The biggest danger is either via unauthorized access by an employee, or worse, internal fraud. An unattended token can grant inappropriate access to someone else's account. And while the thief would still need the user's ID and password, they could easily obtain those.
The best way to prevent malicious token use is to educate employees on how to use them securely. Employees should be taught safe password practices, such as not writing them down and posting them by their desk. Employees should lock up their tokens or carry them when not in use. They should also lock their monitors when they get up from their desk, even if it is simply to get a cup of coffee or use the bathroom.
Distribute tokens from a central location or warehouse where they can be inventoried. Keep a record of all tokens received, as well as their serial numbers and apiece count. To verify that the right user received the right token, implement a policy that requires users to send inactive tokens to the help desk or to an online registration system to be activated. That way the help desk or online system can verify the user, ask for the token serial number and match it with the serial number of the sent token. Please keep in mind that the system you choose should depend on the size of your organization. For example, if you work for a large company, it's not a good idea to deluge the help desk with calls to activate tokens.
An alternate system can involve sending a new user an activation code by e-mail. Again, keep in mind that if you use this system only the activation code should be sent to the user. This will prevent theft of the token and its credentials. To activate the token, the code can be entered online at a predetermined registration site.
This was first published in February 2006