Passwords are the most common way of authenticating users. However, they are not as cheap and simple as they seem, especially from an organization's point of view: it has to issue an id and password for each resource it offers, and it has to manage the passwords of everyone who uses its portal. It is also cumbersome for users to remember a password for every website they log into. An alternative to passwords is the authentication token.
An authentication token is an immensely useful alternative to passwords. It is a small device that generates a new random value every time it is used; this value is used to authenticate the user.
Components of Authentication Token
- An LCD (Liquid Crystal Display) for displaying output
- A small keypad for entering information
- A real-time clock
Every such device (authentication token) is pre-programmed with a unique number called a random seed, or simply seed. This seed ensures that the output generated by the token is unique to it. An authentication token is an example of two-factor authentication, because the token itself is protected by a PIN: the user must both possess the token and know the PIN.
Working of Authentication Token
1. Creation of Token
When an authentication token is created, the authentication server generates the corresponding random seed for it. The seed is pre-programmed into the token, and the token uses it automatically, so the user never needs to know its value. The same seed is also recorded against that user's entry in the user database.
2. Use of Token
An authentication token automatically generates pseudo-random numbers called one-time passwords or one-time passcodes: each can be used only once and cannot be reused afterwards. This one-time password is basically a 4-digit PIN. The one-time password is used as follows.
- The user being authenticated enters his/her id and the one-time password, which are sent to the server.
- The server retrieves the seed corresponding to that user id from the user database, using a seed-retrieval program.
- The server passes the seed and the one-time passcode to a password validation program.
- This program checks whether the one-time password and the seed are related to each other.
3. Server responds
The server finally responds with a suitable message based on the output (success/failure) of the previous step.
Types of Authentication Token
There are two types of authentication token: challenge/response tokens and time-based tokens. A challenge/response token works as follows.
1. The user sends a login request providing only his/her user id, not a one-time password.
2. The server checks whether the user id is valid. If it is not, it responds with an error message; if it is, the server creates a random challenge and sends it to the user.
3. The user receives the random challenge, unlocks the authentication token with the PIN, and keys the random challenge in using the small keypad.
4. The token encrypts the random challenge with its seed, and the user enters the result in the password field of the login request.
5. The server verifies the encrypted random challenge received from the user, which can be done in two ways:
- The server can decrypt the encrypted random challenge received from the user with the seed value for that user, which the server obtains from the user database. If the decrypted value matches the original random challenge held on the server, authentication succeeds.
- The server can encrypt its own copy of the random challenge, the one it sent earlier to the user, with the seed for that user. If the result matches the encrypted random challenge received from the user, authentication succeeds.
In a time-based token, the server need not send any random challenge to the user, and the token need not have a keypad: it uses the current time in place of a random challenge. The token automatically generates a new password every 60 seconds and displays the latest one on its LCD for the user.
To generate the password, a time-based token uses its seed and the current system time.
- When a user wants to log in, he/she enters the password currently displayed on the token's LCD, along with his/her user id.
- The server receives the password and independently performs the same cryptographic function on the user's seed value and the current system time to generate its own version of the password. If the two values match, it considers the user valid.
- Finally, the server sends an appropriate message back to the user based on the result of the previous step.
Because they are more automated than challenge/response tokens (no challenge to key in), time-based tokens are used more often in practice.
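As an added example (written for this article; it is not part of the original text and not any vendor's token), the following Python model shows both token types and the server-side steps described above: the server generates the seed at enrolment and stores it against the user id, a challenge/response token encrypts the keyed-in challenge with its seed, and a time-based token derives a code from its seed and the current 60-second time step. The "encryption" is HMAC-SHA256 truncated to a decimal code the way HOTP (RFC 4226) does it; because a MAC is one-way, the server verifies by recomputing its own version and comparing (the second of the two methods listed above), not by decrypting. The class and function names, the 6-digit code length, the one-step clock-drift window and the replay bookkeeping are all this example's own assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Hypothetical token/server pair built for this article; names are our own.
CODE_DIGITS = 6          # length of the generated one-time code (assumption)
TIME_STEP_SECONDS = 60   # the article's 60-second refresh interval
DRIFT_STEPS = 1          # accept one step either side for clock skew (assumption)


def derive_code(seed: bytes, message: bytes, digits: int = CODE_DIGITS) -> str:
    """Keyed one-way function standing in for 'encrypt with the seed'.

    HMAC-SHA256 over the message, truncated to a decimal code as HOTP does.
    A MAC cannot be decrypted, so the server verifies by recomputing it.
    """
    mac = hmac.new(seed, message, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def time_counter(now: float) -> int:
    """Which 60-second step a timestamp falls into."""
    return int(now // TIME_STEP_SECONDS)


class Token:
    """The hand-held device: holds the seed and is unlocked by the user's PIN."""

    def __init__(self, seed: bytes, pin: str):
        self._seed = seed
        self._pin = pin

    def _check_pin(self, pin: str) -> None:
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("wrong PIN")

    def respond(self, pin: str, challenge: str) -> str:
        """Challenge/response token: the user keys in the challenge after the PIN."""
        self._check_pin(pin)
        return derive_code(self._seed, b"challenge:" + challenge.encode())

    def current_code(self, pin: str, now: Optional[float] = None) -> str:
        """Time-based token: no keypad entry, the code changes every 60 seconds."""
        self._check_pin(pin)
        counter = time_counter(time.time() if now is None else now)
        return derive_code(self._seed, b"time:" + counter.to_bytes(8, "big"))


class AuthServer:
    """The authentication server and its user database."""

    def __init__(self) -> None:
        self._user_db: Dict[str, bytes] = {}        # user id -> seed
        self._pending: Dict[str, str] = {}          # user id -> outstanding challenge
        self._last_counter: Dict[str, int] = {}     # user id -> last accepted time step

    def enroll(self, user_id: str, pin: str) -> Token:
        """Token creation: the server generates the seed and programs the device."""
        seed = secrets.token_bytes(20)
        self._user_db[user_id] = seed
        return Token(seed, pin)

    # ---- challenge/response token ----
    def challenge(self, user_id: str) -> Optional[str]:
        """Step 2: reject unknown ids, otherwise issue a random 8-digit challenge."""
        if user_id not in self._user_db:
            return None
        chal = f"{secrets.randbelow(10 ** 8):08d}"
        self._pending[user_id] = chal
        return chal

    def verify_response(self, user_id: str, response: str) -> bool:
        """Step 5 (second method): encrypt our own copy and compare."""
        chal = self._pending.pop(user_id, None)      # each challenge is usable once
        seed = self._user_db.get(user_id)            # the seed-retrieval step
        if chal is None or seed is None:
            return False
        expected = derive_code(seed, b"challenge:" + chal.encode())
        return hmac.compare_digest(expected, response)

    # ---- time-based token ----
    def verify_time_code(self, user_id: str, code: str, now: Optional[float] = None) -> bool:
        """Recompute the code for the current step (and neighbours for drift)."""
        seed = self._user_db.get(user_id)
        if seed is None:
            return False
        centre = time_counter(time.time() if now is None else now)
        for counter in range(centre - DRIFT_STEPS, centre + DRIFT_STEPS + 1):
            if counter < 0 or counter <= self._last_counter.get(user_id, -1):
                continue                             # refuse replay of an accepted step
            candidate = derive_code(seed, b"time:" + counter.to_bytes(8, "big"))
            if hmac.compare_digest(candidate, code):
                self._last_counter[user_id] = counter
                return True
        return False
```

Two details the article leaves implicit are made explicit here: the server tolerates one 60-second step of clock drift in either direction, and it remembers the last accepted step per user so that a code someone has already used cannot be replayed inside that window. The pending challenge is likewise removed as soon as it is checked, so a challenge/response pair is good for exactly one login attempt.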