Tokens form an important part of the authentication process. In our previous post, we looked at how tokens fit into this process and the different types of tokens available. In this piece, we take a closer look at hardware tokens versus software tokens and consider which kind of token is likely to become the most widely adopted authentication method going forward.
Hardware Tokens Used To Be The Standard
Hardware or “hard” tokens have had the reputation of providing the highest level of security. With organizations moving towards multi-factor authentication, a simple password is just not enough when it comes to security.
Many companies, especially those with elevated security requirements or in highly regulated industries, have therefore relied on hard tokens. Because the authentication secret lives inside a separate physical device rather than on the user's computer, a system protected this way is significantly harder to compromise than one guarded by a password alone. Hard tokens come as smart cards, USB keys, or other physical devices. They became popular mainly for the extra security they provide, and because they are compact and easy to carry.
The Limitations Of Hard Tokens
Hardware tokens suffer from a number of limitations: they are expensive to roll out to every user, they break, get lost, or are stolen, they are hard to distribute to teams spread across different geographic locations, and they take a significant amount of IT resources to manage.
Possession of a hard token proves only that someone is holding the device, so most hard tokens are not used alone but in conjunction with a password or PIN. Not only does this add overhead, but as long as a password remains an authentication credential, alone or alongside another factor, it can be phished, cracked, or stolen as a hash from the server and cracked offline.
Specific kinds of hard tokens have their own drawbacks. Hardware OTP (one-time password) tokens require typing: the user has to read the code off the device and enter it by hand. In most cases hard tokens are used as an additional factor rather than as a replacement for passwords, some offer no support for enterprise network access, and some deployments keep a static password in the mix, which remains a vulnerability once an attacker is inside the network.
PKI hard tokens, for example, are awkward for web and cloud services: they work only from hosts that have the device interface software installed, and that client software can be hard to install and maintain.
Rise Of The Soft Token
Software or “soft” tokens replace the separate physical device with a software application that can run on a variety of devices, including smartphones, which most people carry almost all the time. Deloitte, in their Global Mobile Consumer Trends study, report that “More than one-third of consumers worldwide said they check their phone within five minutes of waking up in the morning, and 20% of them check their phone more than 50 times a day. The reliance on smartphones seems likely to increase”. Against that backdrop, forcing users to carry a separate hard token looks significantly more burdensome.
Another factor that has boosted the popularity and speed of adoption of software tokens is that they do not depend on a separate piece of hardware. The software can be integrated into current platforms, which means it can be adapted and scaled easily, and improvements can be distributed to users immediately.
The Future is Software Tokens
Soft tokens offer a number of advantages over hard tokens. As environments become more mobile and cloud-based, soft tokens can adapt while keeping the balance between user experience and security. They are cost-effective (there is no per-token hardware cost), can be distributed quickly and easily, can be updated remotely so they are always current, carry no hardware enrollment or logistics costs, and, because they live on a phone the user already carries, are less likely to be left behind than a separate hard token. They also simplify things significantly for IT teams and give users a better experience than hard tokens, provided the app keeps its secret in the device's platform keystore rather than in plain app storage, since a soft token is only as safe as the device it runs on.
Another Deloitte report, “Transforming Authentication For A Digital Age”, which looks at digitization in Singapore, notes this explicitly: “Hardware tokens, which are widely deployed for internet banking in Singapore have shown long-term disadvantages that argue against its feasibility.” The report goes on to note the advantages of soft tokens and their increasing use.
The leading software token providers can even offer uniform, password-free authentication to the enterprise network. Removing the password also removes password-related overhead (forgotten passwords, enrolling new users), takes the phishable and crackable credential out of the picture, eliminates the manual entry of one-time code strings that leads to errors and delays, and leaves users productive rather than frustrated.
Security – Onwards and Upwards
Hard tokens have had their day, and soft tokens are the future. Hard tokens cannot keep up with the rapid pace of technological improvements, and their disadvantages far outweigh their advantages, especially when compared to everything that soft tokens have to offer.