Security Encyclopedia

Phone-as-a-Token Authentication

Phone-as-a-Token Authentication covers methods of asserting a user's identity with their mobile device rather than with a dedicated hardware token. A popular implementation, though not the only one, has the phone serve as a One-Time Password (OTP) security token.

Phone-as-a-Token authentication takes different forms. Out-of-band (OOB) authentication uses a communication channel separate from the one that carries the session between the endpoint and the server. Other forms deliver robocalls or SMS text messages to the device, or use Unstructured Supplementary Service Data (USSD) communication (an emerging option). Quite popular among Phone-as-a-Token products are OTP apps that let the smartphone double as a hardware token. Smartphone biometrics are often combined with phone-as-a-token authentication, adding security while giving the user a familiar passwordless experience. Still others employ QR code scanning.
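As an added illustration, not code from the original entry, the OTP-app form described above looks like this in Python: the phone-side code generator defined by RFC 6238 (TOTP over HOTP, RFC 4226), and the server-side verifier that tolerates one step of clock drift and refuses to accept a code that has already been used. The secret is the RFC 6238 reference value used as a constructed example in place of a real enrolment secret; the function and class names are this example's own.

```python
"""TOTP as used by phone-as-a-token OTP apps: the phone derives a short code
from a shared secret and the current time; the server re-derives it, allows
a little clock drift, and never accepts the same time step twice."""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # length of one time step
DIGITS = 6          # code length shown to the user

# RFC 6238 reference secret ("12345678901234567890" in base32), used here as
# a constructed example; a real deployment generates a random secret per device.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to a 31-bit integer and reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS) -> str:
    """What the authenticator app computes: HOTP with counter = floor(time / step)."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at_time // step)


class TotpVerifier:
    """Server-side check for one enrolled device.

    `window` is how many time steps of clock drift are tolerated either side
    of the server's clock. `last_counter` records the highest step already
    consumed, so a captured code cannot be replayed inside the drift window.
    """

    def __init__(self, secret_b32: str, window: int = 1, step: int = STEP_SECONDS):
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.window = window
        self.step = step
        self.last_counter = -1

    def verify(self, code: str, now: int) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False
        current = now // self.step
        for drift in range(-self.window, self.window + 1):
            counter = current + drift
            if counter <= self.last_counter:
                continue  # this step (or an older one) was already used: replay
            # constant-time comparison so timing does not leak matching digits
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET_B32, now)       # phone side
    server = TotpVerifier(DEMO_SECRET_B32)  # server side
    # accepted once, then rejected as a replay of the same time step
    print(code, server.verify(code, now), server.verify(code, now))
```

The drift window is what makes a slightly slow or fast phone clock usable; the `last_counter` check is what keeps that tolerance from turning into a replay opportunity, since a code intercepted in transit is worthless once the legitimate login has consumed its time step.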

Some phone-as-a-token solutions are based on public-key infrastructure (PKI); within this group are Fast Identity Online (FIDO) authenticators built on a FIDO standard. Phone-as-a-token authentication is thought to have security and usability limits when the authentication is to apps on the mobile device itself rather than to a desktop app that uses the smartphone as the token.
"The usability and employer upkeep on hard tokens is a reason a lot of firms our size are moving to phone-as-a-token authentication. Basically, an authentication app on your phone presents the OTP or the proof of possession, inherence, etc. without the needless added hardware."