How Security Tokens Work: Hardware Keys, OTP, and Authentication Explained
A thorough explanation of security tokens—TOTP, HOTP, FIDO2, hardware security keys, smart cards, and their role in multi-factor authentication and phishing resistance.
What Is a Security Token?
A security token is a physical or software-based device used to authenticate a user's identity as part of a multi-factor authentication (MFA) scheme. By requiring something the user physically has (a token) in addition to something they know (a password), security tokens dramatically reduce the effectiveness of stolen credentials and password-based attacks. Security tokens span a spectrum from simple one-time password (OTP) generators to sophisticated hardware security keys implementing cryptographic challenge-response protocols. They are a critical defense against credential phishing, password spraying, and account takeover attacks.
The Authentication Factors Framework
Security tokens operate within the three-factor authentication model:
- Knowledge factor (something you know): Passwords, PINs, security questions
- Possession factor (something you have): Physical tokens, smartphones running authenticator apps
- Inherence factor (something you are): Biometrics—fingerprint, face ID, iris scan
MFA combines at least two factors. Security tokens represent the possession factor. The combination of a password (knowledge) and a token (possession) means an attacker who steals a password without the physical device—the most common attack scenario—cannot authenticate.
One-Time Password Tokens
HOTP: HMAC-Based OTP (RFC 4226)
HOTP generates a one-time password using a counter-based algorithm. A shared secret key (K) and an incrementing counter (C) are fed into an HMAC-SHA1 computation: HOTP(K, C) = Truncate(HMAC-SHA1(K, C)). The resulting 6–8 digit code is valid until used, at which point the counter increments. The server must track the counter state and tolerate synchronization skew, since the token's counter can run ahead of the server's (for example after button presses whose codes were never submitted), which RFC 4226 handles with a bounded look-ahead window. HOTP is used in hardware tokens from RSA SecurID and similar products where a button press generates the next OTP.
TOTP: Time-Based OTP (RFC 6238)
TOTP extends HOTP by replacing the counter with the current Unix timestamp divided by a time step (typically 30 seconds): TOTP = HOTP(K, floor(UnixTime / 30)). This generates a new 6-digit code every 30 seconds that is valid for a short window (typically ±1 step to account for clock skew). TOTP is the standard used by Google Authenticator, Microsoft Authenticator, Authy, and most authenticator apps. During enrollment, the service provides a QR code encoding a URI (otpauth://totp/...) containing the shared secret; the app stores the secret and computes codes on demand.
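As an added example (not code from the original article), the HOTP and TOTP computations described above in Go using only the standard library, checked against the shared test secret that RFC 4226 and RFC 6238 publish; the ±1 step window in VerifyTOTP is the clock-skew tolerance the text mentions, and the function names are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// HOTP implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation on the low nibble of the last byte, then mod 10^digits.
func HOTP(key []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// TOTP implements RFC 6238: the counter is Unix time divided by the step.
func TOTP(key []byte, unixTime, step int64, digits int) string {
	return HOTP(key, uint64(unixTime/step), digits)
}

// VerifyTOTP accepts a code that matches the current step or one step either
// side (clock-skew tolerance), comparing in constant time. A real server must
// also remember the last accepted step so the same code cannot be replayed.
func VerifyTOTP(key []byte, submitted string, now, step int64, digits int) bool {
	for skew := int64(-1); skew <= 1; skew++ {
		expected := TOTP(key, now+skew*step, step, digits)
		if hmac.Equal([]byte(submitted), []byte(expected)) {
			return true
		}
	}
	return false
}

func main() {
	key := []byte("12345678901234567890") // RFC 4226/6238 test secret
	for c := uint64(0); c < 3; c++ {
		fmt.Printf("HOTP(%d) = %s\n", c, HOTP(key, c, 6))
	}
	fmt.Println("TOTP at t=59 (8 digits):", TOTP(key, 59, 30, 8))
	fmt.Println("TOTP now:", TOTP(key, time.Now().Unix(), 30, 6))
}
```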
Security Token Types
| Token Type | Protocol | Form Factor | Phishing Resistant | Example Products |
|---|---|---|---|---|
| Software OTP / Authenticator App | TOTP, HOTP | Smartphone app | No (code can be relayed) | Google Authenticator, Authy, Microsoft Authenticator |
| Hardware OTP Token | TOTP, HOTP | Key fob / card | No (code can be relayed) | RSA SecurID, SafeNet |
| SMS/Voice OTP | OTP delivered out-of-band | Mobile phone | No (SIM swap attack vector) | Carrier delivery; widely deployed but weakest MFA |
| Push Notification MFA | Proprietary | Smartphone app | Partially (MFA fatigue attack possible) | Duo Security, Microsoft Authenticator push |
| FIDO2 / WebAuthn Hardware Key | FIDO2 / CTAP2 | USB / NFC / Bluetooth key | Yes (origin-bound) | YubiKey, Google Titan Key, Feitian |
| PIV / Smart Card | X.509 certificate + PKI | Credit-card form; requires reader | Yes | US government CAC, PIV cards |
| Passkeys (synced FIDO2) | FIDO2 / WebAuthn | Platform authenticator (OS keychain) | Yes (origin-bound) | Apple Passkeys, Google Passkeys, Windows Hello |
FIDO2 / WebAuthn: The Gold Standard
FIDO2 (Fast IDentity Online 2) is a set of standards developed by the FIDO Alliance and W3C that enables strong, phishing-resistant authentication using public-key cryptography. The two core components are:
- CTAP2 (Client to Authenticator Protocol 2): Defines how browsers and operating systems communicate with hardware authenticators (security keys) over USB, NFC, or Bluetooth.
- WebAuthn (Web Authentication API): A W3C standard that allows web applications to use FIDO2 authenticators for authentication. Supported natively in all major browsers since 2019.
The authentication flow works as follows: During registration, the authenticator generates a new cryptographic key pair specific to the relying party (website). The private key never leaves the secure element of the hardware key. The public key is sent to and stored by the server. During login, the server sends a challenge. The authenticator signs the challenge with the stored private key and returns the signature. The server verifies the signature against the stored public key. Because the key pair is bound to the specific origin (domain) of the relying party, a phishing site using a lookalike domain cannot receive a valid authentication from the security key—the authenticator checks that the origin in the authentication request matches the origin for which the key was registered.
Why TOTP is Not Phishing-Resistant
A real-time phishing attack against TOTP works as follows: the attacker sets up a convincing lookalike login page. When a victim enters their credentials and TOTP code, the attacker immediately forwards both to the real service. Since TOTP codes are valid for 30 seconds and the relay takes only seconds, the attacker can successfully authenticate. This attack, known as an adversary-in-the-middle (AiTM) or real-time phishing attack, is increasingly common and has rendered TOTP-based MFA insufficient for high-security applications. FIDO2/WebAuthn hardware keys are immune because authentication is cryptographically bound to the legitimate origin.
Deployment Considerations
| Consideration | Detail |
|---|---|
| Recovery / backup | Provide backup codes or backup token; hardware key loss can lock users out |
| FIDO2 account recovery | Register 2+ security keys per user; or pair with recovery method |
| Enrollment security | Token enrollment must be identity-verified; self-service enrollment is a social engineering target |
| MFA fatigue attacks | Push notification MFA can be bypassed by spamming approval requests; number matching and additional context combat this |
| Enterprise deployment | FIDO2 integrates with Azure AD, Okta, Google Workspace; PIV/smart cards via Windows Hello for Business |