Soft Tokens

Why use Soft Tokens

Soft Tokens are typically apps that run on phones or laptops:

  • Ideal for smart device users
  • Complementary to SMS-based authentication
  • Allow the end user the freedom to choose between SMS-based authentication or a Soft Token application and switch between them.

SecurEnvoy MFA SoftToken Functionality

  • Soft Token application available for iPhone, Android, Mac OSX, and Microsoft Windows 10 and 11 operating systems
  • Seamlessly and securely move between devices with no additional cost or helpdesk calls. The previous device is deleted, rendering it safe to sell or dispose of
  • QR (Quick Response) codes speed deployment for rapid user enrolment
  • Automatically handles international time zone changes when travelling
  • Enhanced Copy protection

SecurEnvoy’s Soft Token Application


The latest SecurEnvoy server V9 allows users a far greater choice of security: tokenless SMS two-factor authentication, a voice call, or a soft token downloaded as an application. SecurEnvoy now supports 2 types of hardware tokens (YubiKey and an OATH-compliant TOTP token in credit card form factor).

Available as a free-of-charge add-on to the SecurEnvoy suite of products. Users can elect to use a soft token application from either SecurEnvoy or Google.

Authentication soft tokens are suitable for most types of mobile devices:

  • iPhones, iPads (iOS 12.0 or greater)
  • Android (5.0 and greater)
  • Mac OSX
  • Windows 10 and 11 operating system (PC)

Multiple soft tokens can be enrolled and used within the same app for multiple SecurEnvoy servers, eliminating the need to carry multiple hardware tokens or install multiple soft token apps.

SecurEnvoy Soft Token – Ease of use and administration


Changing devices

Users can self-migrate to a new phone model by simply enrolling their new phone. They use their old phone app or SMS to make a two-factor authentication to the enrolment portal. Then simply scan the QR Code to provision the new phone with a new seed record at no additional cost. The security server automatically deletes the old phone’s seed record rendering the old phone safe to dispose of or resell.

Simple QR Code Enrolment

Enrolment is a simple, convenient process for the end user. For the organisation there is nothing they need to do. The user chooses which device receives their two-factor authentication passcode and by what method.

Reduced Administration

User Administration is significantly reduced, as SecurEnvoy’s “Deployment Wizard” can automate user deployment and allows the user to be in control of which device they use and the type of authentication method they prefer.

User deployment can be achieved on Group membership, OU or any other LDAP filtering. The SecurEnvoy “Reporting Wizard” provides detailed information about what mode of operation each user is set up for, allowing Administrators to control and monitor their 2FA estate.

Soft Token – at No Additional Cost

All SecurEnvoy customers can utilise the latest Soft Token at no additional cost. This suits users who may have issues with SMS deliverability, and customers who wish to manage and reduce their existing SMS costs.

Support for Google Authenticator

SecurEnvoy soft tokens for your phone or desktop can be used to generate a one-time passcode (OTP) for two-factor authentication that can be checked by your company’s SecurEnvoy server or Google’s cloud login.

Deployment with Quick Response codes: 100,000 users can be deployed within one hour

Quick Response codes are an excellent method to display a bar code matrix for the deployment of the “seed record” for the end user’s Soft Token. The user only has to scan the QR code with their phone’s camera for a fully automatic enrolment process to a Soft Token. Using either an app or SMS, deployment capability is 30 per second, 100,000 users per hour.

This is the same for other authenticator apps such as Microsoft Authenticator. While we support the use of 3rd party Authenticator apps, we recommend using the SecurEnvoy Authenticator app as it provides push notification functionality and enhanced copy protection.

SecurEnvoy Soft Token – Additional Security Features


Soft Token Security

SecurEnvoy Soft Token is OATH TOTP compliant, but with additional security enhancements to the OATH specification. These are:

  • Secure Copy protection locks the Seed record for generating passcodes to the phone. The innovative approach allows the SecurEnvoy security server to generate the first part of the seed; the second part of the seed is generated from a “Fingerprint” from the phone when the Soft Token application is run for enrolment and each time the Soft Token application is run to generate a passcode.
  • Protection of the Seed records. The Seed records are dynamically generated by the Server/phone and are stored with a FIPS 140 approved encryption algorithm. This encrypted data is generated and stored at the customer premises. SecurEnvoy do not store or keep any sensitive customer seed records.
  • Stored data. All stored authentication data is generated and encrypted with AES 256-bit encryption and is kept within the customer LDAP server. SecurEnvoy support all LDAP v2 and v3 compliant directory servers, for example Microsoft Active Directory or LDS.
  • Biometric Security. Additional security can be applied by enforcing PIN or Biometric to accept push notifications or unlock OTP codes.

Security Watermarking

The SecurEnvoy Security Server deletes the used passcode and any previous passcodes from the system, thereby mitigating replay attacks that use the used passcode or any previous unused passcodes. This process is known as “Watermarking”.
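The replay rule described above can be sketched with a standard OATH TOTP check (RFC 6238) that records the highest accepted time step per user. This is an added example, not SecurEnvoy's code: `WatermarkedVerifier`, the one-step drift window and the in-memory store are assumptions, and the seed is the public RFC 6238 test value.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per time step (RFC 6238 default)
DIGITS = 6     # passcode length
WINDOW = 1     # accept +/- 1 step of clock drift (assumed policy)


def totp(seed: bytes, counter: int) -> str:
    """HOTP value (RFC 4226) for one time-step counter, HMAC-SHA1."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class WatermarkedVerifier:
    """Hypothetical verifier: remembers the highest accepted step per user."""
    def __init__(self):
        self._watermark = {}   # user -> last accepted counter

    def verify(self, user: str, seed: bytes, passcode: str, now: float) -> bool:
        current = int(now // STEP)
        floor = self._watermark.get(user, -1)
        for counter in range(current - WINDOW, current + WINDOW + 1):
            if counter <= floor:
                continue   # used, or older than a used one: never valid again
            if hmac.compare_digest(totp(seed, counter), passcode):
                self._watermark[user] = counter   # advance the watermark
                return True
        return False


def demo() -> list:
    seed = b"12345678901234567890"   # RFC 6238 test seed, not a real secret
    v = WatermarkedVerifier()
    t = 59.0                          # RFC 6238 test time, counter 1
    older = totp(seed, 0)             # previous step, never submitted
    fresh = totp(seed, 1)
    return [
        v.verify("alice", seed, fresh, t),                  # first use
        v.verify("alice", seed, fresh, t),                  # replay of used code
        v.verify("alice", seed, older, t),                  # earlier unused code
        v.verify("alice", seed, totp(seed, 2), t + STEP),   # next time step
    ]


if __name__ == "__main__":
    print(demo())
```

In a real deployment the watermark has to be persisted and updated atomically with the accept decision, otherwise two concurrent submissions of the same passcode can both succeed.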

Automatic Time Re-sync

When a user travels overseas, typically their phone will sync to the new country time once they have arrived at their destination. The OATH-compliant algorithm then derives passcodes based upon this new time, which could be many hours forward or backward in time. SecurEnvoy has a unique approach that handles this situation, allowing completely unhindered worldwide travel for the user.