Hard Tokens vs. Soft Tokens

A hard token allows you to access software and verify your identity with a physical device rather than relying on authentication codes or passwords, but still uses multiple factors in authorizing access to software. You may have also heard hard tokens called key fobs, security tokens or USB tokens, among other names. The key is that hardware is used instead of software to increase security. 

A core feature of hard tokens is a screen for inputting and requesting access. This action can be done through an authentication code, biometric data, fingerprints, cryptographic keys or a secure PIN. The types of tokens used can include USB tokens, Bluetooth tokens, smart cards and more. In general, hard tokens are small and designed to be easily carried on a keychain or in a pocket or purse.

Other types of hard tokens include connected tokens, which need a physical connection to automatically connect or transfer data and require host input services installed on the intended device. USB tokens and smart cards are common connected tokens that are still popular today. 

Disconnected tokens are the most common types of hard tokens. They require two-factor authentication, usually including a PIN, before allowing access. While disconnected tokens don't need to be plugged into their intended device, authentication is manually entered through a small screen on the token itself. 

Soft tokens don't so much have "types" in the same sense as hard tokens, as they perform a variety of authentication options based on the program or app you choose for your authentication method. This process usually incorporates two or more steps to ensure maximum security, and can include one-time passwords that last a limited time (often associated with RSA SecurID soft tokens, which allow for approximately one minute before generating a new one-time password to use). Authentication codes can also be sent to your smartphone or other connected device, or even use biometric data. 

Hard tokens, while considered incredibly secure, do have their downsides. Carrying a small physical "key" for your access can lead to problems if it gets lost, for example. Also, hardware token batteries have a limited life and cannot be recharged, with the typical lifespan being between three and five years. For small businesses, this expense can add up: after all, hard tokens, being a physical object, are a monetary investment in terms of their procurement.

Soft tokens have some benefits and drawbacks worth considering as well. They tend to rely on apps on devices such as smartphones to work, so you have to make sure to always have your phone with you when you want to use these devices. Smartphone batteries tend to die much faster than hard token batteries, but your authentication needs can often be transferred between devices as needed.

Another consideration is the price. While hard tokens have come a long way in both convenience and security, they're an investment and one that may not be the most convenient for small businesses. However, that price gets you high-quality security and reliability without the security concerns of hacked devices or compromised software. Soft tokens, on the other hand, are usually free to use and compensate for potential security issues through multi-factor authentication methods that are often time-based.

In short, it depends on your business needs. To answer this question, you have several considerations to keep in mind: price, ease of use and confidentiality. For little to no cost, a simple SMS authentication or RSA soft token is the way to go, especially if there's not much need for securing private data. However, if the need for security of confidential information is high, contactless hard tokens are easily the best bet, as they do not store any of the user's data and are not subject to hacking.

If you're considering the use of biometric information in your security tokens, keep in mind that it's still quite costly to implement, though worth it if your business handles highly sensitive information. In many cases, two-factor authentication is a reliable solution for accessing software as needed. However, in case one or both authentication factors are compromised, a hard token backup is very secure and reliable.

Whether you're considering products like RSA soft tokens vs. hard tokens for your company's security needs, our experts are available to advise and help you with in-depth information about choosing security or authentication tokens that best suit your needs.