Authentication based on Tokens: Something you Have.

• We know about these:
  • Keys, cards, ...
• We know the basic problems as well
  • lost
  • stolen
  • broken
  • Given away
  • Duplicated ...
• They start to classify by the following:
  • I don't care about the classification, just the ideas
  • Active vs Passive
    • Passive tokens do not change over time or directly interact.
      • Think key or photo id.
    • Active tokens can change or interact with the environment.
      • A hotel key card with a magnetic strip or RFID card.
  • Static vs Dynamic
    • static tokens remain fixed.
      • Again constant not changing.
    • Dynamic tokens can be updated or update themselves.
    • Think about a hotel key card
      • These normally store the room id , start and end date.
      • They are changed each time a guest checks into a room.
  • Skimming
    • A criminal attaches a second "card reader" to an authentication device.
    • This collects the data sent to the device
    • And allows the criminal to duplicate the authentication token.
    • I grabbed this article mostly for the pictures.
  • What if the token were intelligent?
    • The token holds a key
    • The token knows when it was accessed
    • It then updates the state to generate a new valid "key"
    • This must be in sync with the authenticator for key generation.
  • Look at at about 1:00
    • Probably a key and a counter are stored.
    • Each time a valid code is generated the counter is incremented.
    • The bank also keeps track of the number of times authentication was done
      • With a "window" of perhaps 10 button presses.
    • See This PDF