What is a bank token?
A bank token can be an easy-to-use hardware token, such as a key fob, USB key, or smart card. It can also be a soft token, such as a standalone authentication app from an app store, that is installed on a mobile device or integrated into a mobile banking application. Bank tokens deliver one-time passcodes (OTP) to authenticate a digital banking user when they are logging in or doing financial transactions. Bank tokens, hard and soft, can be used as part of a two-factor authentication (2FA) or multi-factor authentication (MFA) process, which combines two or more of the following factors:
- Something you know, such as an OTP or the answer to a secret question
- Something you have, such as your mobile device
- Something you are, such as a fingerprint or facial scan
For example, your mobile phone can be used to authenticate your login because it’s something you have, and it can be combined with another means of authentication such as a soft token. This could be an authenticator app where you are prompted to tap on a button and an OTP is generated on your device to achieve 2FA. A hardware bank token can also be used; it would generate a one-time passcode, which is something you know, to log in to your device, which is something you have. Bank tokens make it more difficult for criminals to carry out fraudulent transactions on someone else’s bank account.
How bank tokens enhance security
Bank tokens provide strong protection for online and mobile banking customers because they link an authorized user to their registered devices to help prevent fraud. If a customer loses their smartphone, they usually know almost right away. If they use a soft bank token, the customer and the bank have the ability to shut down the device quickly to prevent unauthorized access and fraudulent activity. If the hardware bank token is lost, the customer can report it immediately, too.
Hardware tokens (also known as hardware authenticators) also help prevent social engineering attacks such as phishing, which use emotional appeals in emails or texts to convince customers to click on malicious attachments or links.
Many banks use hardware and software bank tokens to replace usernames and passwords. Relying only on usernames and passwords is not enough to keep customers’ accounts secure due to the regular occurrence of data breaches, leaked personally identifiable information (PII), and account takeover attacks. Software tokens can also help prevent phishing attacks that lead to account takeover.
How bank tokens improve customer experience
Bank tokens provide a secure customer experience because customers no longer need to keep track of passwords, reducing unnecessary friction for them. First, soft tokens are simple and user friendly; they are expected to grow in use due to smartphone and mobile app adoption. Second, some customers may be more comfortable using hard tokens because they aren’t as tech savvy. Overall, many customers want both hard and soft tokens. They like and want the convenience of using their mobile device, knowing that if something goes wrong, such as the phone getting lost or stolen, or if its battery dies, they have a hardware backup.
Banks are migrating to software tokens
Case Study #1: Modernizing Authentication with a Bank Token App
The Challenge: U.S.-based EagleBank has been moving to soft bank tokens as customers increasingly prefer to use their mobile devices for banking services. Since 2017, EagleBank has been migrating away from hardware bank tokens that generate an OTP, or a token code, for activities such as a wire transfer or ACH initiation for electronic payments and deposits. The bank, which offers commercial banking services, rolled out soft tokens in 2018.
EagleBank decided to launch an independent software authentication app, called the “EagleBank Soft Token App,” featuring the bank’s logo and brand colors to help with customer recognition. As a result, customers no longer need to memorize and manually key in a number when authenticating, as they do with a hardware bank token. New customers are now onboarded with the EagleBank Soft Token App.
Result: In the first nine months after launch, 95% of new EagleBank customers signed up to use the soft token app. The bank also reduced the time required to onboard new customers from days to minutes, as a result of the soft bank token.
Case Study #2: Authenticating with Software and Hardware Bank Tokens
The Challenge: The Bank of Cyprus had been distributing hardware tokens to their customer base for years. However, as customers began shifting to mobile transactions, the shift to soft bank tokens had become more pressing. The bank started using soft tokens and transaction-specific OTPs in compliance with the European Union’s revised Payment Services Directive (PSD2) for electronic payment services to provide the highest level of security possible.
As the leading banking and financial services group in Cyprus, the bank provides retail and commercial banking, investment banking and insurance. For account login and dynamic linking, the bank decided to introduce software authentication integrated directly into the Bank of Cyprus mobile banking app. For customers who do not use the mobile banking app, but still make online payments, the bank offers the ability to receive the OTP authentication code via SMS (online) or scan a Cronto® code (offline). While the bank recommends that customers replace their hardware banking tokens with soft bank tokens, many transactions are still authorized (i.e. dynamically linked) using the OTP from hardware authenticators.
Result: Bank of Cyprus has noted that people who purchased the soft bank token don’t want to go back to using a hardware authenticator.
Bank tokens, hard and soft, help provide a secure digital banking experience. While some customers may prefer soft tokens, hard tokens can still be used as a backup, or in a case where there is no network coverage. Bank tokens can increase customer loyalty and growth because of their easy, yet secure experience in providing strong customer authentication. The use of these security tokens can also give customers the confidence to do higher value banking transactions online.