A soft token is a software-based security token that generates a single-use login personal identification number (PIN). Traditionally, a security token was a hardware device, such as a key fob or USB token, that produces a new, secure and unique PIN for each use and displays it on a built-in liquid crystal display (LCD). The system activates after the user presses a button or enters an initial PIN.
Security tokens are generally used in environments with higher security requirements as part of a multifactor authentication (MFA) system. While the hardware tokens are more secure than soft tokens, they are also costly and difficult to deploy on a large scale, as might be required for online banking.
Soft tokens, also known as software tokens, are an attempt to replicate the security advantages of MFA while simplifying distribution and lowering costs. Soft tokens run on common devices, such as a smartphone with a soft token app that performs the same task as a hardware security token. The smartphone provides an easy-to-protect and easy-to-remember location for secure login information. Unlike a hardware token, however, a smartphone is a wirelessly connected, general-purpose device, which can make it less secure; just how secure it is depends on the device's operating system and client software.
When using a soft token system, an end user logging into a financial investment company's user portal is required to enter a username and a password. Then, the system sends a one-time password (OTP) to a phone number or email address associated with that user's account. The user enters the OTP in the field indicated in the security login screen to get access to the portal.
Soft tokens are used by individuals and organizations to enhance cybersecurity by providing an additional layer of authentication. Soft tokens are commonly used to provide secure remote access, as well as in virtual private networks and cloud applications.
Industries that deal with confidential personal data, such as healthcare, financial institutions and government agencies, are among the top adopters of soft tokens. Soft tokens are accessible and convenient, making them ideal for deployment to a range of users and applications.
Hard tokens predate soft tokens and are still in use, though far less than a few decades ago when they were common. A popular hard token is the RSA SecurID, a thumb-sized device with an LCD for token PINs. An algorithm in the device changes the six-character display at preset intervals. During a login process that uses a hard token, the user initiates a system login, enters an ID and password, followed by the number displayed on the token.
There are some circumstances where a hard token is required. For instance, if biometric authentication is used, a physical token that can take a thumb or eye scan is needed. In MFA, if one or both initial authentication factors are disabled or compromised, a hard token option might be used as backup.
Users logging into a soft token-based application follow much the same process as with a hard token. They enter their ID and password, and then must enter an OTP sent to their phone or email to complete the authentication process.
The authentication system generates a one-time passcode or password that the user enters to complete the authentication process. A new code is produced for each access request, so a code that has already been used is of no further value, which makes them quite secure.
Because software tokens are something one does not physically possess, they are exposed to unique threats based on duplication of the underlying cryptographic material, for example by computer viruses and other software attacks. Both hardware and software tokens are vulnerable to bot-based man-in-the-middle attacks, or to simple phishing attacks in which the one-time password provided by the token is solicited and then supplied to the genuine website in a timely manner. Software tokens do have benefits: there is no physical token to carry, they do not contain batteries that will run out, and they are cheaper than hardware tokens.[2]
The shared secret architecture is potentially vulnerable in a number of areas. The configuration file can be compromised if it is stolen and the token is copied. With time-based software tokens, it is possible to borrow an individual's PDA or laptop, set the clock forward, and generate codes that will be valid in the future. Any software token that uses shared secrets and stores the PIN alongside the shared secret in a software client can be stolen and subjected to offline attacks. Shared secret tokens can be difficult to distribute, since each token is essentially a different piece of software. Each user must receive a copy of the secret, which takes time and creates scheduling constraints.
Some newer software tokens rely on public-key cryptography, or asymmetric cryptography. This architecture eliminates some of the traditional weaknesses of software tokens, but does not address their primary weakness: the ability to duplicate them. A PIN can be stored on a remote authentication server instead of with the token client, making a stolen software token useless unless the PIN is known as well. However, in the case of a virus infection, the cryptographic material can be duplicated and the PIN then captured (via keylogging or similar) the next time the user authenticates. Attempts to guess the PIN can be detected and logged on the authentication server, which can then disable the token. Using asymmetric cryptography also simplifies implementation, since the token client can generate its own key pair and exchange public keys with the server.