Hardware or Software Tokens - A comparative review

Hardware or Software Tokens - A comparative review

2
 Hardware or Software Tokens - A comparative review

1. Abstract ........................................................................................................................................... 3
2. Introduction ..................................................................................................................................... 4
2.1. Background ........................................................................................................................... 5
2.2. Purpose/Research Objectives ........................................................................................... 5
2.3. Motivation/Why are you researching the selected topic? .............................................. 6
2.4. Research Problem/Problem Statement/Research Questions ...................................... 6
3. Literature Review .......................................................................................................................... 7
3.1. Latest and Relevant articles on the selected topic ......................................................... 7
3.2. Summary of articles .......................................................................................................................... 8
3.3. Strengths and Limitations of Existing Studies, Comparative Analysis/justifications. 9
3.3.1. Strengths and weaknesses of authentication tokens ......................................................... 9
3.3.2. Software tokens or hardware tokens in online banking ..................................................... 9
4. Identified Problem and Proposed Solution..............................................................................12
4.1. Description ..........................................................................................................................12
4.2. Comparison with existing similar functionality methods /algorithms/ techniques ....12
4.3. Strengths and Limitations .................................................................................................12
5. Research Methodology ..............................................................................................................13
5.1. Procedures / Search Strategy..........................................................................................13
5.2. Tools/Sources/Databases .................................................................................................15
5.3. Organizing Literature .........................................................................................................16
5.4. Limitations/Emerged Obstacles .......................................................................................16
5.5. Summary of Procedures ...................................................................................................16
6. Results ..........................................................................................................................................16
6.1. Software token ...................................................................................................................17
6.2. Hardware token ..................................................................................................................18
7. Discussion ....................................................................................................................................20
7.1. Goal Fulfillment ..................................................................................................................20
7.1.1. RQ1. “What are the strengths and weaknesses of current software-and
hardware-token-based methods for authentication?” ....................................................20
Software tokens .............................................................................................................20
Hardware tokens............................................................................................................21
7.1.2. RQ2. “Which of the two token types should online banks implement to verify a
client's identity?”...................................................................................................................21
7.1.3. Summary....................................................................................................................21
3
 Hardware or Software Tokens - A comparative review

7.2. Analysis of Methodology ...................................................................................................21

8. Conclusions and Future Recommendations ...........................................................................22
9. References ...................................................................................................................................23
10. Time Plan ...................................................................................................................................24
10.1. Risk Analysis ....................................................................................................................25

4
Hardware or Software Tokens - A comparative review

5
 Hardware or Software Tokens - A comparative review

1. Abstract
This literature review examines the benefits and strengths of software and hardware
tokens to identify which token type should be used for authentication purposes in online
banks. An authentication token is a unique one-time-use code generated by different
algorithms that can be used to sign into digital services. The difference between software
and hardware tokens is the physical medium that the token is accessed on; an example of
a software token could be a code sent over SMS, and a hardware token could be a
physical device that internally creates and displays codes periodically. The approach used
to conduct this study was to analyze relevant articles relating to the subject by searching in
academic databases so that arguments for or against each token type could be found. The
results of this research paper suggest several security concerns regarding current
implementations of software tokens, whereas hardware tokens can offer better security.
However, if convenience is considered, do software tokens provide higher useability
compared to hardware tokens? While this study highlights a number of arguments for and
against each token type, for future studies it is suggested that a more comprehensive
systematic literature review is conducted to provide a more extensive view of the strengths
and weaknesses of hardware tokens and software tokens.
Keywords - authentication, software token, hardware token, security, online
banking, one-time password

6
 Hardware or Software Tokens - A comparative review

2. Introduction
Since the popularization of the Internet, banking has evolved to fit the modern
technological landscape. Digital banking's popularity is only growing, making it a target for
attackers and other bad actors [7]. As banks develop and implement countermeasures to
protect their and customers' assets, a vital aspect of this security is validating or verifying
users and managing who gets access to what. Authentication is the link that allows or
disallows such as identity theft or phishing scams. These attacks count on being able to
steal information and use it to access a bank customer's account wrongly [6].

