Security Token Overview

Tokens are security credentials assigned to users. During login, users present these tokens to verify their identity before gaining access to a system. However, a token alone is insufficient to verify a user's identity. Users must first provide their username and password, and then use the token for authentication.

Tokens come in various forms, but they can generally be classified into two categories: hard tokens and soft tokens. Hard tokens are physical devices that users carry, such as key fobs, smart cards, and biometric cards. Soft tokens, on the other hand, are virtual tokens that are imported into mobile or desktop applications like SurePassID Authenticator or SurePassID Desktop Authenticator by scanning a QR code.

Hard tokens are physical devices that typically display a One Time Passcode (OTP). They may also have additional security features, such as a biometric sensor or PIN pad that must be used to show the OTP. These devices are designed to be highly secure because they are not frequently connected to any networks and operate independently. Even newer hard tokens, such as FIDO2/WebAuthn tokens, which have USB, Bluetooth, or NFC interfaces, are difficult to compromise because a secure microcontroller stores the cryptographic secrets on the device. FIDO2/WebAuthn hard tokens can be used for passwordless authentication or as a second factor without user verification. SurePassID fully supports both passwordless and second-factor FIDO2/WebAuthn authentication.

Soft tokens, also known as mobile tokens, can be easily installed in mobile phone apps like SurePassID Authenticator by scanning a QR code. Each token has its own unique properties and capabilities. SurePassID mobile tokens support both One Time Passcode (OTP) and push authentication methods. In the upcoming release, they will also support FIDO2 platform authenticators, where the token is securely stored in the secure element or Trusted Platform Module (TPM) of a device such as a laptop or mobile phone. Additionally, SurePassID mobile tokens can be used with roaming authenticators, which include hard tokens like key fobs or smart cards. As an administrator, you can choose which mobile tokens are acceptable for your users, based on their specific needs and preferences.