# Token

> Source: Courseiva IT Certification Glossary — https://courseiva.com/glossary/token

## Quick definition

A token is like a digital ticket that proves you are allowed to do something. When you log in to a website, you often get a token stored in your browser that lets you stay logged in without typing your password again. Tokens can also be physical devices like key fobs that generate codes. In AI services, tokens can be small pieces of text the computer understands.

## Simple meaning

Imagine you go to a movie theater and buy a ticket. That ticket is a token. It gives you permission to enter the theater, sit in a specific seat, and watch the movie. You don’t have to prove you paid every time you enter the room; you just show your ticket. In the world of computers, a token works the same way. When you log in to an online service, the system checks your username and password once, then gives you a token. That token is a small piece of data that acts like a digital ticket. Whenever you click on a new page or request something from the server, your computer automatically presents the token. The server looks at the token and says, “Ah, this person is already logged in, I trust them,” and sends back the information you asked for.

Tokens are very useful because they mean you do not have to keep typing your password, which would be annoying and unsafe. Tokens can also expire after a certain time, like a movie ticket that is only good for today’s show. If someone steals your token, they can only use it for a short while, so the damage is limited. There are different types of tokens. A software token is just a special file or string of characters stored on your computer or phone. A hardware token is a small physical device, like a key fob that shows a number that changes every 30 seconds. You might have seen one from your bank or work. Both types serve the same purpose: they prove you are who you say you are.

In another context, like when you use an AI system that understands language, a “token” is a tiny piece of text. For example, the word “unbreakable” could be split into three tokens: “un”, “break”, and “able”. The AI counts tokens to know how much text it can process at once. So, the same word “token” has multiple meanings in IT, but they all share the idea of being a small, replaceable unit that represents something bigger.

## Technical definition

In IT and cybersecurity, a token is a cryptographic or non-cryptographic data object that serves as proof of identity, authorization, or possession of certain attributes. Tokens are central to authentication, authorization, and session management in modern distributed systems. The most common implementation is the JSON Web Token (JWT), defined by RFC 7519. A JWT consists of three parts: a header, a payload, and a signature. The header specifies the signing algorithm (e.g., HS256 or RS256). The payload contains claims, such as user ID, roles, and expiration time (exp). The signature is created by taking the base64url-encoded header and payload, concatenating them with a dot, and signing the result using a secret key (for HMAC) or a private key (for RSA). The recipient verifies the signature using the corresponding public key or shared secret, ensuring the token has not been tampered with.

Tokens are used in OAuth 2.0 and OpenID Connect protocols. OAuth 2.0 defines an access token, which is a credential issued by an authorization server. The client application presents this token to a resource server to access protected resources, like user data or APIs. Refresh tokens are longer-lived tokens used to obtain new access tokens without requiring the user to log in again. OpenID Connect extends OAuth 2.0 by adding an ID token, which is a JWT that contains identity information about the user, such as name and email. The ID token is always a JWT, while access tokens can be opaque (a random string) or structured (JWT).

In the context of Azure AI services, the term “token” refers both to authentication tokens (e.g., for calling Cognitive Services APIs) and to text tokens used in natural language processing. Azure Cognitive Services APIs typically require a subscription key or an access token obtained from Azure Active Directory. The token is included in the HTTP Authorization header. For language models like GPT, “token” refers to a unit of text that the model processes. A token can be as short as one character or as long as one word, depending on the language. The model’s context window is measured in tokens, meaning the model can only “remember” a certain number of tokens at once. Developers must be aware of token limits when designing prompts.

Hardware tokens, such as YubiKeys or RSA SecurID, generate one-time passwords (OTPs) using time-based or event-based algorithms. They follow standards like HOTP (RFC 4226) and TOTP (RFC 6238). The device and the server share a secret key. The token combines this key with the current time (TOTP) or a counter (HOTP) to produce a number that changes frequently. The server replicates the same calculation and compares the results. This provides two-factor authentication (2FA) because the user must possess the hardware token and know their password. Tokens can also be virtual, stored on smartphones via authenticator apps.

In networking, a “token” appears in token ring networks, where a special frame called a token circulates around the ring. A device must capture the token to send data. This is largely obsolete but appears in some older exam questions. Overall, the technical concept of a token is about delegation of authority: the user authenticates once, receives a token, and then uses that token for subsequent requests, reducing the need for repeated credential transmission.