An article published on riksbank.se showcases a ~40% rise in card fraud in 2022 and 2023
and attributes it “mainly related to fraud where the fraudster has stolen card details but
does not have access to the physical card.” [8]. The website further claims that this is
possible due to lacking verification being taken advantage of.

Several verification methods can be used to authenticate the identity of users online. In [9],
the methods are listed: single-level authentication with username and password, two-factor
authentication, and token-based authentication. A token is a computer-generated code
that can be used as a user's digital signature, and this token, which is generated on the
server side of an application, is different each time by utilizing different encryption
methods. Bani-hani et al. [6] discuss the threats to common authentication
implementations: “Passwords and PIN are vulnerable to a variety of insidious threats such
as dictionary attack, brute force attack and password guessing attack.” [6, p. 2].

Token authentication can be implemented via different mediums, such as software and
hardware. An example of a software token could be a server-generated one-time
password sent to a user via SMS or email. This password is single-use, and the user has
to request a new one for each login [20]. A hardware token could be a physical device that
generates codes internally and is displayed on a screen [10] or a smart card that contains
a stored unique value that can verify a user's identity [17].

As The landscape of digital banking continues to grow, the relevance of the methods of
authentication rises as well. Verification is a core principle of digital security, making it a
crucial part of online banking, which can defend against threats such as hackers or fraud.

Due to this importance, this paper aims to analyze software and hardware tokens and
compare them to comprehensively understand their strengths and weaknesses, and which
of them should be implemented in online banking systems.

7
 Hardware or Software Tokens - A comparative review

2.1. Background
The accessibility of paying through an online service and ease of use are arguments
Masihuddin et al. [5] mentioned to motivate the increasing usage of online payment
applications compared to physical money. In the article, they also bring up the main
security concerns for an E-payment system: integrity, accessibility, and confidentiality. By
integrity, it refers to the fact that no money should be moved without the client’s
permission. Accessibility means that “All factions need to have the capacity to make or get
payments whenever the need arises” [5, p. 9]. The security concern for confidentiality only
allows authorized clients to access payment services and bank accounts.
Confidentiality is a significant concern for these types of services regarding trust because
flawed security can hurt users and lessen the acceptance of a product [5]. For the same
reason that a passport is required to board an airplane, a trustworthy method for verifying
the identity of a user is needed to access an online payment application. Without it,
anyone accessing a client’s credentials or device could issue payments or transfer the
money to another account.
One such method for authentication that has been used in banking previously is hardware
tokens that come in the form of physical devices that periodically generate a code that can
be used to verify a user’s identity. With the developments of smartphones and access to
high-speed internet, another form of token authentication has started to become more
widely adopted, software tokens. These come in the shape of mobile applications that
periodically generate codes or codes sent over SMS or email to users.

2.2. Purpose/Research Objectives

This paper aims to do a literature review, documenting the current research on different
implementations of authentication tokens to be used by online banking applications. This
research presents an overview of the topic of the strengths and weaknesses of software
and hardware tokens, to highlight what each method can provide to online banking in
terms of security, usability or other factors for example.

2.3. Motivation/Why are you researching the selected topic?

As physical money becomes less widely used and new digital threats to online
transactions emerge, the banks’ task of protecting people’s accounts becomes more
important. It is, therefore, crucial that there are measures to ensure that a person
attempting to sign in to a bank account is the real owner of that account. Digital banks

8
 Hardware or Software Tokens - A comparative review

today implement several different authentication methods, with their respective benefits
and drawbacks regarding security.
Since bank verification is an essential aspect of digital banking and weak systems can
lead to significant losses for people, this field is a crucial area for discussion and
development to mitigate losses and protect users. Furthermore, this literature review aims
to consolidate and present information regarding digital banking verification. After
reviewing existing studies and literature surveys on online authentication, it is evident that
gaps exist in existing literature when trying to find comparisons between software tokens
and hardware tokens.

2.4. Research Problem/Problem Statement/Research Questions

The research questions guiding this study are:
1. What are the strengths and weaknesses of current software-and
hardware-token-based methods for authentication?
2. Which of the two token types should online banks implement to verify a client's
identity?

