Software tokens (also known as soft tokens) are stored on an electronic device, such as a desktop computer, laptop, PDA, or mobile phone, and can be duplicated (unlike hardware tokens, where the credentials are held in a dedicated device and cannot be duplicated without physically invading that device). The counterpart of the software token is the hardware security token.
Because software tokens are something one does not physically possess, they are exposed to threats specific to the duplication of the underlying cryptographic material, such as computer viruses and other software attacks. Both hardware and software tokens are vulnerable to bot-based man-in-the-middle attacks and to simple phishing attacks in which the one-time password provided by the token is requested and then relayed to the genuine website before it expires. Software tokens also have advantages: users do not have to carry a physical token, there are no batteries that eventually run out, and they are cheaper than hardware tokens.
There are two primary architectures for software tokens: shared secret and public-key authentication.
---
In the shared-secret architecture, an administrator typically generates a configuration file for each end user. The file contains a username, a personal identification number (PIN), and the secret, and is then delivered to the user.
The shared-secret architecture is potentially vulnerable in a number of areas. The configuration file can be compromised if it is stolen and the token copied. With time-based software tokens, it is possible to borrow a person’s PDA or laptop, set the clock ahead, and generate codes that will be valid in the future. Any software token that uses shared secrets and stores the PIN alongside the shared secret in the software client can be stolen and subjected to offline attacks. Tokens with shared secrets can be difficult to distribute, because each token is effectively a different piece of software: each user must receive their own copy of the secret, which introduces time constraints.

Some newer software tokens rely on public-key (asymmetric) cryptography. This architecture eliminates some of the traditional weaknesses of software tokens, but not their main weakness (the possibility of duplication). The PIN can be stored on a remote authentication server instead of in the token client, so a stolen software token is useless unless the PIN is also known. However, if the device is infected with a virus, the cryptographic material can be duplicated and the PIN captured the next time the user authenticates (via keylogging or similar). Attempts to guess the PIN can be detected and logged on the authentication server, which can then disable the token. Asymmetric cryptography also simplifies deployment, since the token client can generate its own key pair and exchange public keys with the server.
Software tokens are commonly available as mobile applications that can be installed on smartphones and tablets. These apps generate OTPs directly on the user’s device, providing convenient access to secure systems and resources. Some software tokens are available as desktop applications that can be installed on computers and laptops. These applications generate OTPs locally on the user’s device, similar to mobile apps.
Benefits of Software Tokens
Convenience: Software tokens offer convenience and flexibility, as users can generate OTPs directly on their device without the need for a physical token or additional hardware.
Portability: Software tokens are portable and can be installed on multiple devices, allowing users to access secure systems and resources from anywhere, using their preferred device.
Cost-Effectiveness: Software tokens are often more cost-effective than hardware tokens, as they do not require the purchase of physical devices and can be distributed easily via digital channels.
Security: While software tokens may be vulnerable to malware attacks and device compromise, they offer a higher level of security compared to traditional static passwords. OTPs generated by software tokens are valid for a short period of time and cannot be reused, reducing the risk of unauthorized access and replay attacks.
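To make the server-side controls described above concrete (the PIN kept on the authentication server with the token disabled after repeated wrong guesses, and OTPs that are valid only briefly and cannot be reused), here is an added Python example that is not part of the original article. It implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library and a minimal verifier as an authentication server would run it. The class and method names (TokenServer, verify), the five-failure lockout, the one-step clock-skew window and the fixed salt are illustrative assumptions, not values taken from any product.

```python
import hashlib
import hmac
import struct

# RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# RFC 6238 TOTP: the counter is the number of time steps since the Unix epoch.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, int(unix_time) // step, digits)


class TokenServer:
    """Authentication-server side for one enrolled software token (illustrative).

    The shared secret and a salted PIN hash live here, never in the client.
    Failures are counted and the token is disabled after MAX_FAILURES; any time
    step at or below the last accepted one is refused, so a code cannot be replayed.
    """
    MAX_FAILURES = 5  # assumed lockout threshold

    def __init__(self, secret: bytes, pin: str, step: int = 30, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew                # steps of clock drift tolerated either way
        self.pin_salt = b"constructed-salt-for-this-example"
        self.pin_hash = self._hash_pin(pin)
        self.failures = 0
        self.disabled = False
        self.last_step = -1             # highest time step already consumed
        self.log = []

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.pin_salt, 100_000)

    def _fail(self, reason: str) -> bool:
        self.failures += 1
        self.log.append(f"{reason} (failure {self.failures}/{self.MAX_FAILURES})")
        if self.failures >= self.MAX_FAILURES:
            self.disabled = True
            self.log.append("token disabled after repeated failures")
        return False

    def verify(self, pin: str, code: str, now: int) -> bool:
        if self.disabled:
            self.log.append("rejected: token is disabled")
            return False
        # Constant-time comparison so the PIN check does not leak by timing.
        if not hmac.compare_digest(self._hash_pin(pin), self.pin_hash):
            return self._fail("bad PIN")
        current = int(now) // self.step
        for step in range(current - self.skew, current + self.skew + 1):
            if step <= self.last_step:
                continue                # already used or older: replay attempt
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                self.failures = 0
                self.log.append(f"accepted code for step {step}")
                return True
        return self._fail("bad or replayed code")


if __name__ == "__main__":
    # Constructed secret (the RFC 6238 test seed) and a constructed PIN.
    secret = b"12345678901234567890"
    server = TokenServer(secret, "1234")
    now = 1_700_000_000
    code = totp(secret, now)
    print("first use :", server.verify("1234", code, now))   # True
    print("replay    :", server.verify("1234", code, now))   # False
    for _ in range(5):
        server.verify("0000", totp(secret, now + 60), now + 60)
    print("disabled  :", server.disabled)                    # True
    print("\n".join(server.log))
```

The replay guard is what backs the claim that an OTP "cannot be reused": once a time step is accepted, every code for that step or an earlier one is refused even while it is still within the validity window. The skew window also bounds the clock-advance problem from the shared-secret section: a code pre-generated for a future moment is only accepted within skew steps of the server's own clock, so a narrow window limits how far ahead such codes remain usable.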