A software token, or soft token, is a digital security token for two-factor authentication systems. Software tokens attempt to emulate hardware tokens, which are physical tokens needed for two-factor authentication systems, and there are both advantages and disadvantages to this security measure. With a software token, an employee can be given a new token within seconds, but the token can be intercepted by a hacker or business adversary. Most of the time, the second authentication method used with soft tokens is the employee’s password or a combination of a username and a password.
Businesses and secure networks use two-factor authentication to secure private information. Two-factor authentication means that two forms of identification are required to enter the system. With software tokens, the token is one of the factors needed to access the system, and it acts like the first of two passwords.
With a software token, an employee first requests a token from the server or administrator. If this request is granted, based on the employee's level or other security factors, the software token is digitally transported to the computer or mobile device. It is not a hardware token, so the token is stored in the device’s virtual memory. Tokens take up very little memory, usually half of 1 megabyte (MB) or less.
After receiving the token, the employee satisfies one of the authentication factors. The second factor is usually the employee’s username, password or both. When both of these security measures are satisfied, the employee is granted access.
Although a software token limits access and increases security, it is not quite as secure as a hardware token. With a hardware token, the token itself has to be physically stolen, and if someone attempts to duplicate the information, the token is programmed to wipe its memory. If the digital transport channel is not secure, or if the employee’s device has a virus, then a hacker or business adversary can steal the software token. Some soft tokens have security constraints, such as being available for only a short amount of time, but a stolen token can still be used to grant access to non-employees.
The advantages of using a software token are flexibility and ease of removal. If an employee needs a new token, either because it was erased from memory or because the time constraint invalidates the current token, a new token can be granted within seconds. When an employee is terminated from a company, a soft token can be easily invalidated, whereas retrieving a hardware token can be more difficult.
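The lifecycle described above (request, time-limited validity, check of both factors, reissue and invalidation) can be sketched as a small server-side model. This is an added example, not code from any particular product; the class `SoftTokenServer`, its method names, the 300-second lifetime and the PBKDF2 iteration count are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class SoftTokenServer:
    """Hypothetical issuer: short-lived soft tokens plus a password factor."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock        # injectable so expiry can be exercised
        self.passwords = {}       # user -> (salt, PBKDF2 hash)
        self.tokens = {}          # user -> (SHA-256 of token, expiry time)

    def _hash_pw(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, user, password):
        salt = secrets.token_bytes(16)
        self.passwords[user] = (salt, self._hash_pw(password, salt))

    def issue_token(self, user):
        """Grant a new token; any earlier token for the user stops working."""
        if user not in self.passwords:
            raise KeyError("unknown user")
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self.tokens[user] = (digest, self.clock() + self.ttl)
        return token              # only the digest is kept on the server

    def revoke(self, user):
        """Invalidate the token, e.g. when the employee is terminated."""
        self.tokens.pop(user, None)

    def authenticate(self, user, token, password):
        """Both factors must pass: a live token and the correct password."""
        record, cred = self.tokens.get(user), self.passwords.get(user)
        if record is None or cred is None:
            return False
        digest, expires = record
        presented = hashlib.sha256(token.encode()).digest()
        token_ok = hmac.compare_digest(digest, presented)
        salt, pw_hash = cred
        pw_ok = hmac.compare_digest(pw_hash, self._hash_pw(password, salt))
        return token_ok and pw_ok and self.clock() < expires
```

A copied token still satisfies the token check until it expires or is revoked, which is why the password check and a protected delivery channel both matter in this model.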