Frequently Asked Questions


Security Questions

Is the ring or its authentication protocol hackable?

The ring uses the FIDO2 protocol for authentication, and 128-bit encryption for communication and authentication, which would require over 1 billion years of current supercomputer power to hack. Coupled with the storage of credentials on a dedicated, biometrically secured hardware device, Token provides an effectively unhackable authentication solution.

Who has validated this?

The ring's implementation of the FIDO2 protocol has been given Authenticator Certification Level 1 (L1) by the FIDO Alliance. 

What is 5FA?

5FA is a multi-factor approach to security, where authentication depends on five factors:
  • Having the right credential.
  • Being biometrically verified.
  • Physically wearing the ring.
  • Being physically present within inches of the device to which you are authenticating.
  • Performing an action that conveys the real intent by the user to conduct an authentication.

What about alternative 2FA methods of security, like text messages, USB authenticators, or OTP cards?

Most common methods of 2FA are vulnerable to low-skill attacks (e.g., SIM swapping, phishing email forms, etc.) or require users to remember to keep an unwieldy or easily misplaced security device with them at all times. With Token, you wear it all day and don't have to think about it.

What makes 5FA so secure?

Token's approach is built on many exciting technologies, but the core of the design is to take the human out of the equation. Users can't share, intentionally or accidentally, credentials or secret information stored on the ring. There are no one-time codes to view or guess, and no text messages on which to eavesdrop. The user is biometrically verified, and the ring is only usable when worn by that user, so the ring cannot be shared with or transferred to anyone else.

What is Zero Trust?

Zero Trust is a paradigm in which trust is not granted based on factors like device ownership or location within or outside of a network. (A convincing phishing attempt might utilize weak or reused credentials to gain control of the email account of an employee. That employee's account then requests access or information from a coworker, who may trust that the request is valid without questioning if it's really the presumed account holder who is sending the emails.

Alternatively, a network may treat devices within a local network as inherently trustworthy, allowing attackers to move laterally and uninhibited once an initial network intrusion is successful.)

Zero Trust is akin to a philosophy of "trust but verify," where the organization adopts a security posture in which access to resources is minimized, and access permissions are contingent upon continuously authenticating and authorizing each request for access. Token's 5FA approach is rooted in this way of thinking and will bolster the security of any organization interested in a Zero Trust approach.

Is there a risk of false-positive authentications?

Each element of Token's multi-factor security approach is robust on its own, but the combination of the five factors makes exploitation or accidental authentications an effective impossibility.

What happens when someone loses their ring?

Unlike access badges or keys, there's virtually zero risk of a lost or stolen ring being used for malicious access. The ring owner simply needs to inform the appropriate IT personnel, who can revoke the access permissions associated with the credential stored on that ring and enroll the user again with a new ring. The old ring cannot be unlocked by anyone but the enrolled user, so there's no risk of someone utilizing it if it is found or stolen.

Is the biometric authentication reliable?

The biometric authentication performed by the ring isn't significantly affected by environmental or behavioral factors, like temperature or stress, making authentication reliable. However, if a user experiences an injury to the enrolled finger or is otherwise having issues reliably authenticating biometrically, they can simply inform the appropriate IT personnel, who can provide troubleshooting or even re-enroll the user with a different finger.

I'm concerned about phishing attempts and ransomware threats to my organization. How can Token prevent these?

Token virtually eliminates the need for weak and reused credentials. These are the primary vectors by which threat actors gain a foothold in or otherwise impersonate someone within an organization. Furthermore, if Token is used for authentication as part of a Zero Trust approach to security, you can rest assured that the user who is being authenticated is the same one you enrolled.

General Questions

Questions about Token

Is the company funded?

The company has raised $23M from Grand Oaks Partners, New York State, Rochester Institute of Technology and others.
