A security apparatus receives a biometric input from a user, which then is compared to a template to determine a correlation factor. The correlation factor, a fixed code and either a time-varying code or a challenge code then are combined to generate a token. The token is displayed to the user, who then enters the token at an access device. The access device is coupled to a secure host system. The access device forwards the token to the host, which processes the token to determine whether access is permitted. In one embodiment, the host is an electronic banking system. If access to such system is permitted the user is allowed to perform an electronic funds transfer. The security apparatus in one embodiment is an integrated circuit card. Each apparatus includes a sensor for detecting the holder's biometric information (i.e., voice, signature, fingerprint), along with a processor and display. The processor generates the token which then is displayed to the holder.