Exploring Hard Token Types: Which Is the Best for Your Business?

January 31, 2025

When exploring the various hard token types on the market, here’s why Talisman stands out as the top choice for banks and fintech companies.

Hard tokens are physical authentication devices that provide a secure authentication method without relying on a mobile device or dedicated software.

We’ve written more about how hard tokens work in a previous blog post. Check it out to understand why, although hard tokens are hard to beat in terms of security, the popularity of traditional hard tokens has declined in recent years. 

FIDO2: Paving the Way for the Comeback of Hard Tokens

With the introduction of the FIDO2 standard, hard tokens have been transformed — and today, there are many opportunities to use them for secure authentication. 

FIDO2 technology makes hard tokens a reliable, future-proof method to safeguard against a range of threats, including mobile malware, remote access attacks, and even advanced AI deepfakes.

Comparing Hard Token Types

Hard tokens come in many forms: some of the leading device types include USB keys, smart cards, and OTP generators. In addition, our own Talisman brings a modern approach to hard tokens, combining secure access with the simplicity and convenience of a mobile app.

Given the unmatched level of security that hard tokens provide, it’s clear that banks and fintechs should consider a hard token solution as a reliable method for providing users (especially business banking clients and an organization’s workforce) with secure authentication.

To simplify the process of choosing the right hard token, we’ve created an overview that outlines the pros, cons, and key details of the best options. Our comparison takes key factors into account, including user experience, hardware requirements, protection against phishing and malware, FIDO2 compatibility, PSD2 compliance as well as PSD3 readiness, and more. 

More specifically, we will explore the following most popular hard token variants used in banking:

  • FIDO2 security keys
  • Smart cards with X.509 certificates and external card readers
  • OTP generators
  • Talisman by Wultra

Make an informed decision for your business – check out our hard token comparison chart.

To summarize the above comparison, here’s what you should know about each type of hard token.

FIDO2 Security Keys

FIDO2 security keys are leading the way in modern hardware authenticators: they provide phishing and malware resilience through support built into hardware, operating systems, and web browsers. These hard tokens connect to smartphone browsers and apps or to desktop devices via NFC, USB, or even Bluetooth, and they verify user presence via the touch of a button or authenticate users with a fingerprint scan for app- or browser-initiated transactions.

FIDO2 security keys are a reliable and commonly available option, especially for personal use without strict compliance requirements. These standalone devices, which often come without displays, are easy to set up. However, they aren’t inherently PSD2 compliant (and aren’t ready for PSD3) due to limitations around dynamic linking: for example, they lack the What You See Is What You Sign (WYSIWYS) principle, and they cannot guarantee that the authentication element is blocked after a maximum of five consecutive failed authentication attempts.

Highlights:

  • Seamless user experience.
  • Easy integration: Compatible with systems supporting FIDO2.
  • Lack of compliance: No inherent compliance with PSD2 and not prepared for PSD3.
  • Highest level of security.

Smart Cards with X.509 Certificates and Card Readers

Smart cards offer secure authentication by requiring users to insert the smart card with an X.509 certificate into a reader and authenticate using a PIN code. They depend on external card readers or compatible hardware and often require installation and setup, which can be complicated by hardware or software compatibility issues. 

While phishing-resistant, they aren’t inherently PSD2 compliant or PSD3-ready for similar reasons as FIDO2 security keys. In a nutshell, smart cards serve as a functional and highly secure, yet rather inconvenient choice.

Highlights:

  • Poor user experience: Extra hardware (smart card reader) and software required.
  • Complicated setup: Lengthy and complicated to configure.
  • High level of security.

OTP Generators (Hardware Tokens)

OTP generators provide authentication by generating one-time passwords (OTPs) that users manually input for each transaction. These devices are easy to set up since they don’t require additional software.

OTP generators generally fall into two categories:

1. Single-button authenticators: Devices that generate an OTP code only when the user presses a dedicated button.

2. OTP calculators with PIN entry: Devices equipped with a display and PIN keyboard that allow users to securely enter data and generate OTP codes linked to specific operations.

Single-button authenticators are convenient mainly because of their compact size and ease of use. However, they only add one additional factor to the authentication flow. OTP calculators often support three operation types: logins, payment approvals, and generic challenges. Users enter the operation data via the PIN keyboard and confirm the operation with their PIN. Since inconvenient manual entry is required, these processes, while compliant, are not very user-friendly.

Importantly, no matter which type of OTP generator we examine, they’re vulnerable to phishing attacks that capture OTPs via a fraudulent website. For this reason, we consider them to be an outdated, insecure, and inconvenient choice.

Highlights:

  • Poor user experience: Involves manual data and OTP entry.
  • Easy to integrate.
  • Low level of security.
  • Only OTP calculators can offer PSD2/PSD3 compliance.

Talisman by Wultra

Talisman is a specialized FIDO2 security key tailor-made for banking and financial apps. It lets your users experience seamless and secure app-like authentication for app- or browser-initiated transactions. Logins and payments are confirmed via PIN on a USB-connected device; no external readers, installations, or extensions are required.

Talisman leverages the FIDO2 protocol to protect against phishing and malware, and it combines the use of a PIN and a built-in display to introduce dynamic linking as well as the WYSIWYS principle for trusted transactions. Importantly, Talisman is fully PSD2 compliant and ready for PSD3.
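To make the contrast between the OTP generators and FIDO2 security keys described above concrete, the following Python model is added here as an illustration; it is not Wultra's code and not Talisman's implementation. It implements RFC 4226/6238 OTP generation with the standard library, then a simplified WebAuthn-style assertion and relying-party check. Assumed simplifications: the seed, credential key, RP ID and origins are constructed sample values; an HMAC stands in for the authenticator's asymmetric signature; and the `transaction_challenge` derivation is one hypothetical way a bank could bind a challenge to payee and amount for dynamic linking. The two `simulate_*_relay` functions model a phishing page forwarding what the user produced and return whether the bank's check accepts it.

```python
import hashlib
import hmac
import json
import struct

# Constructed sample values; in a deployment these come from enrollment.
OTP_SEED = b"constructed-otp-seed-0123456789"
CREDENTIAL_KEY = b"constructed-fido2-credential-key"   # stand-in for a key pair
BANK_RP_ID = "bank.example"
BANK_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example-login.invalid"      # constructed lookalike


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with a time-based counter."""
    return hotp(seed, unix_time // step)


def bank_accepts_otp(submitted: str, unix_time: int) -> bool:
    """Bank-side OTP check. Nothing ties the code to the site it was typed into."""
    return hmac.compare_digest(totp(OTP_SEED, unix_time), submitted)


def simulate_otp_relay(unix_time: int = 1_700_000_000) -> bool:
    """User types the device's OTP into a phishing page, which forwards it to
    the bank within the same time step. The bank cannot tell the difference."""
    typed_on_phishing_page = totp(OTP_SEED, unix_time)
    return bank_accepts_otp(typed_on_phishing_page, unix_time)


def transaction_challenge(payee: str, amount: str, nonce: str) -> str:
    """Hypothetical dynamic-linking scheme: derive the challenge from the
    transaction details so an assertion is valid only for that payee/amount."""
    return hashlib.sha256(f"{payee}|{amount}|{nonce}".encode()).hexdigest()


def fido2_assert(origin: str, challenge: str):
    """Browser + authenticator side. The browser (not the web page) records its
    own origin in clientDataJSON; the authenticator signs
    authenticatorData || SHA-256(clientDataJSON). HMAC stands in for ECDSA."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True).encode()
    auth_data = (hashlib.sha256(BANK_RP_ID.encode()).digest()  # rpIdHash
                 + bytes([0x01])                                # flags: UP set
                 + (0).to_bytes(4, "big"))                      # signCount
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    return client_data, auth_data, signature


def bank_accepts_fido2(client_data: bytes, auth_data: bytes,
                       signature: bytes, issued_challenge: str) -> bool:
    """Abridged relying-party verification in the order WebAuthn prescribes."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("origin") != BANK_ORIGIN:            # phishing origin fails here
        return False
    if not hmac.compare_digest(cd.get("challenge", ""), issued_challenge):
        return False                                # replay or other transaction
    if auth_data[:32] != hashlib.sha256(BANK_RP_ID.encode()).digest():
        return False
    if not (auth_data[32] & 0x01):                  # user presence not proven
        return False
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def simulate_fido2_relay() -> bool:
    """Same relay attempt against FIDO2: the user approves on a phishing page,
    which forwards the assertion. The browser-recorded origin gives it away."""
    challenge = transaction_challenge("ACME Ltd", "100.00 EUR", "nonce-1")
    cd, ad, sig = fido2_assert(PHISH_ORIGIN, challenge)
    return bank_accepts_fido2(cd, ad, sig, challenge)


def simulate_fido2_reuse() -> bool:
    """Genuine origin, but an assertion produced for one transaction is
    submitted for another: dynamic linking makes the challenge mismatch."""
    issued = transaction_challenge("ACME Ltd", "100.00 EUR", "nonce-2")
    other = transaction_challenge("ACME Ltd", "9100.00 EUR", "nonce-2")
    cd, ad, sig = fido2_assert(BANK_ORIGIN, other)
    return bank_accepts_fido2(cd, ad, sig, issued)


def simulate_fido2_genuine() -> bool:
    """Legitimate flow: correct origin and the challenge the bank issued."""
    issued = transaction_challenge("ACME Ltd", "100.00 EUR", "nonce-3")
    cd, ad, sig = fido2_assert(BANK_ORIGIN, issued)
    return bank_accepts_fido2(cd, ad, sig, issued)
```

What the model shows is the relying-party side only. The origin check is what makes a FIDO2 assertion useless to a relaying phishing page, and binding the challenge to payee and amount is what stops an assertion from being reused for a different transaction. What no server-side check can provide is the WYSIWYS step: if the transaction details were altered before the bank issued the challenge, only a device with its own display lets the user notice that the payee or amount being signed is not the one they intended, which is the gap the article identifies for displayless keys.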

Highlights:

  • Guided authentication: Delivers a user-friendly app-like experience with no need to transcribe anything from the device.
  • Easy integration: Works with existing systems using FIDO2/WebAuthn.
  • First-rate security and compliance with both PSD2 and PSD3.

For banks and fintech companies facing advanced threats like AI deepfakes, it’s crucial to select a robust hard token solution. Talisman by Wultra provides compatibility through its FIDO2 standard support and comprehensive protection while offering a user-friendly experience, making it the clear winner for financial institutions that prioritize both security and usability.
