The Authentication Reference

Your go-to place for authentication information

Successful Authentication with Incognia

The Authentication Reference

What Is a Security Token?

Security tokens are physical devices that people use as hardware authenticators to securely access a system. The token typically contains cryptographic information that is specific for each user and is used for user authentication into that system. 

Security tokens come in many form factors such as a USB key or a name badge containing a chip inside. Car remotes are examples of security tokens people use regularly.

Security tokens are used to authenticate users, and they can be used either to substitute passwords or other authentication methods or used as additional authentication in multi-factor authentication (MFA) flow. When used in an MFA flow the security token is considered a “possession” factor ie “something the user has”, which can be combined with an inherence or knowledge factor for MFA.

Security tokens contain cryptographic data that uniquely identifies a device owned by a user. The information used for authentication is usually presented in one of  three forms:

  • Static password - A password is stored and transmitted by the token communication protocol. It usually remains unseen by the user for their own security.
  • Dynamic password - Unique one-time codes which expire and rotate, and either should be read and entered by the user or can remain unseen and transmitted automatically.
  •  Challenge-response - The token provides the answer to a question. This is a cryptographic challenge response that is used to prove possession. 

Types of Tokens

Security tokens come in different types. 

  • A connected token is an object that physically connects to the system, this can be a USB device that plugs in or a smartcard that slides on a reader.
  • A disconnected token does not need to physically connect to the system. There is no plugging in of a device or sliding of a card on a reader. Smartphones used for multi-factor authentication are an example of a disconnected token.
  • A contactless token is one where the user doesn't have to physically connect a device or input any additional information to gain access. For a contactless token, the physical device connects wirelessly to the system to gain access, such as via Bluetooth or NFC token.

The Digital Security Token

Because of the increasing levels of social engineering and hacking and the associated costs, companies are increasingly investing in digital security tokens to move beyond passwords and add stronger levels of security.

Digital tokens help protect the entire computer network for a business, no matter how it is accessed. The token becomes part of the security chain of two-factor or multi-factor authentication.

Two-factor authentication, also called two-step verification, requires the user to present another verification beyond the normal password. The second step can use a digital security token as part of the process.

Multi-factor authentication can include two or more steps for verification. These steps can increase or decrease based on the security needed. Security tokens can be included at different steps based on the need.

Security Token Benefits

The benefit of this authentication method is being a physical (not digital) way of bringing security to a digital system. Since physical tokens are not connected to an online network, hackers cannot access them. Security tokens can take many forms, and employ a variety of communication protocols, for interoperability and flexibility.

Security Token Vulnerabilities

The main drawback to security tokens is that they are physical objects. Any physical object can be lost or stolen, and depending on the type of token, bad actors with physical possession can use them to hack into accounts and systems. USB cards and fobs, for example, are tiny and can be easily lost. If a user does not have access to their security token they will need to use a secondary recovery authentication method which can be cumbersome.

The main vulnerability to security tokens is the user. If a user does not protect their security token it can fall into the hands of a bad actor. In addition, the increased volume of social engineering attacks brought on during the global pandemic has increased the vulnerability of security tokens that generate one-time passwords (OTPs). Users are being tricked via social engineering to hand over the OTP generated by a security token, which can grant access to accounts by bad actors making use of stolen credentials.

Technology has opened the door for more options when it comes to security tokens. One of the most popular ways of providing a security token is through something most people have: a mobile phone.

Mobile Phone as a Token

The mobile phone has given app developers and businesses a new option for a physical security token. Since most people have their phones with them at all times, today’s smartphones offer a simple yet powerful device that can be used as a security token to increase security using various mobile authentication methods.

Hard Tokens and Soft Tokens

While hard tokens are physical objects that provide a code used for authentication purposes, soft tokens are software programs that provide the same functionality. An example of a soft token is the Google Authenticator App: it is installed on most Android Mobile Phones and can be used to provide and retrieve a one-time security code n.

While hardware tokens are popular for IT admins that want to have more physical management of keys, software tokens are inexpensive and easier to deploy quickly since users only need to download an App. Software updates for the software token also occur automatically, meaning less maintenance for the organization.

Authenticator apps are a type of software-based authenticator that can implement a two-step verification service using a Time-based One-time Password Algorithm for authenticating users of software applications.

When logging into a site supporting a Software Authenticator, the Authenticator App generates a six- to eight-digit one-time password which users must enter in addition to their usual login details.

Mobile Phone used for “Cross-Device” Journey

In some cases, when users start a journey on the laptop, they are requested to continue the journey on the Mobile Phone. This happens when the phone is used to provide/request additional security signals that are not present on the laptop browser.

For example, in some cases, after the user starts the onboarding journey on the laptop using a browser, then he/she is requested to switch to their Mobile Phone to be able to capture high-resolution pictures of Identity Documents or selfies using the higher quality of Mobile Phone cameras and sensors.

One possible usage model of this “cross-device” journey is to use the Mobile Phone as a Token or as an Identity Signal by leveraging the Device Information contained in the device itself.

Phone with Authenticator App opened and one time codes showing in the screen

With the Phone as Token usage model, the user will receive a push notification on their phone and will approve the login without the need to insert any codes on the laptop. The Device information itself internal to the phone will identify the user to the cross-device journey.Mobile phone screen showing an in-app push notification to authenticate a user with a phone as a token type of authentication


The mobile phone has given app developers and businesses new options for security tokens. Since most people have their phones with them at all times, today’s smartphones offer a simple yet powerful device that can be used as a security token for companies to increase security using various mobile authentication methods.

Every smartphone has a unique set of characteristics that can be used to build a device fingerprint, which can be used as an authentication method for users. Smartphone devices are also equipped with many sensors that can also be used to emit signals and capture behavior that can uniquely identify users. A user's location behavior, for example, can be captured by on-device motion and network sensors, thus, making the mobile phone into an authentication token.