A security token (or sometimes a hardware token, hard token, authentication token, USB token, cryptographic token, smart token, or key fob) may be a physical device that an authorized user of computer services is given to ease authentication. The term may also refer to software tokens. Security tokens are used to prove one's identity electronically (as in the case of a customer trying to access their bank account). The token is used in addition to or in place of a password to prove that the customer is who they claim to be. The token acts like an electronic key to access something.
Hardware tokens are typically small enough to be carried in a pocket or purse and are often designed to attach to the user's keychain. Some may store cryptographic keys, such as a digital signature key, or biometric data, such as fingerprint minutiae. Some designs feature tamper-resistant packaging, while others may include a small keypad to allow entry of a PIN, or a simple button that starts a generating routine, with a display to show the generated key number. Special designs include a USB connector, RFID functions or a Bluetooth wireless interface to transfer the generated key number sequence to a client system.
USB tokens for X.509 PKI certificates are used to secure Internet transactions in applications including signing and encrypting email, PDF documents, Microsoft Office files, and software, as well as for strong authentication to a VPN or web-based applications. Client certificates are known to provide higher security than one-time password (OTP) tokens for two-factor authentication solutions, but the private key of the PKI certificate must be kept secret to be effective. A client certificate stored on a USB token is safer than one stored on a hard disk, because a USB token cannot be coerced into giving up the private key.