9
 Hardware or Software Tokens - A comparative review

3. Literature Review

3.1. Latest and Relevant articles on the selected topic

Article ID Article name and citation Article topic(s)

A1 What are the motivations and barriers for incorporating multi-factor Software token,
authentication among IT students? [10] hardware token

A2 “Revisiting Multi-Factor Authentication Token Cybersecurity: A TLS Identity hardware token

Module Use Case” [11]

A3 “PSD2 Compliant Hardware Token for Digital Banking,” [12] hardware token, software
token

A4 “Bank Application: One-Time Password Generation,” [13] Software token

A5 “Ensuring Trust and Confidence: Safeguarding Online Banking Transactions Hardware token,
with Multi-layered Security in Malaysia,” [14] software token

A6 “Online Authentication Methods Used in Banks and Attacks Against These Software token
Methods,” [15]

A7 “Security Issues of Electronic and Mobile Banking:,” [16] Hardware token,

software token

A8 “Usable and secure? User perception of four authentication methods for mobile Hardware token
banking” [17]

A9 “Usability Testing of Memorable Word in Security Enhancing in e-Government Software token

and e-Financial Systems,” [18]

A10 ‘The application of multi-server authentication scheme in internet banking Hardware token
transaction environments’ [19]

A11 “Assessing the Attacks Against the Online Authentication Methods Using a Hardware token, software
Comparison Matrix: A Case of Online Banking,” [20] token

A12 “Experimental Study on One-Time Password used in Authentication within Hardware token, software
Norwegian Banking” [21] token

Table 1. Shows the list of gathered relevant articles on authentication using tokens.

10
 Hardware or Software Tokens - A comparative review

3.2. Summary of articles

The table below summarizes each article's goal and approach to investigating different
aspects of software tokens and hardware tokens.

No. Summary

A1 [10] This study aimed to identify motivations and barriers to implementing

multi-factor authentication for students. It also aimed to identify areas for
improvement in education and tools used in Multi-factor authentication.
Students from a network and sysadmin program at the University of Skövde
were interviewed to accomplish this.

A2 [11] This article proposes a new design for a hardware token. The motivation is
that current manufacturers of hardware tokens rely on security by obscurity to
varying degrees in how security measures are implemented. To accomplish
this, a model for a hardware token was created using open-source hardware.

A3 [12] This study proposed a design for hardware tokens that comply with the EU
Payment Services Directive 2 (PSD2). A proof-of-concept model was created
to support the validity of the proposed design.

A4 [13] This paper aimed to propose a model for designing one-time passwords
(OTPs). This model addresses OTP vulnerabilities such as phishing and
spyware attacks. A literature survey was conducted on articles mentioning
OTP vulnerabilities in designing this model.

A5 [14] This article evaluated the authentication measures implemented in online

banks in Malaysia to provide insights into how multi-factor security is used in
digital banking. To investigate this, several existing bank applications were
tested to identify authentication measures.

A6 [15] This study aimed to evaluate the authentication methods used in Dubai's
online banks and assess their security. To accomplish this, a literature survey
was conducted to identify current authentication methods and determine
whether each has vulnerabilities.

A7 [16] The study aimed to identify and draw attention to security concerns in
electronic banking systems. The methodology used for this paper was to
conduct interviews with 60 people with varying degrees of knowledge of digital
threats.

A8 [17] This research paper investigated the user perception of mobile banking
applications to identify the usability and security of current implementations.
To accomplish this, two separate surveys were conducted with different age
groups.

11
 Hardware or Software Tokens - A comparative review

A9 [18] This paper aims to evaluate OTP (One Time Password) and MW (Memorable
Word) through a study of 60 participants. The study consisted of a mock
application testing the approaches and a questionnaire for the participants.

A10 This paper aims to propose a new method of multi-server authentication and
[19] explain how and why it should be used by addressing flaws in other
approaches.

A11 This article aims to assess authentication methods using comparison

[20] matrices. through these comparisons, the article highlights the strengths and
weaknesses of various data-based methods.

