The Authentication Reference

Your go-to place for authentication information

Successful Authentication with Incognia

The Authentication Reference

What is a phone as a token? [The five main types]

Phone-as-token is a type of authentication method in which a mobile phone is used as a token to assert a user’s identity. In multi-factor authentication (MFA) schemes that include one of the three authentication factors: something you are, something you have and something you know, the phone-as-a-token qualifies as a "something you have" authentication factor.  The phone-as-a-token authentication method allows a user to prove their identity using their phone, which is a device that is usually near to them most of the time, making it a convenient proof of possession.

Given that online fraud in the US grew by a concerning 25% in the first 4 months of 2021, businesses are looking towards mobile authentication options to protect their users from fraud.

The phone-as-a-token authentication can be used as part of a multi-factor authentication approach for both mobile and desktop authentication. 

What is MFA and Why Does It Matter?

MFA makes it more difficult for fraudsters to take-over accounts since MFA requires users to authenticate with at least two different factors of authentication. The different factors are:

  • Knowledge - Information only the user knows - Example: Passwords, the maiden name of your mother
  • Possession - An item only the user has - Example: A mobile phone, a hardware security key
  • Inheritance - A behavior or biological trait unique to the users - Example: Their fingerprint, the way they type, their location behavior

When deciding which authentication factor to use, risk managers must consider the level of security and friction for users. For instance, assigning a user a unique password is knowledge verification, however, it is not the most secure authentication method since passwords are often easy to guess or are re-used across accounts, and it can be frustrating for users to remember their passwords, leading to friction and password fatigue.

In contrast, using a phone-as-a-token as an authentication factor falls under the category of possession authentication. The user already has the device in their hand, requiring no additional hardware. Moreover, it can offer a higher level of security than traditional knowledge types of authentication, since gaining possession of a user’s phone is a higher bar for a fraudster to overcome versus guessing or gaining access to a password. 

Types of Phone as an Authenticator

There are several phone-as-a-token authentication methods businesses can use, including:

  • Push Authentication
  • One Time Password
  • Authenticator App
  • QR Code Modes
  • Unstructured Supplementary Service Data


Push Authentication

This is when a different device, for instance, a phone, is used to authenticate a login or a transaction on a desktop. Push authentication is mobile-centric, as it sends a push notification to a mobile device, presenting an action the phone holder needs to perform, such as confirming they are the person looking to authenticate at the desktop. ​​This case assumes that the user has installed a special trusted app that can receive the push notification. It should be an app trusted by both parties. When the user receives a push notification on the phone, he/she has to approve or disapprove the authentication by clicking a special button.

One Time Password

A one-time password (OTP) consists of a short sequence of numbers and alphanumeric characters that are auto-generated and delivered by an application service to the user at a previously registered mobile phone number associated with the user account. Once received, the one-time password is then entered by the user to verify their identity.​​ While one-time passwords are one of the most popular forms of authentication factor for use in MFA processes there are security concerns with OTP. NIST in its identity guidelines designated one-time passwords delivered over SMS as a restricted form of authentication because they are vulnerable to interception by fraudsters.

Authenticator App

A more secure way to use OTP is to get the One Time Password through an authenticator app such as "Google Authenticator". in this case it' less likely that the OTP is intercepted by fraudsters, however, it places additional burden/friction on the user who needs to install and trust this additional specialized authenticator app

QR Code Modes

This type of authentication uses a QR code on a printed badge, acting as a contactless card. Rather than a traditional card reader, the mobile phone's camera reads the QR code as a means of authentication. This modality is convenient for the user who only has to read the QR code to authenticate. However, it is insecure given that QR codes can be malicious or lead to malicious websites.

Unstructured Supplementary Service Data (USSD)

This uses mobile networks to send short text messages. They are similar to SMS, but they're instant, so messages are not stored at the user or business end.

An example of this is in banking transactions, where a user might check their account balance, make a bank transfer, or generate a bank statement.

Phone-as-a-Token Authentication Vulnerabilities

Smartphones have many advanced functions. However, it is essential to note that phone-as-a-token authentication can still be vulnerable. Unlike a hardware token such as a security key, mobile phones have an operating system and are constantly connected to a network. This makes them more prone to hacking. One example is if a mobile device’s software is not updated regularly by its user.

Push to Auth has its benefits, primarily when a mobile phone is used to authenticate a transaction being made on a tablet, desktop, or laptop. However, this benefit is lost when all interactions are made on the same smartphone.

Phone-as-a-Token Authentication Benefits

Businesses need to strike the right balance when offering end users customer-focused convenience and the essential reassurance of high security. The benefits of such authentication outweigh the vulnerabilities.

Using a separate mobile device for MFA to desktop transactions introduces a higher level of security, and depending on the type of phone-as-a-token authentication, such as push to auth, the friction can be lower than other alternatives, such as a hardware security key.

Mobile phone authentication is a more cost-effective solution than using hardware tokens that can, for example, connect to a device’s USB port. Although some banks still use this type of hardware, they're increasingly looking towards phone-as-a-token authentication, not least because currently 81% of Americans already own a smartphone device.

Phone-as-a-token authentication is an important way for businesses to introduce MFA, especially for desktop transactions. It presents an interesting balance between security and friction, as all authentication should in today's digital world.