authentication method

Why is the Software Token the best MFA method?

Industry Insight

Why is the Software Token the best MFA method?

A software token is an electronic or digital security token for two-factor authentication systems. It verifies the identity of the users who request access to a system, network or device.

More and more organizations now understand that passwords alone are no longer sufficient to authenticate users. According to ITRC, for Q3 2021, the number of data compromise victims in the U.S alone was 160 million, higher than Q1 and Q2 2021 combined (121 million).

A wide range of authentication technologies and an even wider range of activities require strong authentication methods.

Here, we discuss the different authentication methods on the market today and why we favor software tokens as a multi-factor authentication method?

What Is Multi-Factor Authentication (MFA)?

Multi-factor authentication (MFA) is a security mechanism that adds a layer of protection to a login process. It is based on the idea that users must provide at least two pieces of evidence (called “factors”) to prove their identity. 

– something the user knows (e.g. a password)

– something the user has (a device that cannot be easily duplicated, such as a phone or hardware key)

– something the user is (a biometric parameter like voice, face, fingerprint)

Access control determines the user’s identity based on credentials such as username and password. The credentials provided are compared to a database of authorized user information stored on a local operating system or an authentication server. If the data matches, the user is authenticated to the system.

Why Is User Multi-Factor Authentication(MFA) Important?

Cybercriminals can access a system and steal information when user authentication is flawed. If a factor is compromised or broken, an attacker will always have at least one more barrier to overcome before successfully penetrating the target.

There are several authentication protocols you can implement to prevent yourself from exposing your user data to attackers, including Oauth, OpenID, SAML, and FIDO.

Types of multi-factor authentication (MFA) commonly used 

Software and Hardware Tokens

1. Software Token

What is Software Token Authentication?

A Software Token is an authenticator application that is installed on an electronic device such as a smartphone, computer or tablet. It produces a one-time password; usually, a string of 6-8 digit code. Generally, the authenticator apps work on a shared secret key known by the server and the authenticator app. The apps support OATH Event-based (HOTP) & Time-based (TOTP). 

The user has to enter the code generated to access the data or application. 

If the software token app has a push notification option, the user can accept or reject the request and not manually enter the code. Preferably choose a software token with mobile push as it is more user-friendly and secure.

Example of free Mobile Authentication app- RCDevs’ OpenOTP Token, Google Authenticator, etc.

Different Software Tokens available in market

2. Hardware Tokens

What is Hardware Token Authentication?

A standard hardware token is a small device, typically in the general form factor of a credit card or keychain fob. The simplest hardware tokens look identical to a USB flash drive, contain a small amount of storage holding a certificate or unique identifier, and are often called dongles.

Many hardware tokens contain an internal clock that, in combination with the device’s unique identifier, an input PIN or password, and potentially other factors, is used to generate a code, usually output to a display on the token. This code changes regularly, often every 30 seconds or the time you set.

Generally, hardware tokens are OATH Token based on HOTP, TOTP, or OCRA. When you are prompted to enter your hardware token code to authenticate using a hardware token, you press on your hardware token to generate your 6-digit code, which you enter manually. 

Examples of hardware tokens – RCDevs RC400, RCDevs RC200, Yubico YubiKey

3. Biometrics Authentication

Biometrics authentication devices rely on physical characteristics such as voice, fingerprint, or facial patterns to verify user identity. Biometrics authentication is becoming popular for many purposes, including network logon.

Using a voice that is unique for authentication is one of the most secure ways to authenticate.

Also, hardware tokens like YubiKeys can handle fingerprints instead of OTPs. Instead of a code being texted to you or generated by an app on your phone, you press a button on your YubiKey. That’s it. Each device has a unique code built in, which is used to generate codes that help confirm your identity.

4. Signed Authentication

Created by the FIDO (Fast IDentity Online) Alliance, Universal 2nd Factor (U2F and FIDO2) is a strong industry standard for two-factor authentication.

FIDO U2F allows online services to increase the security of their existing password infrastructure by adding a strong second factor to user login. The user logs in with a username and password as before. The service can also prompt the user to present a second-factor device (such as a FIDO Security Key) at any time it chooses. The strong second factor allows the service to simplify its passwords (e.g. 4–digit PIN) without compromising security.

The user presents the second factor during registration and authentication by simply pressing a button on a USB device or tapping over NFC or BLE. The user can use their FIDO U2F device across all online services that support the protocol leveraging built-in support in web browsers.

Top 3 common Software Token myths – busted by RCDevs Security Solutions

Generally, people have a perception that even if both Software and Hardware tokens are very secure, software tokens are more exposed to the risk of hacking, as they can be duplicated, unlike a hardware token. Let’s take a look at the facts. 

1. Enrollment Procedure

In many cases (e.g. with Google Authenticator), the enrollment procedure is based on a QR code that contains the entire token, which means that at any time (and even long after the enrollment), having the QR code means knowing the cryptographic key. And the fact is that this QR code must have been sent to the user – in an email, for example – so it can be found and copied during the process or after. 

This is why RCDevs’ token enrollment does not work in this manner. The QR code is only used to initiate the procedure, which ends on our servers. Thus, finding the QR code is useless for an attacker.

2. Cryptographic Key

Unlike many software tokens on the market, with RCDevs’ the cryptographic key is not stored in a software container but a hardware keychain. So, the only app that can read it is RCDevs’ OpenOTP Token; no other app on the phone can access it. 

3. Fraudulent Connection Attempt

Geolocation of the smartphone can help detect a fraudulent connection attempt. Example – In the OpenOTP Token App, phishing protection uses your location to prevent phishing attacks. If a phishing attack is suspected, the OpenOTP Token application will prompt you with a screen like the one below. Accordingly, you can approve or reject the request.

Phishing Protection

Why is the software token the best MFA method?

As for the advantages, there are quite many. Let’s take RCDevs’ OpenOTP Token as an example of a convenient software token for one-time password generation. Six reasons we prefer software tokens for MFA:

software token

1. Availability

The smartphone is always handy; available anytime and anywhere. But it brings another advantage, related to security – if an end-user loses his phone, he is much more likely to realize it within minutes, which is not necessarily the case with a Hardware Token.  

And time is key here, the delay realizing the loss of the authentication device and notifying the security teams is crucial.

2. Extra layer of protection

A smartphone comes with an extra layer of protection (PIN-code or biometrics), allowing protecting the software token and its OTP from unauthorized access if your phone, for various reasons, ends up in the wrong hands. If the same thing happens with a Hardware Token, the OTP can be read and used directly.

3. Flexible Configuration

The choice of the password length and algorithm of its generation is something that you can configure as per requirement.

4. Multiple Tokens

You can generate and manage many tokens on one device, thus reducing the hassle of keeping track of many apps and/or devices.

5. Price

Data protection with the help of the OpenOTP Token does not require any expense – the application is free.

Versions available both for Android and iOS.

6. Mobile E-Signature

It supports data signing (both on-premise and SaaS Platform), allowing you to click and directly sign with your mobile, in compliance with international contract law.


So which one to choose? There is no simple answer: all authentication methods have advantages.

But always try to look at your company’s and employees’ needs. Choose an authentication method which is compatible with SAML/ OpenID, Windows, NAC, Unix and Linux, MAC OSX,etc, like RCDevs’ OpenOTP Token. You take a big step towards better security by moving from simple password protection to multi-factor authentication.

For any queries about tokens or MFA, contact our experts.