## Real-life example

Think about a concert wristband. When you buy a ticket for a big music festival, you go to the entrance, show your ID and ticket, and they give you a colorful wristband. That wristband is a token. You wear it for the whole day. Whenever you want to go from one stage to another, you just show your wristband. You don’t have to pull out your ID and paper ticket every time. The security guard sees the wristband and knows you’re allowed to be there. If the wristband has a special color for VIP access, you get to go to the VIP lounge too. The wristband might have a tiny chip that lets you tap to pay for food and drinks, so it also acts like a payment token.

Now, let’s compare this to a computer token. When you log into your company’s email system, you type your username and password once. The server checks and then “gives” you a digital wristband, a token. Your email client (like Outlook) stores this token. Every time you click “Send” or “Refresh,” your email client automatically shows the token to the server. The server says, “Great, you have a valid wristband, here’s your inbox.” This token might expire at the end of the workday, just like a wristband that is only good for one day. The next day, you need to log in again to get a new token.

What if you lose your physical wristband? Someone else could pick it up and sneak into the concert. That’s why digital tokens are protected with signatures and encryption. They can also be quickly revoked. If your company suspects your token was stolen, they can immediately cancel it, just like security can cut off a wristband. The physical analogy breaks a little because you can’t duplicate a wristband easily, but digital tokens must be carefully protected from copying. Still, the core idea is the same: a token is a convenient, temporary proof of permission that saves you from going through the full identification process every time you make a request.

## Why it matters

Tokens are fundamental to nearly every modern IT system. When you access a website, use a mobile app, call an API, or authenticate to a cloud service, tokens are at work. Without tokens, every request would require transmitting your password, which is extremely dangerous. Passwords could be intercepted by anyone on the network, and if the server’s database of passwords is stolen, all users are compromised. Tokens reduce this risk because they are temporary and specific to one service. Even if a token is stolen, it usually expires within minutes or hours, limiting the attacker’s window of opportunity.

For IT professionals, understanding tokens is essential for designing secure authentication systems. When building an application, you must decide what kind of tokens to use: JWT, opaque tokens, or perhaps a session cookie. You need to know how to store tokens securely on the client side, often using HttpOnly cookies or secure local storage. You must also implement token refresh flows so that users are not forced to log in every few minutes. In a microservices architecture, services need to validate tokens to enforce permissions. If a token is misconfigured, a user might be able to access data they should not see. For example, if a JWT does not have an explicit audience claim, a token meant for one API might be accepted by a different API, causing a privilege escalation.

In cloud environments like Azure, tokens are used for everything from accessing storage accounts to calling AI services. Azure AD issues tokens for users and service principals. Developers must understand how to acquire tokens via OAuth 2.0 flows, such as authorization code flow or client credentials flow. Mistakes in token handling are a leading cause of security vulnerabilities, including session hijacking, cross-site request forgery (CSRF), and broken authentication. Therefore, mastering tokens is not just an exam topic; it is a day-to-day skill for any IT role involving security, development, or administration.

## Why it matters in exams

Tokens appear in many IT certification exams, from CompTIA Security+ to Microsoft Azure certifications like AZ-900 and SC-900. In CompTIA Security+, tokens are covered in the authentication and identity management domain. You might see questions about multifactor authentication (MFA) where a hardware token is one factor, or about session tokens and how they can be protected. The exam expects you to know that tokens can be something you have (a physical token) or something you are (biometric is not a token, but rather a separate factor). You should understand that tokens reduce the risk of replay attacks because they often include timestamps and expiration times.

In Microsoft Azure exams, especially SC-900 (Security, Compliance, and Identity), tokens are central to Azure AD authentication. Questions ask about the difference between access tokens, ID tokens, and refresh tokens. You might be given a scenario where an application needs to call Microsoft Graph, and you must select the correct token flow, such as the on-behalf-of flow. The exam also tests your understanding of managed identities, which use tokens automatically provisioned by Azure for resources like virtual machines to access other services. For AZ-900, you should know that Azure AD issues tokens for authentication and that tokens expire, requiring periodic refresh.

