Page 41 - StudyBook.pdf
General Security Concepts: Access Control, Authentication, and Auditing • Chapter 1 25
NOTE
Strong password policies are covered in greater detail in Chapter 12.
Tokens
Token technology is another method that can be used in networks and facilities to
authenticate users. These tokens are not the access tokens that are granted during a
logon session by the NOS. Rather, they are physical devices used for the randomization
of a code that can be used to assure the identity of the individual or service
which has control of them. Tokens provide an extremely high level of authentication
because of the multiple parts they employ to verify the identity of the user. Token
technology is currently regarded as more secure than most forms of biometrics,
because impersonation and falsification of the token values is extremely difficult.
Token authentication can be provided by way of either hardware- or software-based
tokens. Let’s take a look at the multiple pieces that make up the process for
authentication using token technology.
To start with, you must have a process to create and track random token access
values. To do this, you normally utilize at least two components. They are:
■ A hardware device that is coded to generate token values at specific
intervals.
■ A software or server-based component that tracks and verifies that these
codes are valid.
To use this process, the token code is entered into the server/software monitoring
system during setup of the system. This begins a process of tracking the
token values, which must be coordinated. A user wishing to be authenticated visits
the machine or resource they wish to access, and enters a PIN number in place of
the usual user logon password. They are then asked for the randomly generated
number currently present on their token. When entered, this value is checked
against the server/software system’s calculation of the token value. If they are the
same, the authentication is complete and the user can access the machine or
resource. Some vendors have also implemented a software component that can be
installed on portable devices, such as handhelds and laptops, which emulates the
token device and is installed locally. The authentication process is the same; however,
the user enters the token value into the appropriate field in the software,
www.syngress.com
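
The PIN-plus-token check described above, sketched as an added example that is not from the book: the token and the server share a seed entered at setup, both derive the code for the current interval, and the server tracks the last interval it accepted so a code cannot be reused. The book names no algorithm; the RFC 6238 (TOTP) construction, the 30-second interval, and the names `token_code`, `TokenServer`, `enroll` and `authenticate` are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # assumed seconds per token value; the page only says "specific intervals"

def token_code(seed, now, digits=6):
    """Code the token displays for the interval containing `now` (RFC 6238 style)."""
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class TokenServer:
    """Server component: stores each token's seed at setup and verifies codes."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _hash_pin(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enroll(self, user, pin, seed, salt):
        self._users[user] = {"pin": self._hash_pin(pin, salt), "salt": salt,
                             "seed": seed, "last": -1}

    def authenticate(self, user, pin, code, now, drift=1):
        rec = self._users.get(user)
        if rec is None:
            return False
        pin_ok = hmac.compare_digest(self._hash_pin(pin, rec["salt"]), rec["pin"])
        step_now = int(now) // STEP
        matched = None
        # Accept the current interval plus `drift` neighbours for clock skew,
        # but never an interval at or before the last one already used.
        for step in range(max(0, step_now - drift), step_now + drift + 1):
            expected = token_code(rec["seed"], step * STEP)
            if step > rec["last"] and hmac.compare_digest(expected.encode(), code.encode()):
                matched = step
        if pin_ok and matched is not None:
            rec["last"] = matched  # each code is accepted once
            return True
        return False
```

In a deployment the salt and seed would come from a cryptographic random source such as `os.urandom`; they are passed in here so the example stays deterministic.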