A12 This paper aimed to explore and highlight security flaws regarding OTPs
A12 through a study of Norwegian banks. The study was executed by manually
[21] timing and recording the Generations.

Table 2. Summaries of reviewed articles that discuss authentication tokens.

3.3. Strengths and Limitations of Existing Studies, Comparative

Analysis/justifications
This section will analyze the strengths and limitations of the collected articles based on
their suitability for this study. The analysis will focus on two key topics related to this
literature review's proposed research questions: strengths and weaknesses of
authentication tokens, and software tokens or hardware tokens in online banking.

3.3.1. Strengths and weaknesses of authentication tokens

The strengths and weaknesses identified in Table 5 convey that several articles discussed
different token authentication methods [12, 13, 16]. This is valuable when providing an
overview of the subject's current state.

A limitation of the reviewed papers could be that not all focus mainly on token
authentication, as seen in [10, 11, 14]. This means that the results and conclusions from
these studies may not contain as much relevant material for this literature review as
others. However, they may help by providing a picture of the state of authentication in
online banking, which could prove relevant for RQ2.

3.3.2. Software tokens or hardware tokens in online banking

Most of the gathered articles focus on the online banking perspective when discussing the
real-world application of authentication methods. This is relevant for this study to answer
RQ1. The articles that do not bring up the topic of online banking [10, 11] are still
applicable to this study because of RQ2, which aims to argue for how token authentication
should be implemented in online banks, supported by the findings from RQ1 and relevant
research.
12
 Hardware or Software Tokens - A comparative review

Article ID Strengths Weaknesses

A1 [10] The one-to-one interviews with the The sample size of 10 students may
IT students are thorough, be insufficient to form conclusive
mentioning that each interview took opinions.
30-40 minutes.

A2 [11] Explains how different threats are Focuses mainly on the construction
addressed in the design of the MFA of a hardware token.
device.

A3 [12] A proof-of-concept token device is The testing results for the designed
created to support the proposed hardware token can be considered
solution to the security concerns limited to 30 participants.
listed in the article.

A4 [13] To identify and address OTP The proposed model is evaluated

shortcomings, the proposed OTP based only on the program's
model in this article is based on the performance (encryption speed,
findings from a literature survey on token generation).
known attacks on OTP methods.

A5 [14] To evaluate the authentication Six banks in Malaysia were

methods used in Malaysian online analyzed. May be insufficient to
banks, this article performed form conclusive opinions.
thorough experiments on the
functionalities of each respective
bank.

A6 [15] This is a systematic method for The limited selection of banks

analyzing authentication methods analyzed (6) does not show/include
used in online banking. By first all the comparison matrices used in
listing common methods and the article to compare the different
potential threats to each one, these banks’ security.
findings can then be used to
evaluate the security of existing
banks.

A7 [16] The article examines threats tied to The study is limited in scope to only
SMS-based token authentication SMS-based tokens, which could
providing insights into the make comparisons difficult. It is also
vulnerabilities of the authentication a Poland-centric study on only 60
approach. Polish banking service clients.

A8 [17] 468 participants give a Focuses mainly on the user

comprehensive study of the experience of using different types

13
 Hardware or Software Tokens - A comparative review

perception of the authentication of authentication implementations.

methods,

A9 [18] Directly compares methods giving The scope is limited to Saudi

insight using empirical data Arabia, which might limit
showing attitudes, knowledge and applicability. only 60 participants
thoughts clearly. were used.

A10 [19] Showcases a new cost-effective The implementation presented is

multi-server authentication model, very complex and only theoretical
which allowed further in-depth without real-life testing/verification
discussion on its security ties to making comparisons less grounded
other systems in reality.

A11 [20] The article uses a tested survey to The data collected is limited to 16
try to ensure unbiased results. It banks which is a lot but might not
also covers and analyzes many fully represent banks globally, and
authentication methods and results and conclusions might be
showcases findings using matrices skewed.
and tables.

A12 [21] The article presents found Limited to 4 Norwegian banks, data
weaknesses using empirical data was gathered manually using a
gathered and further explains how stopwatch.
the weakness could be exploited.