In general IT exams like the ITIL foundation, tokens might appear in the context of access management, where a token is a method of authentication. However, the deepest coverage is in security and cloud-specific exams. Exam questions often present a scenario where a user’s session token is stolen, and you need to identify the risk (session hijacking) and the best mitigation (using HTTPS, HttpOnly cookies, and short token lifetimes). Another pattern is comparing tokens with cookies or certificates. You must know that a certificate is a specific type of token that uses public key infrastructure (PKI), while a JWT is a lightweight, self-contained token format.

For the exam, you should memorize token lifecycle: issuance, presentation, validation, expiration, and revocation. Know the difference between stateless tokens (JWTs that contain all information) and stateful tokens (session IDs stored on the server). Be familiar with token handling best practices: never put sensitive data in JWT payload (it is base64 encoded, not encrypted), always validate the signature, check the issuer and audience, and enforce expiration. The exam might also ask about token binding, where a token is cryptographically bound to the client device, preventing its use elsewhere. This is advanced, but appears in some security-focused questions.

## How it appears in exam questions

Exam questions about tokens come in several flavors. The most common is the scenario-based question, where you are given a description of an application and its authentication method, then asked to identify the best token type or correct flow. For example: “A company builds a web app that accesses user calendar data from Microsoft 365. Users log in with their corporate credentials. The web app needs to access the Calendar API without storing the user’s password. Which OAuth 2.0 flow should the app use?” The answer is the authorization code flow with PKCE, which returns an authorization code that is exchanged for an access token and a refresh token. You must know that the implicit flow is deprecated because it exposes the access token in the browser URL.

Another type of question is about token security. The question might present: “An e-commerce site uses JWTs for user sessions. A penetration tester discovers that a user can modify the JWT payload to change their role from ‘user’ to ‘admin’ and gain access to admin functions. What is the most likely cause?” The answer is that the JWT signature is not being validated, or the server is using a weak or default secret key. A follow-up question might ask how to fix it: implement proper signature verification using a strong, unique secret key stored securely.

A third pattern involves token expiration and refresh. For instance: “A mobile app uses an access token with a 60-minute lifetime. The user works for several hours without interruption. What should the app do to maintain access?” The correct approach is to use a refresh token to obtain a new access token before the old one expires. The app might also silently refresh the token in the background. Wrong answers could include storing the password in the app or extending the access token lifetime, which is less secure.

In Azure-specific exams, questions might present a configuration scenario: “You deploy a virtual machine that needs to access Azure Key Vault to retrieve secrets. You do not want to store any credentials in the VM. What should you use?” The answer is a managed identity, which automatically rotates tokens. You might also see a question about token validation: “When an API receives a JWT, what claim must be checked to ensure the token was issued by the correct authority?” Answer: the “iss” (issuer) claim.

Finally, some questions compare token types: “What is the difference between an access token and a refresh token?” An access token is used to access protected resources and has a short lifespan. A refresh token is used to obtain new access tokens, is longer-lived, and must be stored securely. You may also be asked about opaque tokens vs. self-contained tokens. Opaque tokens are just random strings that require the server to look up the session in a database, while self-contained tokens (JWTs) contain the session data within the token itself.

## Example scenario

Scenario: Imagine you work at a company called TechCorp. You are an IT support specialist. Sarah, a sales representative, calls you because her work laptop keeps asking her to log in every few minutes. She types her username and password, works for a while, then suddenly the system locks her out and she has to log in again. She says it is very frustrating and reduces her productivity. You suspect the issue is related to token expiration. You check the system settings and find that the company’s authentication server is configured to issue session tokens that expire after 5 minutes of inactivity. The application does not use refresh tokens. When the token expires, the app requires Sarah to re-enter her credentials.

You decide to implement a solution. First, you increase the session token lifetime to 60 minutes, which is more reasonable for a sales role that involves short bursts of activity. However, you know that longer token lifetimes increase security risk, so you also configure the server to issue refresh tokens with a 24-hour lifetime. Now, when Sarah’s session token expires after 60 minutes, her laptop automatically uses the refresh token to get a new session token without prompting her for credentials. This only works if the refresh token is still valid (less than 24 hours old). You also enable “session revocation” so that if Sarah’s laptop is stolen, an admin can invalidate both the session token and the refresh token immediately.

You test the setup with Sarah. She logs in once in the morning. She takes a lunch break for 30 minutes. When she returns, the system still works because the session token hasn’t expired yet. Later in the afternoon, her session token expires, but the system silently refreshes it. She does not notice any interruption. Sarah is happy. You also educate her that if she ever leaves her laptop unattended, she should lock it, because an attacker could use her active session to access company data until the token expires. This scenario illustrates how tokens, expiration, and refresh flows directly impact user experience and security.

