The use of physical security tokens during two-factor authentication has been a fairly common practice in corporate America. It creates a more secure system. An annoyance of this process has been the need to carry the physical token. There are many form-factors, but resemble key fobs. If you forgot or lost the token, you would need to contact the IT administrator to login to your computer. Imagine if you are about to present at a meeting, but unable to login. Awkward…
Citi Bank is now rolling out a soft-token system for their clients. Instead of a key fob, users can download a Citi Bank app to generate login credentials. This has many advantages. One is less likely to lose an essential item like a mobile device than a keychain. Most people have their phones with them constantly, so users have the power to login to their financial systems whenever they want. They will not have to wait to receive a physical token, which can take days if you work in a geographically dispersed company. Finally, less paperwork! The process of getting physical tokens at a company takes signatures. Soft tokens have great advantages that Citi Bank’s clients will benefit from.
Link: https://www.finextra.com/newsarticle/30048/citi-ditches-physical-tokens-for-app-based-login-to-corporate-platforms
I think it will be interesting to see how soft tokens work over physical in reality. While on paper, using soft tokens through an app interface on your phone seems like a much more convenient way of logging into a financial information system, the idea of using a two-step authentication with one piece being physical is the added security the need of a physical key fobs adds.
With software being used to generate previously physical tokens, the question of the possibility of fraud arises as we have been discussing in class, because with the token credentials being created virtually, it adds room for hackers to figure out a way to hack in keys or create phoney keys to login, something that is more difficult to imitate with a physical option.