IT Multi-Factor Authentication: Hard Vs. Soft Token
Thinking of implementing a multi-factor authentication (MFA) solution for your business? You likely have a lot of questions.
If you are just beginning the process of exploring MFA options, you may have heard people talk about hard and soft MFA tokens. What’s the difference? How do they work? Is one better than another? Does it matter?
Although it’s a rather simple topic for some people, I’m writing this article because it’s a question I hear a lot in my job as an IT service engineer.
In this article, we’ll explain what a token is and why it’s used. We’ll also explore the differences and similarities between hard and soft tokens as well as the advantages and disadvantages.
Prepared with this information, you’ll be able to decide which option will work best for your business.
What Is MFA?
We’ll start at the beginning. For those who may not know, MFA is a security method that requires people to provide multiple pieces of identification before accessing an application, website, or other IT service.
What Is An MFA Token?
An MFA token is one of the identification and authentication tools used to differentiate authentic users from other people who may be trying to gain unauthorized access to an organization’s infrastructure, tools, and devices.
What Do Tokens Do?
Along with a username and password, MFA tokens help validate the identity of people trying to access networks, systems, and devices. As we’ve mentioned, there are two kinds of tokens: hard and soft.
What Is A Hard Token?
The term “hard token” (an abbreviation of “hardware token”) typically refers to a badge, key fob or other physical device that users may need to swipe or provide information from to gain access to the internal IT infrastructure and devices.
Advantages Of Hard Tokens
Hard tokens offer advantages when compared to soft tokens including:
Hard tokens can’t be hacked, so they provide an impenetrable level of security.
Because they last for 3-5 years, hard tokens are a cost-effective tool.
Hard tokens last and are resilient. Since they aren’t easily broken, they are a reliable, high-quality MFA solution.
4. Ease Of Use
Hard tokens are easy to use and typically require users to simply swipe a badge or type in a numeric password.
5. Standalone Functionality
Hard tokens do not require network connectivity or a secondary device to function.
6. Ease Of Setup
Since they do not require software installation or account activation, the setup for hard tokens is easier than that of soft tokens.
Disadvantages of Hard Tokens
As with all things in life, there are disadvantages to hard tokens as well.
Since hard tokens are in physical form, they can be lost, misplaced, or stolen.
While they aren’t inherently expensive, hard tokens must be replaced after 3-5 years, which can lead to a considerable cost, especially for small businesses.
Which Businesses Are A Good Fit For Hard Tokens?
In general, larger businesses that have moderate to high security risk are a good fit for hard tokens.
Because of the size of these organizations, replacing the tokens every 3-5 years won’t present a huge financial impact, and they have the resources to track and lock down lost or stolen credentials and issue replacements.
Which Businesses Are Not A Good Fit For Hard Tokens?
Small businesses with lower security risk typically don’t have the financial and human resources necessary for managing hard tokens.
What Is A Soft Token?
A soft (or “software”) token is a type of software app that requires users to confirm they are the person requesting access.
Because soft tokens rely on apps, the only requirement is that you have your smartphone with you, which most of us do 24/7. Typically, all that is required is to respond to a push notification to verify your identity. There is no messing with entering additional passwords or looking for your fob.
Many soft tokens are available at low or no cost and, because they are application based, there is no cost to update to the latest version of the software.
1. Ease of Use
Soft tokens rely on apps, so you need to always have your phone with you when gaining access.
Having said that, some soft tokens have an option to remember a user for up to 8 hours, reducing the number of times the user needs to re-engage the soft token.
2. Work/Life Balance
People who aren't issued company cell phones often object to installing a work-related app on their personal device.
As with other types of software, soft tokens can be hacked.
Developers compensate for this potential hazard by giving users a limited amount of time to verify their identity before timing out and requiring users to start the login/verification process again.
Because they rely on verification via another device, soft tokens need internet or cellular connectivity to work.
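The verification time-out described above can be enforced on the server as a short-lived, single-use challenge. The following is an added example, not code from the original article or from any MFA product; the `PushChallenges` class, the 60-second window, and the HMAC-signed approval are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

TTL_SECONDS = 60  # assumed approval window; the article gives no figure

class PushChallenges:
    """Hypothetical server-side store of pending push approvals."""

    def __init__(self, device_keys: dict):
        self.device_keys = device_keys  # user -> key enrolled with the app
        self.pending = {}               # challenge id -> (user, nonce, expiry)

    def issue(self, user: str, now: float) -> tuple:
        cid, nonce = secrets.token_hex(8), secrets.token_bytes(16)
        self.pending[cid] = (user, nonce, now + TTL_SECONDS)
        return cid, nonce               # sent to the user's phone as a push

    def verify(self, cid: str, response: bytes, now: float) -> str:
        entry = self.pending.pop(cid, None)  # single use: removed on first try
        if entry is None:
            return "unknown"
        user, nonce, expiry = entry
        if now > expiry:
            return "expired"            # user has to restart the login
        expected = hmac.new(self.device_keys[user], nonce, hashlib.sha256).digest()
        return "approved" if hmac.compare_digest(expected, response) else "rejected"

def app_approve(device_key: bytes, nonce: bytes) -> bytes:
    """What the phone app sends back when the user taps Approve."""
    return hmac.new(device_key, nonce, hashlib.sha256).digest()

if __name__ == "__main__":
    key = secrets.token_bytes(32)       # constructed sample device key
    store = PushChallenges({"alice": key})
    cid, nonce = store.issue("alice", now=1000.0)
    print(store.verify(cid, app_approve(key, nonce), now=1030.0))  # in time
    cid, nonce = store.issue("alice", now=2000.0)
    print(store.verify(cid, app_approve(key, nonce), now=2061.0))  # too late
```

Removing the challenge on the first verification attempt means a captured approval cannot be replayed, and a late approval is refused even if it is otherwise valid.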
Which Businesses Are A Good Fit For Soft Tokens?
Due to their low cost and convenience, soft tokens are a good choice for smaller organizations with minimal security risk.
Which Businesses Are Not A Good Fit For Soft Tokens?
Large businesses with moderate to high security risk are not a good fit for soft tokens due to the potential hacking risk.
What’s The Bottom Line?
Now you have the information you need to decide which MFA token will work best for your organization.
You understand the difference between hard and soft tokens as well as the advantages and disadvantages of each option. You know which businesses are a good and bad fit for the two types of tokens.
The next step is to decide which tool is best for your organization and implement MFA throughout your organization.
You may have an internal IT staff that can handle this project for you, or you may need help from an external IT provider.
At Kelser, we include MFA and tokens as part of our comprehensive managed IT solution, but we know that isn’t the right answer for everyone (and besides, we aren’t here to convince you to work with us).
Whether you decide on soft or hard tokens, the important thing is to implement an MFA solution that works for your organization. A security tool like MFA is only going to work if people use it!
And, if you are considering working with an external IT provider to implement MFA or for any project or long-term partnership, I encourage you to check out several options. I know many IT providers will come in and promise to solve all of your problems without even asking what problems you are having. Beware!
Our philosophy is that you know your business best, so to help you, we need to understand your business goals, strategy, and technology pain points before we can begin to recommend solutions.
The truth is that IT providers use different approaches. It’s important to find one that is the right fit for your business.
We take this advice so seriously that we’ve even published articles on our website that compare our offering with that of several of our competitors (based on publicly available information on the web). Each provider has strengths and weaknesses.
If you are in the market for an external provider, we hope that you’ll consider Kelser, but we also will be honest with you if we don’t think we’re a good fit to work together.
Our 40 years in business have taught us that there is enough business for everyone and that it doesn’t help your business to work with us if we aren’t the right fit for you.
Whether we work together or not, we are committed to providing the information you need to make smart IT decisions for your organization.