Home / server / Questions / 1033879
In Process
ScottStonehouse
Asked: 2020-09-15 10:21:14 +0800 CST

Security of a hardware token vs software token for two-factor authentication

  • 772

Surprisingly I don't see this question on ServerFault already. I'm wondering about the pros and cons of hardware token vs software token for two-factor authentication - only in the context of security, not convenience. I am referring only to the time-based one-time password generators.

Is there a clear winner in terms of security? Does it vary according to the platform the software token (app) is installed on?

two-factor-authentication two-factor

1 Answers

  1. Advantages of Hardware Tokens;

    • Physically small
    • Do not require any other expensive devices (like smartphones)
    • Self-Powered (so no issues if the battery on your mobile device fails)
    • Durable (typically these devices will survive quite a bit of pubishment)
    • Require no physical or wireless connections to other devices
    • Do not require the user to be in possession of a mobile device
    • Very resistant to copying
    • Not internet connected, and need no internet connection in order to operate
    • No risk of virus or hacking compromising the devices (unlike mobile phones)

    Advantages of Software Tokens;

    • The apps they use are free and readily available on the internet
    • Apps may store multiple tokens whereas most hardware tokens only have one seed
    • Can be used on multiple devices at the same time (seed sharing)
    • May utilise biometric features of the smartphone to enhance security
    • Authentication apps can be updated

    Besides hardware and software tokens there are also reprogrammable hardware tokens that offer some of the advantages from both camps (for an example see safeid diamond programmable token). This type of token works by receiving seed data (typically via an NFC connection), then once programmed the physical token can then act as a direct replacement for google authenticator.

    Advantages/disadvantages of programmable hardware tokens

    • Can be used wherever google or microsoft authenticator apps are used
    • Offers a solution for Azure/office 365 when no P1/P2 license is held
    • Can act as a backup to existing authenticator apps (say when mobile battery flat)

    Not meaning to complicate the issue further, but there are also Fido Keys. This type of hardware token tends to be more expensive, usually needs to be connected by USB ports, and being newer is less supported, but it also has specific advantages;

    Fido Key Advantages

    • Newer technology solution than standard hardware tokens
    • Strong anti-phishing features not found on most other solutions
    • Retains many of the advantages of standard hardware tokens (eg still sturdy)
    • 0