In cybersecurity, a token is usually a small hardware device that displays additional information (e.g. a number string) that the user enters as an added security factor when authenticating to a service or resource. Tokens also take the form of “soft tokens”, mobile device apps that display similar information for the same purpose.
Passwords, while the dominant authentication method, are flawed because users often recycle them across different services, which enables credential stuffing and other attacks. In response, enterprises deploy hardware security tokens whose displayed code serves as an additional possession factor, which the user enters into a second login field. Hardware tokens typically use One-Time Passwords (OTPs), or Time-Based One-Time Passwords (TOTPs), for two-factor authentication (2FA) or multi-factor authentication (MFA). The codes are usually six digits long and expire every 30 seconds. Provided the secret seed that generates the dynamic codes is not compromised and the protocol used to convey the codes is secure, many enterprises have accepted hardware tokens as a reasonable tradeoff between security and usability.
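To make the "six-digit code every 30 seconds" mechanism concrete, here is an added example (not code from the original page or from any token vendor) implementing HOTP (RFC 4226) and TOTP (RFC 6238) in standard-library Python, together with the server-side checks a practitioner would want: a small drift window, a constant-time comparison, and replay rejection so a code captured in transit cannot be reused within its 30-second validity. The seed `SAMPLE_SEED` is the published RFC test seed, used here only so the output is checkable; `TotpVerifier` and `verify_totp` are names assumed for this example.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample seed: the ASCII test seed published in RFC 4226 / RFC 6238.
# A real token's seed is a random secret provisioned to both the device and the
# server; if it leaks, every future code can be computed by the attacker.
SAMPLE_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    chunk = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear sign bit
    return str(chunk % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of elapsed 30-second steps."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> Optional[int]:
    """Return the time-step counter the code matched, or None if it matched nothing.

    `window` tolerates clock drift of +/- window steps between token and server.
    hmac.compare_digest prevents a timing side channel on the digit comparison.
    """
    base = unix_time // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


class TotpVerifier:
    """Server-side verifier (assumed helper) that also rejects replayed codes."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1  # highest time-step counter accepted so far

    def check(self, code: str, unix_time: Optional[int] = None) -> bool:
        now = int(time.time()) if unix_time is None else unix_time
        matched = verify_totp(self.secret, code, now, self.step, self.digits, self.window)
        if matched is None or matched <= self.last_counter:
            return False  # wrong code, or a code for a time step already consumed
        self.last_counter = matched
        return True


if __name__ == "__main__":
    print("current code for the sample seed:", totp(SAMPLE_SEED, int(time.time())))
    print("RFC 6238 vector, T=59:", totp(SAMPLE_SEED, 59))  # 287082
```

The drift window is the usual compromise between usability and exposure: each extra step accepted roughly doubles the number of codes that would pass at any instant, so keep it small and, as the replay check shows, never accept the same step twice. Because every code is a deterministic function of the seed and the clock, the seed is the asset to protect; the code itself is only as secret as the channel it travels over.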
With the rise of the smartphone, hardware tokens for 2FA and MFA are being challenged by mobile apps that replicate their hardware antecedents. The use of mobile devices in this way is referred to as Phone-as-a-Token authentication.
“Our security team is deploying hardware authentication tokens to all remote workers. They feel it’s a step in the direction of knowing that the person logging into our network. This is because the person working from home or a coffee shop needs to input the information on the token as another kind of proof, besides just their password.”