The Square Enix Security Token is a small device that fits on a keychain which is used to provide additional security for your Square Enix Account by providing an additional constantly-changing password that is needed to log on in addition to your usual account name and password.
In order to use this service, you must first purchase the Security Token directly from Square Enix. Tokens purchased this way can be used with any Square Enix Account related service, and if you already own a Security Token you can continue to use it both for FFXI and for FFXIV.
Follow the steps below to register your token and enable its use:
Once the process is complete, you will need the Token to enter the one-time password in order to access the account management system, and any services tied to the account.
When attempting to log in to any Square Enix Account-related service to which a token is linked, an additional one-time password field will be shown in addition to the usual account name and password. You must press the button on the security token and then enter the number displayed on the screen in order to log in. Once used, that password becomes invalid for future logons. The one time password also expires if not used within a certain amount of time.
If your token is lost/stolen/destroyed, you will need to contact the Square Enix information center to have the token removed from your account in order to log in again. Note that any given Security Token cannot be used again once it is removed from the account.
Once enabled, you will need the token to access any of the following Square Enix services:
Regardless of the method of acquisition, the token must be registered as described above before use.
A one-time password is a method of identification that is facilitated by a registered Security Token, as an extra security measure. This password takes the form of a 6-digit number which is obtained by pressing the button on the token. The one-time password is then entered along with a regular username and password in order to log in. The password is shown for 30 seconds after the button is pressed, and changes after that period of time has elapsed, making unauthorized access to an account more difficult.
As this system is not 100% foolproof, Square Enix provides game-data recovery at no cost or penalty if an account is compromised despite use of the token. Normally only one recovery is allowed per account, however a breach of security because of the security token does not count towards this limit.
The system used inside of the Security Tokens is a Shared Password Algorithm - one or two pieces of information are shared between the token and server, and are used along with another mathematical algorithm that is not known. The token-side information (the information that a player can access) in this case would include a player's Token ID (ID) and the current time (T). Your Token ID, the time, and the unknown algorithm (U) are then input into the Token Algorithm (A) (Example: 'U(ID + T) = 000000' ). Square Enix's password server and the player's token are then synced together when the player registers their token, so that when they use the token, the password server will have the same one-time password for that player as long as it is used before that password has expired.