How can a security token provide a valid access code without communicating with the server? How does such a token work? Let's find out! (AKIO TV) MMXVIII
The most comprehensive video on this topic on the internet. Simply impressive.
Excellent, very clear explanation.
Exceptionally well-done video on the subject matter. Although this video was posted in 2018, it provides very easy to understand information on the subject of Security Tokens. I was recently issued a security token device and wanted to know how it worked. This video was spot on. Thank you for doing such a great job explaining.
Yeah, I'm watching it in 2024 and it's still relevant. This kid must be a YouTube celebrity now 🙂
This guy really has an amazing way of explaining the concepts, I am jealous. Great Job man.
I had 3 questions to which I was searching for answers. And you just answered all of them in one video. Thanks mate!
thank you for this explanation, that was an easy and simple
That's actually quite some interesting maths and computing that goes on with these tokens. Great video as always!
It is indeed very interesting. Thanks for the comment!
@AKIOTV About three years ago my bank gave me an electronic device, an ENTRUST datacard 8-digit random code generator, to carry out online operations in web banking, etc. That device still seems great to me, I even carried it on my keychain, and it had nothing to do with my smartphone and the 6-digit code generator app (less secure) and the possibility of losing the smartphone, being hacked, or being the target of a DDoS attack. How can I reuse that ENTRUST datacard device?
Omg, I have been searching for an explanation on this topic for half an hour but didn't find a proper, easily understandable video, but you did it. Thank you very much, your sentences and explanation are just number 1. I have had only a few teachers in my whole life who were able to explain things this way as you did. Thanks again!!!
I have heard in another video that if the clock is going at a different speed on the token, then the server tries to generate the hash for 1 minute earlier and 1 minute after as its current counter and it compares those values with the value generated on the token, is that right?
P.S. I have subscribed to your channel
I believe that is indeed a thing, but it depends on the implementation. Someone might opt for a very harsh system for maximum security if that's needed (which wouldn't do what you mentioned) but it's also possible to have a more forgiving approach when convenience is valued. Also you have to consider what happens for 2 minutes, or three? Where do you draw the line? That all depends on how much you value ease of use or security.
@AKIOTV That's true. Thanks for the quick answer. :)
Really really good explanations, thank you very much, I wasn't aware of much of this and have been researching it for 2 days.
Excellent video. I just pulled apart a token which is no longer used, as the bank has moved to a phone-based system. This token was operational till a couple of months ago; it is a clock-based token. Manufactured on Oct 30th 2006, so the clock did stay in sync for 15 years, used daily, and the battery lasted that long as well.
Thank you for explaining the concepts so clearly.
Well-done video covering the needed aspects to understand token-based authentication
Thanks man, the moment you said 'clock', it Clicks! 👍
Dr. Harinda is undoubtedly the best lecturer!
Excellent explanation...very clear for everyone. Thanks
Very clear and informative. Great video!
Thanks very much! That was an absolutely stellar explanation! Much appreciated!
I subscribed due to the wooden and duct tape mic stand. This is my people.
Interesting video, congrats on your knowledge and clear explanation.
That was a really really really helpful video, thank you king.
FYI. Clocks can be synchronized via HF radio receiver or GPS receiver. The HF radio takes less power and is used by some wristwatch.
I would modify the counter-based method so that the user can press an "I have accidentally pressed the button on the token" button on the server after typing in the password. That way, the server counter will be in sync again.
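The two tolerance mechanisms raised in these comments (the server also checking the time block one minute earlier and one minute later, and the server catching up after accidental button presses) can be shown in a few lines. This is an added example, not code from the video or from any commenter; it assumes RFC 4226 HOTP as the code function, a 60-second time block, the RFC's public test key, and illustrative function names.

```python
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 4226 public test key, not a real token seed


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_time_based(secret, code, server_time, step=60, drift=1, digits=6):
    """Clock-based token: try the server's current block, then its neighbours.

    Returns the block offset that matched (0, -1, +1, ...) or None.
    drift=0 is the strict policy; a larger drift trades security for convenience.
    """
    block = server_time // step
    for off in sorted(range(-drift, drift + 1), key=abs):
        if block + off >= 0 and hmac.compare_digest(
                hotp(secret, block + off, digits), code):
            return off
    return None


def verify_counter_based(secret, code, server_counter, look_ahead=5, digits=6):
    """Counter-based token: search a few counters ahead of the server's value.

    Returns the new server counter (match + 1) or None. Moving the counter
    past the match resynchronises the server and blocks replay of older codes.
    """
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c + 1
    return None


if __name__ == "__main__":
    # Constructed scenario: token clock is in block 1, server clock in block 2.
    late_code = hotp(SECRET, 1)
    print("strict   :", verify_time_based(SECRET, late_code, 125, drift=0))
    print("tolerant :", verify_time_based(SECRET, late_code, 125, drift=1))
    # Constructed scenario: button pressed three times without logging in.
    print("resync to:", verify_counter_based(SECRET, hotp(SECRET, 3), 0))
```

Compare the time-based result with `is not None`, since a match in the current block returns offset 0. A production server would also record the last accepted time block so a code cannot be used twice inside the window.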
Very well presented!
Thanks for your explanation, really helpful and great knowledge
Keep it up man your voice is made for youtube!
very well presented.. cheers.
Brilliant explanations! Thanks!👍
Your presentation is really outstanding, Keep it going.
Thank you for the explanation
Great explanation and super helpful Thank you
Boy your voice and Accent is nice & so British ....:-)
Very well explained
Great explanation, thank you!!!
What’s the difference between a security token and a Yubikey?
thanks, finally found what i was looking for. go on the good work
Great !!
Excellent..
Really interesting, thanks man!
Let's say you are finding this token device, and it takes some good amount of time, AND THEN we press the button for it to give us an 8-digit code. How will that be in sync since the click was later than the server's?
I was kind of guessing that's how it works but wouldn't it in theory be possible to extract the data in the memory of the token, then using a number of working examples to figure out how it generates the key?
great explanation!
I've a small, tiny, relatively simple token device which looks pretty much like the one you first explained. It's the authentication system for my job taking care of Mom. So, it doesn't seem to have a GPS function. As you've explained, both server and token device both generate a random number? And it generates a new set of numbers every minute...
What happens if the battery dies in the key fob? The server and the key clock are not synchronized if the battery dies. What if the server and the key get synchronized whenever it asks the user to type the key?
Thank you it is very helpful information
What type of memory do they use?
I've accidentally taken it with me for several hours all over town miles away from home and nothing negative happened. Called Vesta visit clock
Very fine video, very informative. Well done. I'm just getting into tokens, what are your thoughts on the Yubico line of tokens?
Not sure, I haven't used one.
Do you find that many online accounts support this type of token? I can't get it to work with sites like Google or Facebook.
I want to build this for a company and that's why I'm here
Do all non-counter type tokens issued to be used on the same server, display the same number at any given time block?
No
I like your mic stand lol
great video btw :)
I'm pretty certain what many people (and I) own is a version of the first system you mentioned, mixed with the last one, I think it has a timer connected to some kind of key/algorithm, you input the 6 digit code the server gives you, get a code back and fill that in. A quick look at its patent page seems to confirm that (it has the patent numbers on the back). Most bank security tokens are like that where I live.
maybe it allows for larger time blocks?
How does this technology compare to the 2FA of Google Authenticator and Twilio? Would this technology replace security token?
same principle except you run it on a phone instead of a dedicated device
@AKIOTV Thank you!
@AKIOTV I am using an app called Symantec VIP Access on my phone to generate a code. Is a dedicated device safer, or is the phone just as safe?
Wonderful!
I love your accent OMG
Good video, thanks
You've got the same phone as me! Nokia 215
that was great!!!
Thanks!
Thank you, buddy
So that's why once the battery dies the device is done for.
I have an RSA token that had fallen on the streets of India, don't know what to do about it
Is it possible to decrypt the hash with enough codes generated and time?
I just found one of these on the floor and I’m here to know what the hell is it. I will never watch any kind of video like this. :)
Nice.
It's all Geek to me.