A software token is a type of two-factor authentication security device that may be used to authorize the use of computer services. Software tokens operate on a general-purpose electronic device such as a desktop computer, laptop, personal digital assistant, or mobile phone, in contrast to hardware tokens, which store the user's credentials on a dedicated device.
Software tokens are considered to be weaker than hardware tokens because they are exposed to threats such as computer viruses and other malicious software attacks. However, the benefits of software tokens are that there is no physical token to carry, they do not expire (no battery), and they are cheaper than hardware tokens. [SecurityPro News, Strong Authentication, retrieved on April 3, 2007]
Security architecture
There are two primary architectures for software tokens: shared secret and public-key cryptography.
For a shared secret, a network administrator will typically generate a configuration file for each user. The file will contain a username, a personal identification number, and the shared secret. The file is given to the user. However, this can make the system vulnerable, because the file can be stolen and the token copied. With time-based software tokens, it is possible to borrow an individual's personal digital assistant or laptop, reset the clock, and generate codes that will be valid in the future. Any software token that uses shared secrets and keeps the PIN (the first factor) with the shared secret (the second factor) in a software client can be stolen and subjected to offline attacks. Shared secret tokens can be difficult to distribute, since each token is essentially a different piece of software. Each user must get an appropriate secret, which can create time constraints.
Some newer software tokens rely on public-key cryptography, or asymmetric cryptography. This architecture eliminates many of the traditional weaknesses of software tokens. A PIN can be stored on a remote authentication server instead of with the token client, making a stolen software token no good unless the PIN is known as well. If attempts are made to guess the PIN, they can be detected and logged on the authentication server, which can disable the token. Using asymmetric cryptography also simplifies implementation, as the token client can generate its own key pair and exchange public keys with the server. Yet software tokens remain dependent on the integrity of the computer on which they reside.
Examples
Shared secret tokens
- VASCO's Digipass, Authentication tokens
- Deepnet Unified Authentication Platform
- KerPass UST token for mobile phones, which provides time-synchronous one-time passwords.
- Secure Computing's software tokens
- PhoneFactor for all phones
- PassGo Technologies' software tokens
- Tempest Security Intelligence's m-Trusted mobile token
Asymmetric software tokens
- KerPass UST token for mobile phones, which provides ECDSA mobile digital signatures.
- WiKID Systems' software tokens
- WiKID's project page at SourceForge
See also
- Multifactor authentication
- Security token
- eAuthentication
External links
- Microsoft to abandon passwords,
- Banks to Use 2-factor Authentication by End of 2006
- WiKID Systems' SourceForge page
- Software and Security Token