## Common mistakes

- **Mistake:** Storing tokens in browser local storage for single-page applications.
  - Why it is wrong: Local storage is accessible by any JavaScript running on the same domain. If an attacker injects a script via XSS, they can steal the token and impersonate the user.
  - Fix: Use HttpOnly cookies instead, which cannot be read by JavaScript. For SPAs, consider the BFF (Backend for Frontend) pattern where tokens are stored in server-side session cookies.
- **Mistake:** Not validating the JWT signature on the server.
  - Why it is wrong: A token without signature validation can be easily forged. An attacker can modify the payload (e.g., change role from “user” to “admin”) and construct a new token. The server will accept it as valid.
  - Fix: Always verify the signature using the correct public key or shared secret. Use established libraries that handle this automatically. Do not implement your own JWT parsing.
- **Mistake:** Using tokens with very long expiration times without refresh tokens.
  - Why it is wrong: A long-lived token (e.g., 30 days) increases the window of risk. If the token is stolen, an attacker has a month to use it. Also, the user cannot be revoked easily without invalidating all sessions.
  - Fix: Use short-lived access tokens (e.g., 15-60 minutes) combined with refresh tokens that have longer lifetimes. Implement token revocation endpoints for immediate invalidation.
- **Mistake:** Putting sensitive data in the JWT payload, such as Social Security numbers or credit card details.
  - Why it is wrong: JWT payload is only base64-encoded, not encrypted. Anyone who intercepts the token can decode and read the data. The signature does not provide confidentiality.
  - Fix: Never put sensitive information in a JWT. If you must include personal data, use encrypted JWTs (JWE) or store the data on the server and include only a reference in the token.
- **Mistake:** Assuming all tokens are the same and can be used interchangeably.
  - Why it is wrong: Different token types (access token, ID token, refresh token) serve different purposes. Using an ID token as an access token can lead to missing the intended access controls. ID tokens are for client identification, not resource access.
  - Fix: Understand the specification for each token type. In OAuth 2.0, use access tokens for API calls and ID tokens only for client-side user identification. Refresh tokens should only be sent to the authorization server, not to resource servers.

## Exam trap

{"trap":"A question asks: “Which of the following provides the strongest authentication? A) Password + SMS code, B) Password + hardware token, C) Password + security questions, D) Password + email verification.” A learner might choose B because hardware token seems secure, but the trap is that SMS codes are also considered a “token” and can be intercepted via SIM swap attacks.","why_learners_choose_it":"Learners often think hardware tokens are always superior to software-based tokens. They may not realize that SMS-based codes are vulnerable to phishing and SIM swapping, and that modern authenticator apps (software tokens) are actually more secure than hardware tokens in some scenarios because they are tied to the device.","how_to_avoid_it":"Read the question carefully. The exam expects you to know that a hardware token (something you have) combined with a password (something you know) is generally considered strong. But the trick is that security questions and email are weaker. The best answer is usually “Password + hardware token” if the alternative is SMS. However, be aware that modern exams may require you to select the most secure combination among the given options. If the option includes “password + FIDO2 security key” that is even better. Always apply the principle of phishing resistance: hardware tokens that are FIDO2/WebAuthn are resistant to phishing, while SMS codes are not."}

