GIAC GSNA Exam - Topic 2 Question 30 Discussion

Contactless tokens are the third main type of physical tokens. Unlike connected tokens, they form a logical connection to the client computer

but do not require a physical connection. The absence of the need for physical contact makes them more convenient than both connected and

disconnected tokens. As a result, contactless tokens are a popular choice for keyless entry systems and electronic payment solutions such as

Mobil Speedpass, which uses RFID to transmit authentication information from a keychain token. However, there have been various security

concerns raised about RFID tokens after researchers at Johns Hopkins University and RSA Laboratories discovered that RFID tags could be

easily cracked and cloned. Another downside is that contactless tokens have relatively short battery lives, usually only 3-5 years, which is low

compared to USB tokens which may last up to 10 years. However, some tokens do allow the batteries to be changed, thus reducing costs.

Answer A is incorrect. Virtual tokens are a new concept in multi-factor authentication first introduced in 2005 by security company

Sestus. Virtual tokens work by sharing the token generation process between the Internet website and the user's computer and have the

advantage of not requiring the distribution of additional hardware or software. In addition, since the user's device is communicating directly

with the authenticating website, the solution is resistant to man-in-the-middle attacks and similar forms of online fraud.

Answer B is incorrect. Connected tokens are tokens that must be physically connected to the client computer. Tokens in this category

will automatically transmit the authentication information to the client computer once a physical connection is made, eliminating the need for

the user to manually enter the authentication information. However, in order to use a connected token, the appropriate input device must be

installed. The most common types of physical tokens are smart cards and USB tokens, which require a smart card reader and a USB port,

respectively.

Answer C is incorrect. Disconnected tokens have neither a physical nor logical connection to the client computer. They typically do not

require a special input device, and instead use a built-in screen to display the generated authentication data, which the user enters manually

via a keyboard or keypad. Disconnected tokens are the most common type of security token used (usually in combination with a password) in

two-factor authentication for online identification.