Classic physical security practices often involve the use of two authentication factors: something you know and something you have. Examples of the first are a username, password, PIN, or pass phrase. Examples of the second might include a door key and a photo ID. In order to gain access to a building or a room, you must have something that grants you that access.
In the computer-security world, “something you have” (a token) needs to be able to interact with software gatekeepers. Examples of such tokens will be examined in more detail in this chapter.
Of course, all tokens used in a security system share the same usability issue: if the token is left behind (at the office, at home, or in a hotel room, to name some examples), its owner will be unable to authenticate using the technology. This sometimes causes system administrators to turn away from requiring such tokens and to use software-only approaches instead. This decision usually opens an organization up to the attack vectors common in software-only security systems and is not recommended.
Radio-frequency IDs (RFIDs) usually consist of a small set of passive electronics and an antenna packaged together to form a transponder within a flat, credit-card-sized object. The antenna and electronics are designed to respond only to a very narrow range of radio frequencies, and the electronics further restrict the signals to those that have features (bits) that have been ...