## Commonly confused with

- **Token vs Session cookie:** A session cookie is a small piece of data stored by the browser that identifies a session. It is often a random string that the server uses to look up session data. A token (like a JWT) is self-contained and does not require server-side storage. Tokens can also be used across multiple services, while session cookies are typically tied to one server. (Example: When you log in to an online store, the website sets a session cookie in your browser. That’s just an ID number. The server has a database that says “user 1234 is logged in.” A JWT token, on the other hand, contains the user’s name and roles directly in the token itself, so the server does not need a database lookup.)
- **Token vs Certificate:** A digital certificate (X.509) is a type of token that binds an identity to a public key using a digital signature from a trusted Certificate Authority. Certificates are used for TLS and code signing. While a JWT is also cryptographically signed, a certificate has a hierarchical chain of trust and is typically long-lived (years), whereas a JWT is short-lived and self-contained. (Example: An SSL certificate proves that a website is really google.com. It is a token that tells your browser “this public key belongs to Google.” A JWT token on the other hand might tell a website “this user is Alice,” but it does not use a public CA; it is signed by the website itself.)
- **Token vs API key:** An API key is a simple, static string that identifies the caller. It is not a token because it does not contain claims about the user and it does not expire automatically. API keys are like long-term passwords for machines. Tokens, in contrast, are dynamic, temporary, and often carry contextual information like permissions and expiration. (Example: Google Maps gives you an API key that you include in every request. That key never changes unless you regenerate it. That is an API key. A token would be something you get from logging in to Google, which expires after an hour and contains your specific access rights.)
- **Token vs OAuth 2.0 authorization code:** An authorization code is a short-lived, one-time-use code that is exchanged for tokens. It is not a token itself. Many learners confuse the two. The authorization code is used as a stepping stone to get an access token and refresh token. (Example: When you click “Log in with Google” on a third-party website, Google redirects you back with a code in the URL. That code is the authorization code. The website then sends that code to Google’s server to get an actual access token. The code is like a voucher, and the token is like the actual cash.)

## Step-by-step breakdown

1. **User Initiates Authentication** — The user opens an application and clicks “Log in.” The application redirects the user to an identity provider (IdP), such as Azure AD or Google, with a request for access. The user is prompted to enter their credentials and possibly MFA.
2. **Identity Provider Validates Credentials** — The IdP checks the username and password against its directory. If MFA is required, it prompts for a second factor, such as a code from a hardware token or an authenticator app. Upon successful validation, the IdP creates an authorization code (in the OAuth 2.0 authorization code flow) and sends it to the application via a redirect URL.
3. **Application Exchanges Authorization Code for Tokens** — The application takes the authorization code and sends it, along with its client credentials (client ID and client secret), to the IdP’s token endpoint. This exchange happens server-to-server, so the tokens are not exposed to the user’s browser. The IdP validates the code and issues an access token, an ID token, and possibly a refresh token.
4. **Token Issued and Stored** — The client application receives the tokens. The access token is often a JWT. The application stores the tokens securely. Typically, the access token is stored in memory or an HttpOnly cookie, while the refresh token is stored in a more secure, persistent location (e.g., server-side session or encrypted local storage).
5. **Application Uses Access Token for API Calls** — Whenever the application needs to access a protected resource (e.g., user’s email, calendar data), it attaches the access token in the HTTP Authorization header as “Bearer <token>”. The resource server (API) receives the request, validates the token by checking the signature, expiration, issuer, and audience, and then grants or denies access based on the claims in the token.
6. **Token Expires and Refresh Flow** — Access tokens have a short lifetime (e.g., 1 hour). When the application receives a 401 Unauthorized response, it knows the token is expired. The application sends the refresh token to the IdP’s token endpoint. The IdP validates the refresh token and issues a new access token (and optionally a new refresh token). The old tokens are discarded. This happens transparently to the user.
7. **Token Revocation or Logout** — When the user logs out, the application discards the tokens locally. For an additional security layer, the application calls the IdP’s revocation endpoint to invalidate the refresh token. The IdP then marks that refresh token as invalid. Any future attempt to use it will fail. The access token may remain valid until its natural expiration, but it cannot be used to obtain new resources because the application no longer has it.

## Practical mini-lesson

Let’s assume you are tasked with implementing authentication for a new web application that your company is building. The application is a single-page application (SPA) built with React, and it needs to call a REST API that you also built, as well as access Microsoft Graph to read users’ calendar events. This is a common real-world scenario. Your first decision is what protocol to use. The modern standard is OAuth 2.0 with OpenID Connect. For a SPA, the recommended flow is the authorization code flow with PKCE (Proof Key for Code Exchange). You cannot use the implicit flow because it is deprecated due to security issues with tokens in the URL.

Next, you register your application in Azure AD (or any IdP). You configure redirect URIs and generate a client ID. Because your app is public (no client secret that can be stored safely in a browser), you must use PKCE. PKCE works by generating a random string called the code verifier and a transformed version called the code challenge. The browser sends the code challenge during the authorization request. When the authorization code is exchanged, the IDP verifies that the code verifier matches the code challenge. This prevents interception of the authorization code.