Table 3. Describes the strengths and weaknesses of the gathered articles.

14
 Hardware or Software Tokens - A comparative review

4. Identified Problem and Proposed Solution

4.1. Description
Cybercrime is one of the main threats to online banking services and their users; therefore,
security measures must ensure that only authorized users can access their accounts. As
seen in [14, 15], several different authentication methods are currently implemented in
banking systems, bundled with their own advantages and disadvantages. Our proposed
solution to the problem of online authentication is to analyze the advantages and
disadvantages documented in academic research on token authentication methods.

4.2. Comparison with existing similar functionality methods

/algorithms/ techniques
The topic of online authentication has been discussed in previous studies. There are
multiple suggested methods for this, such as using biological features (face, iris,
fingerprints), knowledge-based (passwords, PIN), and possession-based methods
(smartphone, card, device) to verify the identity of a user.

The advantage of knowledge-based authentication methods is that they are easier to

implement than the previously mentioned ones. However, a weakness of these methods is
that they are vulnerable to threats such as guessing attacks, brute force attacks, and
dictionary attacks.

Due to the developments in both hardware and software in the past 10 years, a new
authentication method of using biometrics to verify the identity of a user has started to be
implemented in smartphones, for example. A key strength with this method is that the user
does not have to remember a code, or carry an external device to authenticate. The main
downside of this approach is that it is more advanced to create, allowing it to recognize a
user even if there is ‘noise’ obstructing the face or finger. Such noise is made by wearing
sunglasses or not having the entire finger on the scanner.

4.3. Strengths and Limitations

The strength of this literature review is that although articles discuss various authentication
methods in online services, none have tried to analyze the benefits and disadvantages of
each type of authentication token. The purpose of this study is to fill this research gap.
The limitation of this study and the theoretical approach used is the vast number of articles
on the subject; due to the time constraints of this project, it would be impossible to
examine each one. Therefore, it is proposed that a future systematic review of
authentication tokens be conducted to gain a more comprehensive overview of the
benefits and strengths of using tokens.

15
 Hardware or Software Tokens - A comparative review

5. Research Methodology
This section covers the approach to gathering information through relevant articles and
other literature on bank cybersecurity, specifically verification. The methodology is
designed to be reproducible, providing detailed procedures, tools used, and justifications
for choices made during the research process.

5.1. Procedures / Search Strategy

The first step involved finding and deciding keywords. A preliminary search could be done
using an initial set of keywords (software development, authentication, token) using
Google Scholar. Articles related to authentication could be found in the search results.
Additional keywords could be collected by reading the keywords section of these articles.
These keywords were decided upon based on relevancy to the topic and the results found
when using them. These were the keywords found:

software development, software engineering, literature review, cybersecurity, online banks,

digital banks, preventive measures, countermeasures, risk management, Verification,
authentication, bankID, identity confirmation, safety, finance, transactions, payment
solutions, payment methods, E-payment, token, one-time password, trusted token
authentication service, tokenization, hash, JSON web token, hardware security token,
smart card

Cluster 1: Cluster 2: cluster 3: Cluster 4: Cluster 5: cluster 6:

Software cybersecurit online banks verification token

development y

Software safety digital finance authenticatio One-time

engineering n password
(OTP)

risk transactions Identity trusted token

management confirmation authenticatio
n service
(TTAS)

preventive Payment bankID tokenization

measures solutions

countermeas E-payment eIDAS hash

ures

16
 Hardware or Software Tokens - A comparative review

payment eID JSON web

methods token (JWT)

hardware
security
token (HST)

smart card

Table 4. Shows how keywords could be clustered/organized.

