Token-based Authentication

By: David Puzder

Last month, we covered password-based authentication explaining how to authenticate a user based on something they know. Another means to authenticate a user’s identity is through something they possess – a token. A common instance of token-based authentication is a house key. Ideally, only the person who possesses the proper key can unlock the corresponding door. Similarly, there should only be one unique token per user. Besides physical keys, tokens can also be memory cards and smart cards.

Memory Cards

Memory cards, such as bank cards with a magnetic stripe on the back, can store data but not process data. Cards with magnetic stripes store readable and re-writable digital data. Due to simple operation and low replacement cost, hotels often use memory cards as room keys instead of metal keys. While adequate for temporary ownership, memory cards alone are not robust enough for permanent ownership.

Smart Cards

Smart cards, or smart tokens generally, all contain an embedded microprocessor. Using internal chips, smart cards store more data than memory cards and intelligently interact with the reader. Although some smart cards may also include a magnetic stripe, contemporary smart cards have either a contact interface, a contactless interface, or a hybrid of both.

Contact smart cards expose an electrical contact plate, usually gold-plated, on the card’s surface. After inserting a contact smart card into a reader, communication can begin. On the other hand, contactless smart cards only need to be near the reader to communicate via radio. Most contactless smart cards use an electromagnetic signal from the reader to power an internal chip, but the range is limited to about 1.5 to 3 inches. Contactless smart cards are useful for fast interactions like payments or building access.

Despite security improvements from memory cards to smart cards, token-based authentication alone still has its shortcomings:

  • Misplacement – It can be easy to lose or damage your token, and there is an administrative and manufacturing cost to replace it. While replacing the token, the owner could be temporarily locked out of the system. At an automatic teller machine (ATM), a lost debit card can prevent the owner from withdrawing cash on a deadline.
  • Specialized Reader – Buying and maintaining a card reader has its costs.
  • User Dissatisfaction – Using a token for computer access may inconvenience users.

As with any authentication method, combining token-based authentication with another form of authentication improves security. For instance, an ATM at Chase Bank requires customers to provide their debit card and their personal identification number (PIN). This way, if a thief steals or duplicates someone’s bank card, they would need to figure out the account’s PIN before using the victim’s account.

Tips for Smart Card Use:

  • Report lost smart cards and suspected fraud immediately.
  • Store your smart card in a safe place.
  • Only share your smart card in case of emergencies.
  • Shred or destroy your old smart cards. If it has an external contact point, make sure to cut it in half.
  • Consider using an AirTag or Tile to help locate your misplaced tokens.

Additional Reading:

 Your WashU ID | Campus Card Services | Washington University in St. Louis (

 Covid pandemic accelerating the shift from cash to digital payments (

 What is a national ID card? (National ID, digital ID) (

 Goodbye magnetic stripe | Mastercard Newsroom