Token-Based Authentication can be used to identify a user logging into a web or cloud service. The user is sent an identification code, known as a Token or Security Token, by the web service they have logged into. The Token is submitted back to the service and used as the second factor in Two-Factor Authentication.
In the broadest sense, a Token is a unique identifier. In terms of authentication, a Token is a random number based on the login credentials that were just entered, and it cannot be traced back to those credentials without access to the web service. Tokens of this type allow the service to verify that the user is the same one it communicated with previously during login.
An Authentication Token can refer to:
A fixed number or one that can change at fixed intervals.
The number or the device on which it is stored.
A Token can be generated either in the client application or the online web service.
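As an added illustration (not part of the original page), the sketch below uses TOTP (RFC 6238) as one common instance of a token that changes at fixed intervals and is computed independently by the client application and by the web service. The secret is the RFC's published test key; `verify` and its `drift` and `last_used_step` parameters are names chosen for this example.

```python
import hashlib
import hmac
import struct

# Constructed sample: the shared secret published in the RFC 6238 test vectors.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code for a single counter value (RFC 4226, HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Code for the interval containing `now` (Unix seconds)."""
    return hotp(secret, now // step, digits)


def verify(secret: bytes, submitted: str, now: int, last_used_step: int = -1,
           step: int = 30, drift: int = 1, digits: int = 6):
    """Service-side check. Returns the matched interval number, or None.

    drift          -- intervals of clock skew tolerated on either side
    last_used_step -- newest interval already accepted for this user;
                      anything at or before it is refused (replay protection)
    """
    current = now // step
    for candidate in range(current - drift, current + drift + 1):
        if candidate < 0 or candidate <= last_used_step:
            continue
        expected = hotp(secret, candidate, digits)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return candidate
    return None


if __name__ == "__main__":
    code = totp(SECRET, 59)               # client side, at t = 59 s
    print("client code:", code)
    matched = verify(SECRET, code, 65)    # service side, a few seconds later
    print("accepted in interval:", matched)
    # Same code submitted again after the service recorded the interval.
    print("replay:", verify(SECRET, code, 65, last_used_step=matched))
```

The service should persist the returned interval number per user and pass it back as `last_used_step` on the next attempt, so a code observed in transit cannot be reused inside its validity window.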
Hard (Hardware) Token
A Hard Token is stored on a dedicated hardware device that is designed not to be duplicated. Personal Identification Numbers (PINs) in key fobs and smartcards are examples of hard tokens.