Two-Factor Authentication (2FA) Explained: One Time Password Hard Tokens


MFA One Time Passwords Soft Tokens

One time passwords (OTPs) are a popular choice for organizations looking to increase their security posture with two-factor authentication. As a refresher, OTPs are unique passwords that are only valid for a single login session and a defined period of time.

When considering OTPs as an authentication option, organizations must navigate which delivery option best meets their needs—OTP soft tokens, OTP hard tokens, or OTP on-demand methods.

We recently took a closer look at the benefits and drawbacks of OTP soft tokens, so today we will focus on hard tokens.

How OTP Hard Tokens Work

OTP hard tokens are exactly what they sound like: hardware tokens, often in the form of a key fob that can be carried on a user’s keyring.

The hard token generates a random number—which expires after one use and can only be used during a specific period of time—at fixed intervals. When a user needs to log in, they simply enter the number, along with their username and optionally, a PIN or password.

Behind the scenes, the server that is authenticating the user also has a copy of the hard token’s seed record, the algorithm used to generate the numbers, and the correct time. Once validated to match, the user is permitted to access the website, application, or operating system.


Not Vulnerable to Replay Attacks

Using OTPs helps organizations to overcome a shortcoming of traditional (static) passwords: OTPs aren’t vulnerable to replay attacks. Because OTPs are not reusable, even if a potential intruder managed to record an OTP, they wouldn’t be able to abuse it, since the OTP is no longer valid after its initial use.


While soft tokens are installed on mobile devices with operating systems that are vulnerable to attacks and viruses, this isn’t the case for hard tokens. Each hard token is a standalone, factory-sealed device that does not perform any other function. As such, hard tokens are isolated from any network and cannot be externally accessed.

This isolation makes OTP hard tokens more reliable than SMS or email-based OTPs because the OTP isn’t sent to the user over the internet, where it could be intercepted. Additionally, with SMS or email-based delivery methods, the OTP could be visible even on a locked screen if the user has notifications turned on—a non-issue with token-based OTPs.

Better Battery Life

The OTP hard tokens have batteries that typically last 5-7 years. This level of battery life is drastically different than that of the smartphones upon which OTP soft tokens are installed. Smartphone batteries need to be charged daily. If a user’s smartphone battery dies, the user cannot authenticate using a soft token OTP.

Considered a “Tried and True” Method

While OTP soft tokens are a relatively new method, hard tokens have been around for decades. Many organizations already use OTP hard tokens and are comfortable with their long history of reliability due to their self-contained nature and long battery life.



Many OTP soft tokens are mobile apps that can be downloaded for free onto a user’s existing mobile device, but hard tokens are physical devices that must be bought for every user. Replacements must also be purchased as needed.

Can Be Lost or Stolen

Hard tokens are small devices that can be lost, stolen, or forgotten. If this happens, users will not be able to authenticate with this method. Hard tokens are also not protected by PINs or TouchIDs like mobile devices are, meaning others can generate and view passwords if they obtain the token.

More Difficult to Administer

Hard tokens have to be registered by an administrator and physically given to each user. If a user is remote or in another location, this means additional shipping costs. For an organization with a large global or remote workforce, this can be inconvenient and expensive. Plus, if a token is lost, the process of registration and delivery must be repeated.

Less Convenient

Whereas soft tokens utilize users’ existing smartphones and are very easy to install and access, hard tokens are separate devices that must be carried by users every time they need to authenticate.

Susceptible to Man-in-the-Middle Attacks

Unsuspecting users can be tricked into entering a valid OTP into a fraudulent, phishing site, which would then forward the OTP on to the official site, allowing an intruder to successfully gain illicit access to a user’s account.


Are OTP Hard Tokens Right for Your Organization?

While there are many newer authentication methods on the market today, hard token OTPs are a tried-and-true method for organizations to introduce an additional layer of security to their operations. While they are more costly and difficult to administer than smartphone-based authentication methods, hard tokens are still considered highly reliable due to their self-contained nature and long battery life.

Keep reading our Two-Factor Authentication Explained series for a look at the benefits and drawbacks of commonly used authentication methods, including our upcoming blog post about on-demand OTP delivery methods.

Download our guidebook to learn which authentication methods are recommended for different user scenarios.


Subscribe Here!