Once you have the authorization code, your backend (or a token exchange endpoint) sends it, along with the code verifier, to the IdP’s token endpoint. The IdP returns an access token, an ID token, and a refresh token. For security, you should never expose the tokens to client-side JavaScript. Instead, you can use the Backend for Frontend (BFF) pattern, where a lightweight server-side component receives the tokens and sets an HttpOnly session cookie. The SPA communicates only with the BFF, which in turn makes API calls with the token.

Now, what can go wrong? One common issue is that the token contains claims, but the API does not validate them properly. For example, if your API does not check the “azp” (authorized party) claim, another application could use the same token to access your API. Ensure your API validates the audience (“aud”) claim to confirm the token was meant for it. Another issue is token storage on the client side. If you must store tokens on the client (which is discouraged), never use localStorage. Use in-memory variables. But in-memory storage means the token is lost on page refresh, so you need to implement a token refresh before each page load.

Finally, monitoring and logging are crucial. Log token validation failures, such as expired tokens or invalid signatures. Set up alerts for high numbers of token validation errors, as this could indicate an attack. Use short token lifetimes, typically 15-60 minutes for access tokens, and refresh tokens up to 24 hours for user-facing applications. For machine-to-machine communication (e.g., a background service), use client credentials flow, which does not involve a user and issues access tokens directly. Those tokens can have longer lifetimes (up to 24 hours) but should still be refreshed periodically. Always follow the principle of least privilege: tokens should only include the minimum scope necessary for the application to function.

## Memory tip

Think “Ticket for Entry”, a token is just a digital ticket that gives you access. It has an expiration time like a movie ticket, and it proves you paid (authenticated).

## FAQ

**What is the difference between an access token and a refresh token?**

An access token is used to access protected resources (like an API) and is short-lived. A refresh token is used to obtain new access tokens and is longer-lived. Refresh tokens must be stored securely and never sent to resource servers.

**Can a token be used after the user logs out?**

An access token might still be valid until it expires, even after logout. However, if the refresh token is revoked, the user cannot get a new access token. For instant revocation, the server should maintain a blocklist of tokens that are checked on every request.

**Why is a JWT called “stateless”?**

Because the token itself contains all the information needed to authenticate the user. The server does not need to store session data in a database. The token is validated using its signature and claims. This makes JWTs ideal for distributed systems and microservices.

**What is a hardware token?**

A hardware token is a physical device, like a YubiKey or RSA SecurID, that generates one-time passwords or implements FIDO2/WebAuthn. It is used as a second factor in authentication, adding security because it cannot be stolen remotely.

**Is it safe to put user roles in a JWT?**

Yes, it is common to put user roles and permissions in the JWT payload. However, the payload is only base64-encoded, not encrypted. So you should not put sensitive personal data. For roles, it is fine as long as the token is transmitted over HTTPS and stored securely.

**What is a token ring?**

Token ring is a network topology where a special frame called a token circulates around the ring. A device must own the token to send data. This is an older technology (IEEE 802.5) and is rarely used today, but it appears in some IT fundamentals exams.

## Summary

In the world of IT, a “token” is a versatile concept with two primary meanings: a digital credential for authentication and authorization, or a unit of text for processing in AI systems. As a credential, a token acts like a temporary digital ticket that proves you have permission to access resources. It replaces the need to repeatedly send passwords, which is both unsafe and inconvenient. Tokens come in various forms, including JSON Web Tokens (JWTs), opaque session tokens, and hardware tokens like security keys. They are central to modern protocols such as OAuth 2.0 and OpenID Connect, which power authentication for countless applications and services.

Understanding tokens is critical for anyone working in IT, from help desk technicians to cloud architects. On the job, you must know how to configure token lifetimes, secure token storage, and implement proper validation. Mistakes in token handling are a leading cause of security breaches. In certification exams, tokens appear frequently in questions about identity and access management, security best practices, and cloud authentication. You will need to differentiate between token types, recognize the importance of token expiration and refresh, and identify vulnerabilities like missing signature validation or token theft.

The key exam takeaway is to think of a token as a permission slip that must be carefully managed. Always validate the issuer, audience, and signature. Use short lifetimes to limit risk. Combine tokens with refresh flows for a seamless user experience. Remember that hardware tokens provide strong second-factor authentication, but software tokens from authenticator apps are also robust and easier to deploy. By mastering the concept of tokens, you will be better prepared for your certification exams and more effective in building secure IT systems.

---

Practice questions and the full interactive page: https://courseiva.com/glossary/token
