The seed is preprogrammed into the token and recorded against the user's entry in the user database.
2. Use of Tokens
Authentication tokens automatically generate pseudo-random numbers called one-time passwords (OTPs), which can be used only once: after a one-time password has been used, it cannot be reused. The one-time password is usually a 4-digit numeric code. The key steps in using it are:
- The user enters their ID and the one-time password, which are sent to the server.
- The server uses a seed retrieval program to fetch the seed corresponding to the user ID from the user database.
- The server passes the seed and the one-time password to the password validator.
- The validator checks whether the one-time password and the seed are associated with each other.
3. Server response
The server finally responds with an appropriate message based on the output of the previous step (success/failure).
Types of authentication tokens
Challenge/response tokens work as follows:
- The user sends a login request containing only their user ID and no one-time password.
- The server checks whether the user ID is valid. If it is invalid, an error message is returned; otherwise, the server creates a random challenge and sends it to the user.
- The user receives the random challenge, unlocks the token with the PIN, and keys the challenge into the token using its keypad.
- The token encrypts the random challenge with its seed, and the user enters the result in the password field of the login request.
- The server verifies the encrypted random challenge received from the user, which can be done in either of two ways:
- The server can decrypt the encrypted random challenge received from the user using the user’s seed value, which is made available to the server through the user database. Authentication succeeds if this decryption matches the original random challenge available on the server.
- The server can use the user’s seed to encrypt its own version of the random challenge, which was sent to the user earlier. Authentication is successful if this encryption matches the encrypted random challenge received from the user.
In time-based tokens, the server does not need to send the user any random challenge, and the token requires no keypad input. In effect, the current time takes the place of the random challenge. The token automatically generates a new password every 60 seconds and shows the latest one on its LCD.
To generate passwords, time-based tokens use the seed together with the current system time.
- When a user wants to log in, they read the password displayed on the token's LCD and submit that password together with their user ID.
- The server receives the password and independently applies the same encryption function to the user's seed value and the current system time to compute its own version of the password. If the two values match, it considers the user valid.
- Finally, the server sends the appropriate message back to the user based on the result of the previous step.
Due to their automated nature (compared to challenge/response tokens), time-based tokens are used more frequently in real life.
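The following is an added example (not code from the original article) that models both token types described above with one shared derivation function: the challenge/response flow, where the server re-encrypts its own copy of the challenge with the stored seed, and the time-based flow, where seed and current 60-second time step are combined. It assumes HMAC-SHA256 as the "encryption" of seed plus input, a 6-digit display, and a small tolerance window for clock drift; the page names none of these.

```python
import hashlib
import hmac

STEP_SECONDS = 60   # the 60-second refresh interval described above
OTP_DIGITS = 6      # assumed display length (the page does not fix one)

def derive_otp(seed: bytes, data: bytes) -> str:
    """Keyed one-way function standing in for the token's 'encryption'
    of its input with the seed (HMAC-SHA256 is an assumption; the page
    does not name the function). Returns a fixed-length digit string."""
    mac = hmac.new(seed, data, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**OTP_DIGITS).zfill(OTP_DIGITS)

# ---- challenge/response token ----
def token_answer_challenge(seed: bytes, challenge: bytes) -> str:
    """What the token computes after the user keys in the server's challenge."""
    return derive_otp(seed, challenge)

def server_verify_challenge(user_db: dict, user_id: str,
                            challenge: bytes, response: str) -> bool:
    """Server encrypts its own copy of the challenge with the stored seed and
    compares it to the user's response (the second verification method above)."""
    seed = user_db.get(user_id)
    if seed is None:
        return False
    return hmac.compare_digest(derive_otp(seed, challenge), response)

# ---- time-based token ----
def time_counter(now: float) -> int:
    return int(now) // STEP_SECONDS

def token_display(seed: bytes, now: float) -> str:
    """Password shown on the LCD: derived from the seed and the current time step."""
    return derive_otp(seed, time_counter(now).to_bytes(8, "big"))

def server_verify_time(user_db: dict, user_id: str, otp: str, now: float,
                       used: set, window: int = 1) -> bool:
    """Recompute the password for the current step (plus/minus `window`
    steps of clock drift) and refuse any step already consumed, so a
    one-time password really is accepted only once."""
    seed = user_db.get(user_id)
    if seed is None:
        return False
    base = time_counter(now)
    for step in range(base - window, base + window + 1):
        if (user_id, step) in used:
            continue
        if hmac.compare_digest(derive_otp(seed, step.to_bytes(8, "big")), otp):
            used.add((user_id, step))
            return True
    return False
```

The `used` set is the server's record of consumed time steps; in a real deployment it would live in persistent storage shared by all authentication servers.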