The core security token design feature is a built-in display screen requesting access via authentication code or personal identification number (PIN). Some security tokens store digital signatures, biometric data, fingerprints or cryptographic keys. Advanced security tokens include USB tokens, Bluetooth tokens, Global System for Mobile Communications (GSM) mobile phones and PC/smart cards.

The security token's small design allows transport via keychain, pocket or purse.

The three main security token types are as follows:

• Connected token: Requires a physical connection to generate automated authentication data transfer. Requires special installed host input devices. Popular connected security tokens include USBs and smart cards.
• Disconnected tokens: This token is the most common and categorized for two-factor authentication and usually requires a PIN before generating authentication data. Does not physically or logically connect to a host computer but displays manually entered authentication data via a built-in screen.
• Contactless tokens: This rarely used token is not physically connected to the host computer and forms a logical host computer connection for authentication data transmission. Radio-frequency identification (RFID) tokens are based on contactless tokens and under development. Due to security concerns, RFID usage is limited.