
What is token-based authentication?

Posted on November 03, 2022

Token-based authentication is one of several web authentication methods used to make the verification process more secure. Other web authentication methods include biometric authentication and password authentication. While each method is distinct, all of them fall into one of three categories: knowledge (something you know), inherence (something you are), and possession (something you own).

Token authentication requires users to obtain a computer-generated code (or token) before they are granted network entry. It is typically used together with password authentication as an added layer of security, which is what we refer to as two-factor authentication (2FA). That means even if an attacker successfully brute-forces the password, they still have to defeat the token authentication layer. Without access to the token, gaining access to the network becomes far more difficult. This additional layer discourages attackers and can save networks from potentially disastrous breaches.

How Does Token-Based Authentication Work?

As a managed services provider (MSP), cybersecurity is never far from your mind. To keep the cost of security incidents to a minimum for your customers, it is your responsibility not only to understand best practices for user and network security but also to communicate them to the relevant end users. While many network authentication methods exist to support a robust security strategy, token-based authentication is a favorite among MSPs. By pairing this tried-and-true process with other comprehensive security measures, MSPs help keep their customers safe from breaches that put their bottom line and their reputation in jeopardy.

Types of security tokens:

  • One-time passwords (OTPs). A form of digital security token, an OTP is valid for only one login session: it is used once and never again. After the first use, the authentication server records that the OTP must not be accepted a second time. OTPs are typically generated by a cryptographic algorithm from two unique, random data elements: a random session identifier and a shared secret key.

  • Disconnected tokens. A disconnected token is a digital security token that has no physical or logical connection to the computer. The device may generate an OTP or other credentials. A desktop application that sends a text message to a cellphone, which the user must then enter at login, is using a disconnected token.

  • Connected tokens. A connected token is a physical object that connects directly to a computer or sensor. The device reads the connected token and grants or denies access. YubiKey is an example of a connected token.

  • Contactless tokens. Contactless tokens form a logical connection with a computer without requiring a physical connection. These tokens connect to the system wirelessly and grant or deny access through that connection. For example, Bluetooth is often used as a method for establishing a connection with a contactless token.

  • Single sign-on (SSO) software tokens. SSO software tokens store digital information, such as a username or password. They enable people who use multiple computer systems and multiple network services to log in to each system without having to remember multiple usernames and passwords.

  • Programmable tokens. A programmable security token repeatedly generates a unique code valid for a specified time frame, often 30 seconds, to provide user access. For example, Amazon Web Services Security Token Service is an application that generates 2FA codes required for information technology administrators to access some AWS cloud resources.

The benefits of authentication tokens:

Historically, a single layer of authentication was the gold standard. In today's cybersecurity climate—in which attackers are more cunning than ever before—a single factor is the bare minimum. Knowledge-based authentication works best when implemented alongside possession-based authentication to form a robust 2FA system.

This is where token authentication comes into effect. Token systems that rely on hardware to deploy computer-generated codes are a critical component of any comprehensive security strategy. These systems put 2FA to work to stop attackers before they gain access to—and wreak havoc on—the network.

On top of proactively securing customer networks, however, it’s critical that MSPs also help customers react to data breaches. If a bad actor does successfully manage to gain access to a network, having data stored safely on the cloud can prevent your customers from having to fall victim to data loss or the threat of hefty ransoms.

Source: https://www.n-able.com/blog/how-does-token-based-authentication-work

https://www.techtarget.com/searchsecurity/definition/security-token#:~:text=Security%20token%20technology%20is%20based,be%20decrypted%20by%20the%20device.
