Overview#

Modern authentication and/or authorization solutions have introduced the concept of tokens into their protocols.

Tokens are specially crafted pieces of data that carry just enough information to either authorize the user to perform an action, or allow a client to get additional information about the authorization process (to then complete it). In other words, tokens are pieces of information that allow the authorization process to be performed. Whether this information is readable or parsable by the client (or any party other than the authorization server) is defined by the implementation. The important thing is: the client gets this information, and then uses it to get access to a resource.[2]

Tokens are Claims

A Token maybe physical (Hard tokens or a message (Soft tokens).

Why use Tokens#

Why Use Tokens

Passing Token[1]#

As you start implementing Tokens, you’ll find that you have more tokens than you ever knew what to do with! How you pass these around your system will certainly affect your overall security. There are two distinct ways in which they are passed:

• By-value - Where the value of the Token is within the Token and if sensitive may require Encryption
• By-reference - Which is typically referred to as Tokenization

These are analogous to the way programming language pass data identified by variables. The run-time will either copy the data onto the stack as it invokes the function being called (by value) or it will push a pointer to the data (by reference). In a similar way, tokens will either contain all the identity data in them as they are passed around or they will be a reference to that data.

TIP#

Pass by reference when Tokens have to leave your network, and then convert them to by-value tokens as they enters your space. Do this conversion in your API gateway.

If you pass your tokens by reference, keep in mind that you will need a way to dereference the token. This is typically done by the API calling an endpoint exposed by your API server or using a Token Service Provider or a Security Token Service.

GlobalPlatform Token#

GlobalPlatform defines Token as: "Data derived from a credential." (Which make so little sense, the discussions around Tokenization revolves around passing By-reference).

Token Types#

A Token maybe a:

• bearer Token
• access Token
• Identity Token
• Payment Token
• Password Token
• Hard tokens
• Soft tokens
• One-time password device tokens
• JSON Web Tokens
• WS-Security Tokens
• Password tokens
• Legacy Tokens (e.g., those issued by a Web Access Management system)
• Custom Tokens are the most prevalent when passing them around by reference

The usages of each type of Token or a combination of Tokens determines the NIST Level Of Assurance is described in the NIST Electronic Authentication Guideline and increases the Level Of Assurance as applied to Identity Assurance as to the Identity being asserted.

Authentication systems that incorporate all three factors are stronger than systems that only incorporate one or two of the factors. The system may be implemented so that multiple factors are presented to the verifier, or some factors may be used to protect a secret that will be presented to the verifier.

For example, consider a hardware device that holds a cryptographic key. The key might be activated by a password or the hardware device might include a biometric capture device and uses a biometric to activate the key. Such a device is considered to effectively provide two factor authentication, although the actual authentication protocol between the verifier and the claimant simply proves possession of the key.

The secrets are often based on either public key pairs Asymmetric Key Cryptography or shared secrets. A public key and a related private key comprise a public key pair. The private key is used by the claimant as a token. A verifier, knowing the claimant’s public key through some credential (typically a public key certificate), can use an authentication protocol to verify the claimant’s identity, by proving that the claimant has control of the associated private key token (proof of possession).

Shared secrets use either Symmetric Key Cryptography or passwords. In a protocol sense, all shared secrets are similar, and can be used in similar authentication protocols; however, passwords, since they are often committed to memory, are something the claimant knows, rather than something he has. Passwords, because they are committed to memory, usually do not have as many possible values as cryptographic keys, and, in many protocols, are vulnerable to network attacks that are impractical for keys.

Moreover the entry of passwords into systems (usually through a keyboard) presents the opportunity for very simple keyboard logging or “shoulder surfing” attacks. Therefore keys and passwords demonstrate somewhat separate authentication properties (something you know rather than something you have). Passwords often have lesser resistance to network attacks. However, when using either public key pairs or shared secrets, the subscriber has a duty to maintain exclusive control of his token, since possession and control of the token is used to authenticate the subscriber’s identity.

Biometrics are unique personal attributes that can be used for Identification of a Natural Person. They include Facial recognition, Fingerprint recognition, DNA, Iris recognition and Retinal recognition, voiceprints and many other things. Biometrics are used in the Biometric Enrollment to be able to later prevent a subscriber who in fact registered from repudiating the registration, to help identify those who commit registration fraud, and to unlock tokens.

More Information#

There might be more information for this subject on one of the following:

• ACDC Grant type
• ACDC Token
• API-Gateway
• Access Token
• Authentication Protocol
• Authenticator
• Authenticator App
• Authorization Response
• Authorization Server
• Bearer Token
• Biometric Data Challenges
• Biometric Template
• By-value
• CSRF Token
• C_hash
• De-tokenization
• Delegation vs Impersonation
• Domain Authorization Document
• Dynamic Access Control
• EMVCo Tokenization
• ERC20
• Ethereum
• Fast IDentity Online
• Federation
• Grant Types
• HTTP
• Hard tokens
• Identify and Authenticate access to system components
• Identity Credential and Access Management
• Identity Token
• Identity Token Claims
• JSON Web Token Best Current Practices
• LOA 2
• LOA 3
• LOA 4
• Liberty Alliance
• Lock
• Logging Out
• Logout Mechanism
• M-04-04 Level of Assurance (LOA)
• Malicious Endpoint
• NewCredentials
• OAuth 2.0 Protocol Flows
• OAuth 2.0 Security Considerations
• OAuth 2.0 Token Exchange
• OAuth 2.0 Token Introspection
• OAuth 2.0 Token Revocation
• OAuth 2.0 Tokens
• OAuth Dynamic Client Registration Metadata
• OAuth Token Profile
• One-time password device tokens
• Open-Loop Authentication
• OpenID Connect Use Cases
• OpenLedger
• OxAuth
• Password
• Proof Key for Code Exchange by OAuth Public Clients
• Proof-of-Possession
• Proprietary Session Management
• Public-Key Cryptography Standards
• Refresh Token
• Remote Authentication Dial-In User Service
• Requesting Party Token
• Response_type
• Revocation Request
• SFSafariViewController
• Security Token
• Security Token Service
• Session
• Session Management
• Shared Secret
• Single Logout
• Social Login
• Soft tokens
• Something You Have
• Sub
• The Laws of Relationships
• Token
• Token Binding Protocol
• Token Binding over HTTP
• Token Consumer
• Token Provider
• Token Revocation
• Token Service Provider
• Token Storage
• Token-exchange
• Token_type_hint
• Tokenization
• Trust Model
• U-Prove
• U-Prove token
• User-Managed Access
• Verifier
• WS-Security Tokens
• Web Blog_blogentry_130418_1
• Web Blog_blogentry_130518_1
• Web Blog_blogentry_140216_1
• Webtask
• Why OAuth 2.0
• Why Use Tokens

---

• [#1] - Passing Tokens - based on data observed:2015-05-18
• [#2] - Refresh Tokens: When to Use Them - based on information obtained 2016-05-15-