Then, after gathering the keywords, search strings using the words were formulated and
tried in different databases. The search strings made use of AND and OR operators to
narrow down and widen the searches;

● "software development" OR "software engineering"

● ("software development" OR "software engineering") AND "literature review"

● "cybersecurity" AND "online" AND ("bank" OR "banks") AND "preventive measures"

● "cybersecurity" AND ("online" OR "digital") AND ("bank" OR "banks") AND

"preventive measures"

● “Bank” AND “security” AND “digital”

● "cybersecurity" AND ("bank" OR "banks") AND ("verification" OR "authentication")

● “cybersecurity” AND (“verification” OR “authentication”) AND “token”

● “cybersecurity” AND ("bank" OR "banks") AND (“verification” OR “authentication”)

AND “token” AND (“one-time password” OR “trusted token authentication service”
OR “TTAS” OR “hash” OR “JSON web token” OR “hardware security token” OR
“smart card”)

These search strings cover many aspects of the cybersecurity of banks, in order to narrow
in further on the specific field of verification, the “verification” and “authentication”
keywords play an important role. They can be added to all search strings to narrow the
search further.
The inclusion criteria used to gather research papers for this study were:
● Articles written in English

17
 Hardware or Software Tokens - A comparative review

● Peer-reviewed articles/journals
● Articles discussing authentication methods used in digital banking/finance
applications
● Articles that focus on token-based authentication methods
To limit the search results further and find relevant research, the following exclusion criteria
were used:
● Articles published before 2019
● Duplicates
● Articles not available in full-text
● Articles about the subject of ‘authentication,’ that only discuss other methods of
authentication aside from the use of tokens

5.2. Tools/Sources/Databases
For databases, the following four were utilized:
1. Google Scholar
Google Scholar was chosen because it can aggregate many different sources, allowing for
very wide and encompassing searches. This means using Google Scholar could reduce
workload compared to browsing multiple databases separately.
2. IEEE Xplore
IEEE Xplore was chosen due to the relevant sources found when testing the search
strings. this meant the database could be useful for even more relevant sources
3. ResearchGate
ResearchGate is similar to IEEE Xplore; ResearchGate was chosen based on the number
of hits generated when testing the search strings, which made the database seem relevant
to the search
4. DiVA Portal
DiVA Portal did not offer as many results as other databases. Still, the papers returned
seemed very relevant to the search terms used and were therefore added to bolster the
selection of search methods.

18
 Hardware or Software Tokens - A comparative review

5.3. Organizing Literature

Using the chosen databases, sources were selected and added to Zotero to manage and
later cite the sources. Using Zotero, the sources can be viewed, cited, and managed
synchronously by team members. A shared library in Zotero can avoid duplicate papers
when conducting research in a group and helps organize the gathered articles when
stored in one place. With Zotero, citations for articles could be automatically generated,
which conforms to the IEEE citation style.

5.4. Limitations/Emerged Obstacles

Access Restrictions: Especially through IEEE Xplore, many articles were locked behind
paywalls or inaccessible institutional access.
Irrelevant results: Many sources on bank cybersecurity were encountered, but sources
on verification and validation were sometimes difficult to sift out. This was mitigated by
altering and narrowing the search using the search strings. Some databases allowed more
advanced searches targeting the body of the text, which could be used to ensure the
source contained specific information.

5.5. Summary of Procedures

The search methodology involved a literature search using multiple databases and a
collected batch of keywords used in various search strings across the selected databases.
The collected sources were then organized collaboratively in the Zotero software, where
they were managed and cited.

6. Results
After examining the gathered articles, could two general types of authentication tokens be
derived from the literature using a bottom-up strategy: software tokens and hardware
tokens. These two groups encapsulate several different types of tokens that are used for
authentication. Grouping these methods together in separate groups could highlight
shared strengths and weaknesses for later discussion. Each token category includes a list
of articles from Table 1, summarizing their findings and conclusions regarding the benefits
or drawbacks of a token type.

19
 Hardware or Software Tokens - A comparative review

Category Description No.

Software token A token is generated and sent to users via digital 9

applications.

Hardware token A physical device that either contains a unique key code or 8
generates a unique token internally.
Table 5. An overview of the two categories and the number of articles that discuss each topic.

6.1. Software token

No. Findings

A1 [10] Convenience. Using an authenticator application on a mobile phone is more

convenient than a physical hardware token.
Vulnerability. A phone can be vulnerable to malware that can access tokens
and get lost or stolen.

A3 [12] Interceptability. A one-time password can be vulnerable to man-in-the-middle

attacks.

