Mobile tokens, also called mobile authenticators, software tokens, or soft tokens, are mobile apps for iOS and Android that supplement two-factor authentication (2FA) for various online applications, both on the web and in mobile apps.
In this quick overview, we’ll elaborate on the two main approaches to mobile tokens that we see on the market and compare their pros and cons.
Code-Based Mobile Tokens
Code-based mobile tokens generate temporary one-time passwords (OTPs); the user authenticates by typing the OTP into an application. OTPs generated by code-based mobile tokens are typically 6-8 digits long and are valid for 30 seconds.
The most well-known example of a code-based mobile token is Google Authenticator, but many more alternative apps exist. The apps usually focus only on authentication and don’t include any additional advanced security features. However, some variants do provide additional security features, including:
- Access protection via PIN code or local device biometrics (such as Face ID and Touch ID)
- A QR code scanner or data entry linking the OTP with current transactions
These tokens typically implement the simple HMAC-based OTP (HOTP) or time-based OTP (TOTP) protocols, with possible minor variations, which gives them the following strengths and weaknesses.
Pros of Code-Based Mobile Tokens
- Standardized implementation
- Universal usage: Code-based mobile tokens can be used anywhere an OTP can be entered
- A familiar approach for the end user
- One app for multiple accounts, which leads to easier adoption
Cons of Code-Based Mobile Tokens
- Manually re-typing codes is inconvenient
- Not resistant to phishing or social engineering
- OTPs can be stolen by Android malware or remote desktop apps
- OTPs aren’t usually linked to a specific operation
Codeless Mobile Tokens
In contrast to the code-based approach, codeless mobile tokens use strong cryptography under the hood and rely on a data channel to fetch operations and send back approvals.
From the user's perspective, there are no codes to re-type and no data to enter. For example, a user can initiate payment approval by scanning a QR code or via a push notification. The token app instantly displays the operation details on the screen, and the user can approve or reject the operation after confirming with the device's local biometrics (such as Face ID or Touch ID) or a PIN code.
As codeless mobile tokens are often highly specialized, they often include extended security features, such as:
- In-app protection that complies with OWASP MASVS resilience requirements
- Resilience against mobile malware and remote desktop attacks
- Additional measures that complicate various phishing scenarios
Codeless mobile tokens often leverage proprietary protocols, although there is a growing trend towards standardization with protocols like OAuth 2.x CIBA, FIDO2, or Verifiable Credentials/Verifiable Presentations (decentralized identity).
Pros of Codeless Mobile Tokens
- Better user experience and faster approvals
- Supports dynamic linking and WYSIWYS (What You See Is What You Sign)
- Often includes phishing and social engineering protection features
- Resistant to malware, remote access tools, and other tampering
Cons of Codeless Mobile Tokens
- Still susceptible to social engineering
- Less standardized implementation options
- Requires online access
- One app for one account
Summary
Both approaches to mobile tokens — code-based and codeless — have merit and are suitable for particular applications.
A code-based approach may be the faster way of adding 2FA for applications with lower security requirements. Moreover, users can use a single familiar app, such as Google Authenticator, for multiple services.
However, codeless mobile tokens that are tailor-made for a specific service are typically better for security-sensitive and regulated applications, like banking or government apps. In addition to improved security, they also provide a more positive user experience. And while these tokens usually can’t be used to store multiple accounts, solutions like identity federation allow them to be used across multiple applications through a single provider.