Software token

A Software token is a type of two-factor authentication security device that may be used to authorize the use of computer services. Unlike hardware tokens that store the user’s credentials on an external device away from a desktop computer, laptop, PDA, or mobile phone, software tokens are designed to operate on a particular electronic device.

Software tokens are considered to be weaker than hardware tokens as they are exposed to threats such computer viruses and other malicious software attacks. However, the benefits of the software token is that there is no physical token to carry, they do not expire (no batteries), and they are cheaper than hardware tokens. ^[1]

There are two primary architectures for software tokens: shared secret and public-key cryptography.

For a shared secret, a administrator will typically generate a configuration file for each user. The file will contain a username, a personal identification number, and the secret. The file is given to the user. However, this can make the system vulnerable due to the potential of having the file is stolen and the token copied. With time-based software tokens, it is possible to borrow an individuals PDA or laptop, reset the clock and generate codes that will be valid in the future. Any software token that uses shared secrets and keeps the PIN (the first factor) with the shared secret (the second factor) in a software client can be stolen and subjected to an offline attacks. Shared secret tokens can be difficult to distribute, since each token is essentially a different piece of software. Each user must get an appropriate secret, which can create time constraints.

Some newer software tokens rely on public-key cryptography, or asymmetric cryptography. This architecture eliminates many of the traditional weaknesses of software tokens. A PIN can be stored on a remote authentication server instead of with the token client, making a stolen software token no good unless the PIN is known as well. If there are attempts made to guess the PIN, it can be detected and logged on the authentication server; which can disable the token. Using asymmetric cryptography also simplifies implementation as the token client can generate its own key pair and exchange public keys with the server. Yet software tokens remain dependent on the integrity of the computer on which they reside.

• RSA's software tokens
• VASCO's Digipass, Authentication tokens
• Deepnet Unified Authentication Platform
• KerPass OTP token for mobile phone.
• Secure Computing's software tokens
• Mega AS Consulting Ltd's software tokens
• PassGo Technologies' software tokens
• Open Communications Security's m-Trusted mobile token

• KerPass UST token for mobile phone and provides ECDSA mobile digital signature.
• WiKID Systems' software tokens
• WiKID's project page at sourceforge

• Multifactor authentication
• security token
• eAuthentication
• Cellular Authentication Token

• Microsoft to abandon passwords,
• Banks to Use 2-factor Authentication by End of 2006
• WiKID System's Sourceforge page