password fob : Java Glossary


password fob
Sometimes known as security tokens or identity tokens, these are electronic keys you can put on your keychain to hold your passwords. You usually have to enter a PIN to activate the fob, so you combine two locks, something you have and something you know, to log in, unlock encrypted files etc. Sometimes they have an internal clock that changes the passwords every minute for further security. The passwords or passphrases can be huge, untypeable and unguessable.

Further, schemes can be set up so the fob never divulges its private keys to anyone, just answers challenges to prove it knows them. The same fob can be used for many purposes. It is designed to destruct rather than divulge its private keys.

Flash drives can hold 64+ megabytes of additional information and can be used for securely transferring information from one place to another.

Other sorts of digital id are based on scanning fingerprints or the iris of the eye, but they are obviously much more expensive technology.

Ezio Time-based 6-Digit Token for use with Amazon Web Services (ASIN B002CRN5X8)

Think about how this device might work. A high security implementation might work like this:

  • It has a private key burned into its firmware.
  • It encrypts the current time (rounded to the nearest 30 seconds) with the private key.
  • Amazon has on file a copy of the corresponding non-secret public key.
  • Amazon then takes the encrypted time, decrypts it with your public key and sees if it matches the current time.

The advantages include:

  • If someone snoops on your conversation, the password that they steal will not be of any use in future.
  • If someone breaks into Amazon, all they can steal is your public key, which is not even a secret. It is useless for impersonating you.
  • If someone breaks into your computer, your private key is not there in any form. It lives only inside the token and cannot be retrieved.

A low security implementation might work like this:

  • To get it started, Amazon sends it a random number over an https: link.
  • The fob encrypts the current time (rounded to the nearest 30 seconds) with that seed.
  • Amazon has on file a copy of the corresponding seed.
  • Amazon then takes the current time on its server and encrypts it to see if it matches the value just sent from the fob.

The weakness of this system is that if hackers steal the seeds, the whole system is compromised. The other weakness is that every website you use this device on has to know its secret seed. That increases the odds of hackers getting access to everything.


Manufacturers are notoriously close-lipped about just how their devices work. They don’t want you to crack them or be aware of their vulnerabilities to help protect yourself. However, they say they implement OATH standards, so that may contain a clue.
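
The shared-seed scheme above, sketched as an added example (not from the original page or from any manufacturer): it follows the OATH TOTP standard (RFC 6238), which derives the code with HMAC-SHA1 over the 30-second time counter rather than by encrypting the time. That the Ezio token works exactly this way is an assumption; the seed is the RFC's published test value and the function names are illustrative.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays valid, as in the description above
DIGITS = 6   # the token displays a 6-digit code


def totp(seed: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Code the fob shows at unix_time (RFC 6238 with HMAC-SHA1)."""
    counter = unix_time // step  # RFC 6238 rounds the time down to the step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F      # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(seed: bytes, submitted: str, server_time: int, drift_steps: int = 1) -> bool:
    """Server side: recompute from the server's copy of the seed, allowing clock drift."""
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(seed, server_time + delta * STEP)
        # Constant-time comparison; every candidate window is always checked.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 test seed, not a real secret
    now = 1111111109                # constructed timestamp from the RFC test vectors
    code = totp(seed, now)
    print("fob shows:", code)
    print("accepted now:", verify(seed, code, now))
    print("accepted 5 minutes later:", verify(seed, code, now + 300))
    # The weakness described in the text: the server's copy of the seed is
    # sufficient to produce the same code, with no fob involved.
    server_copy = bytes(seed)
    print("computed from the server's copy alone:", totp(server_copy, now))
```

A sniffed code stops verifying once the drift window has passed, which matches the first advantage listed above, while the last line shows why the seed database is the asset to protect.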

It is too bad that you cannot use this wonderful device on websites other than Amazon AWS, such as your bank.

A similar device could be invented that did not require you to key the generated password. You would insert it into a USB port. It would not even need a clock. Amazon could send a random string to encrypt. However, that hypothetical certificate-based device would need a special browser adaptation.


Canadian Mind Products
Contact Roedy. Please feel free to link to this page without explicit permission.
