A security token is a physical or digital object used to prove identity during authentication. Physical tokens generate time-based one-time passwords (TOTP) that change every 30 seconds. Digital tokens such as OAuth bearer tokens are strings of data that grant access to systems without requiring the user to re-enter credentials.
Hardware tokens such as RSA SecurID and YubiKey require physical possession as part of authentication. Even if an attacker steals a password, they cannot authenticate without the physical token, which makes such tokens a strong defense against credential theft and phishing.
CISSP Relevance
Security tokens are covered in Domain 5 (Identity and Access Management) as part of multi-factor authentication and identity verification. CISSP candidates must understand token types, their strengths and weaknesses, and how they fit into broader identity architectures.
External reference: NIST SP 800-63B Digital Identity Guidelines
Related terms: Multi-Factor Authentication, Authentication