What is a soft token?

Advantages of soft tokens

Soft token applications are available for all major mobile and desktop operating systems, including iPhone, Blackberry Android, Mac OSX, Windows Phone 7, 8, 10, and more. They allow users to move seamlessly and securely between devices, with no additional cost or helpdesk input required. Any previous device can be deleted, rendering it safe to sell or dispose of.

What’s more, multiple soft tokens can be enrolled and used in the same app for multiple servers – eliminating the need to carry several hardware tokens or install numerous soft token apps.

Users can even self-migrate to a new phone by simply enrolling their device. The previous phone is used to make a two-factor authenticated enrolment of the new device – via SMS, or an app. Once the new phone is provisioned (with a new seed record) the security server automatically deletes the old phone’s seed record.

Eliminating administrative strain

The simplified management capabilities offered by soft tokens mean IT administration demands are significantly reduced. Not only does automated user deployment make enrolment easier, it also lessens the ongoing burden for IT. This places the user in control of which device they use and the type of authentication method they prefer.

User deployment can be achieved on Group membership, OU or any other LDAP filtering. Advanced soft token solutions (like ours) will also have a reporting function, providing detailed information about what mode of operation each user is set-up for, allowing administrators to easily control and monitor their two-factor authentication estate.

In addition, soft tokens can automatically handle international time zone changes when travelling – a critical consideration for global businesses, or those with a mobile workforce.

Steadfast soft-token security

Most soft tokens systems will offer OATH TOTP compliance. But some advanced authentication vendors will also offer additional security enhancements. One example of this is secure copy protection – which locks the seed record to the phone. This innovative approach allows a security server to generate the first part of the seed, with the second part generated via a “fingerprint” from the phone each time the soft token application is run.

Advanced authentication solutions will also encrypt seed records using FIPS 140-2, and they’ll ensure they do not store or keep any sensitive customer seed records. Finally, OATH TOTP compliance can be further improved on with AES 256-bit encryption and storage on the customer’s LDAP server.