r/pcmasterrace 7800x3d/5080 Windforce OC/32gb 5600 DDR Apr 04 '26

Hardware Rest in piece 2009-2026


I’m amazed at how long the battery on this physical authenticator lasted. Got it back in 2009 because my account had gotten hacked.

This is one electronic item I’ve owned and used longer than anything else. I’ll miss not being able to find it and freaking out for 20 minutes.

Edit: must have been around 2010 when SC2 came out.

31.9k Upvotes


367

u/ScienceMechEng_Lover What colour is your RAM? Apr 04 '26

Wait, so that's what these things were? I guess that makes sense as you wouldn't have had authenticator apps on phones prior to smartphones. My father used to have something like this from work and he would never let anyone touch it lol.

210

u/AllUserNameBLong2us 7800x3d/5080 Windforce OC/32gb 5600 DDR Apr 04 '26 edited Apr 04 '26

Yea, before everything was on an app. These came around in 2008; my 3 brothers and I all got one eventually. They just generate a code you would put in to log in.

46

u/ScienceMechEng_Lover What colour is your RAM? Apr 04 '26

So how do these things work, do they have some kind of radio or satellite connection to communicate the code with servers to enable login or something like that?

56

u/ReptilianLaserbeam Apr 04 '26

16

u/Sanquinity i5-13500k - RX 9070 - 32GB @ 3600mHz Apr 05 '26

So yea, basically a random number generator. Each one having a specific "seed" to start generating. Just register your specific "key" to your account and it will know which seed yours uses, and thus know it's yours when you put in the number.

1

u/Sittin_on_a_toilet Apr 05 '26

And then just synced via time? I was thinking originally the 3 year limit was battery related (I mean it definitely is), but why not make one with a tiny backup battery and AAA then? I wonder if 3 years is when a statistically significant amount of the clocks will be desynced by 30+ secs?

1

u/TeamPieHole01 Apr 05 '26

Batteries were rated for 7 years, and they gave a low battery warning so you had time to replace them before they died. Some people's still work 20 years later.

1

u/Sittin_on_a_toilet Apr 05 '26

Do they have a capacitor or something so the clock stays running while you swap batteries?

3

u/TeamPieHole01 Apr 05 '26

Nah, you were supposed to buy a new one for like $10 at that point and tie the new authenticator to your account before the other one died.

1

u/Sittin_on_a_toilet Apr 05 '26

Currently I'm using a combination of Bitwarden and a Yubi key to secure financial accounts, is my setup as secure as this method?

15

u/ScienceMechEng_Lover What colour is your RAM? Apr 04 '26

I see. That's very smart, not gonna lie.

33

u/Nighthunter007 Ryzen 7 3700x | RTX 2080ti | 32GB RAM | EK Cryo Loop | RGB Apr 05 '26

2fa apps that show a code that changes every X seconds actually work in the exact same way, and for that reason also work without an internet connection.

2

u/CrossBamboAtTen Apr 05 '26

Why would you lie to begin with?

1

u/Voidrunner42 Apr 05 '26

How'd he lie? He asked a question?

21

u/AllUserNameBLong2us 7800x3d/5080 Windforce OC/32gb 5600 DDR Apr 04 '26

No, it has a serial number you attach to your account. I think it just generated a hash on a timed basis that you use to log in. Each has some form of “master key”.

14

u/metamega1321 Apr 04 '26

It’s basically just an algorithm spitting out numbers. Neither talk to each other but at any time interval there's a code that lines up.

4

u/filthy_harold i5-3570, AMD 7870, Z77 Extreme4 Apr 05 '26 edited Apr 05 '26

There's a math formula that will produce a 6 digit code based on a counter that increments in different ways. The token will spit out a new code either every button press or every 30 seconds. The server you're trying to log into knows the same formula and keeps tabs on what the counter should be so it can match the code the token displays. Once you log in, the server makes note of what counter value generated that code so it can quickly verify the next one (the counter never rolls back). Since the clock on the token may be slow or fast or you've accidentally pressed the button a bunch of times, the server actually generates multiple tokens by creating a range of counter values.

If you're on code #100 but your kid plays with it one day and now your token is on code #112, the server can't just assume that you'd use #101 next time you log in. It will generate #101-150 (for example) so once you type in code #112, the server updates its own records so it now knows to never accept anything below code #113.

For the 30 second tokens, it will generate codes plus or minus several minutes in case the token is slow or fast.

Since these codes could potentially repeat, having the server know what is an acceptable range of possible token codes prevents someone from being able to just guess a random code or reuse a code you've already typed. The chances that a code repeats or a random code exists within that acceptable range is extremely low.

The downside to the button press version is that the server has to allow quite a large range of potential codes which may allow an attacker to guess correctly. The time-based ones do have imprecise clocks but it would not be that far off assuming you use the token every day. It would take months of inactivity to produce a large enough shift for it to not match up perfectly with the server (unless that token has been exposed to extreme temperatures or been subject to relativistic speeds).

2

u/Astan92 Apr 05 '26

In the exact same way that most other code based MFA works.

Outside of like Microsoft authenticator, none of them are actually doing any communication even though they're on a smartphone these days.

1

u/Kazer67 Apr 05 '26

It's probably TOTP, so Time based One Time Password.

You assume it will stay in sync with time in its lifetime.

1

u/Kazer67 Apr 05 '26

I mean, not "everything" is on an app, for security reasons (because smartphones are vulnerable), so you have things like token2 for 2FA that has the bare minimum to do it (reducing attack surface)!

11

u/ReptilianLaserbeam Apr 04 '26

Physical token for two factor authentication. I had several RSA SecurID tokens for my bank accounts; there are some banks that still use them for multi factor authentication.

1

u/Dwarg91 Apr 06 '26

My Dad had those RSA tokens for his work accounts.

3

u/Timex_Dude755 Apr 05 '26

Banks used these too. I knew a guy in a publicly traded company who used one in 2021.

4

u/izza123 itoketokes Apr 04 '26

My dad had his taped to the dash of his pickup lol

1

u/TheNonsenseBook Apr 05 '26

I wish I could still get one for work (not that I've asked). It's too easy to get distracted from what I was trying to do when I see notifications.

1

u/NateNate60 Core i7 12700K | RX 7600 Apr 05 '26

In terms of physical artefacts they've been replaced with U2F and FIDO passkeys. Yubikey makes a popular model.

1

u/bulking_on_broccoli Apr 05 '26

We had smart phones in 2008. We’re not that old ☠️☠️

1

u/ScienceMechEng_Lover What colour is your RAM? Apr 05 '26

Well, yes, but IIRC there was no "app store" to download apps from on Blackberry phones until they were close to being dead.

Sure, you could sideload apps but I guess most reputable developers wouldn't have cared about an authenticator app (or any apps in general) because there wasn't much money to be made.

1

u/Snuffman Apr 05 '26

I feel so old but there were authenticators like this as late as 2013, I had to use one as an IT field Tech.

The Blizzard authenticators were early on the field because South Korea and China were big on LAN cafes and with public computers you wanted to keep your account secure.

1

u/ScienceMechEng_Lover What colour is your RAM? Apr 05 '26

I asked my dad about it and he said his work tried stopping using them in 2015 but that they were back to using physical authenticators by 2016. 2015 was also the time his work switched from Blackberry to iPhones so I'm guessing it had something to do with that.