They may be used in place of or in addition to a password to prove the owner's identity.
Security tokens are not always secure—they may be lost, stolen, or hacked.
Real-World Example of a Security Token
You might use a security token to access a sensitive network system such as a bank account, in order to add an extra layer of security. In this instance, the security token is used in addition to a password to prove the account owner's identity.
Also, security tokens store data in order to authenticate the owners' identities. Some store cryptographic keys, a system used in cryptocurrency services such as Bitcoin, but the key must be kept secret. Some use time-sensitive passwords, which are coordinated between the token and the network and are reset at constant intervals. Others use biometrics such as fingerprint data to ensure that only the owner of the security token can access protected information.
Weaknesses of Security Tokens
As with any system, security tokens are not flawless. If the token is lost or stolen or if it isn't in the owner's possession, it cannot be used to access a service. However, the owner can take steps to prevent loss or theft, such as locks or alarms, and the token can be rendered useless to a thief by using two-factor authentication, which requires both an item in the owner's possession (for example, a bank card) and a piece of knowledge (for example, a PIN) to access the token.
Security tokens can also be hacked. This often happens when the owner unknowingly provides sensitive information to an unauthorized provider who then inputs the information into the secure network. This is known as man-in-the-middle fraud. Any network connected to the Internet is vulnerable to such an attack.