A4 [13] Security. A software token like OTP lowers the risk of attackers gaining access
to an account, whereas static passwords, for example, are vulnerable to
brute-force methods.

A5 [14] Security. A software token like OTP lowers the risk of attackers getting access
to an account, as each generated password can only be used once.

A6 [15] convenience. A problem with static passwords is that strong passwords can
be hard to remember. Implementing an OTP removes the need to keep track
of strong passwords.

A7 [16] Interceptability. Sending tokens via SMS can be intercepted by SIM card
swapping.
Vulnerability. A phone can be vulnerable to malware that can access tokens
and get lost or stolen.

A9 [18] Interceptability. Sending tokens via SMS can be intercepted by SIM card
swapping.

A11 convenience. A problem with static passwords is that strong passwords can
[20] be hard to remember. Implementing an OTP removes the need to keep track
of strong passwords.

A12 predictability. If the system responsible for generating a token is not random
[21] enough, it can lead to a predictable pattern that may be vulnerable to

20
 Hardware or Software Tokens - A comparative review

No. Findings

A1 [10] Convenience. Using an authenticator application on a mobile phone is more

convenient than a physical hardware token.
Vulnerability. A phone can be vulnerable to malware that can access tokens
and get lost or stolen.

A3 [12] Interceptability. A one-time password can be vulnerable to man-in-the-middle

attacks.

A4 [13] Security. A software token like OTP lowers the risk of attackers gaining access
to an account, whereas static passwords, for example, are vulnerable to
brute-force methods.

A5 [14] Security. A software token like OTP lowers the risk of attackers getting access
to an account, as each generated password can only be used once.

A6 [15] convenience. A problem with static passwords is that strong passwords can
be hard to remember. Implementing an OTP removes the need to keep track
of strong passwords.

A7 [16] Interceptability. Sending tokens via SMS can be intercepted by SIM card
swapping.
Vulnerability. A phone can be vulnerable to malware that can access tokens
and get lost or stolen.

A9 [18] Interceptability. Sending tokens via SMS can be intercepted by SIM card
swapping.

A11 convenience. A problem with static passwords is that strong passwords can
[20] be hard to remember. Implementing an OTP removes the need to keep track
of strong passwords.

guessing-based attacks.
Table 6. The highlighted strengths and weaknesses of software tokens found in the articles.

Convenience: Majdalawieh et al. [20] bring up convenience for users when discussing
software tokens, specifically one-time-passwords. This is also reinforced in [15], that a key
strength of a software token is that users do not need to remember a strong password,
which is a security concern when discussing static passwords as a means for
authentication. Henriksson [10] argues that a user is more likely to carry a smartphone
than a hardware token device; therefore, they conclude that a software token sent to a
phone can be more convenient to use from a client perspective.

Security: Using software tokens such as OTPs protects against known threats such as
brute-force attacks or guessing attacks [13]. The authors motivate this by claiming that
since each token is unique and can only be used once, the chance of guessing the correct
password becomes more difficult in comparison to static passwords. Yong and Kasiran

21
 Hardware or Software Tokens - A comparative review

[14] also, OTPs are more secure than traditional passwords because they are limited to
one use and are often only valid for a specified time.

Vulnerability: As with any device connected to the internet, smartphones may be

susceptible to malware [10, 16]. Henriksson states that: “Software authentication tokens
are convenient as they are generally carried on hand since they are installed on the phone
but can be targeted by specific malware designed to steal codes generated by a software
authentication token like the Cerberus malware.” [10, p. 4]. In [16], it is mentioned that
vulnerabilities of software tokens could be malware and that a smartphone carries a risk of
getting stolen, which allows an attacker to gain access to authentication codes and
passwords.

Interceptability: When discussing interceptability in regard to software tokens, it refers to

the risk of an authorized middleman getting access to tokens sent to a user. Both [16, 18]
mention that attackers can try to get a duplicate SIM card from telecom providers, in which
case they could access the SMS codes of a user without requiring possession of their
device. Wodo and Stygar [12] describe a different vulnerability with software tokens, such
as mobile authenticator applications, that malicious websites may try and initiate a
transaction. At the same time, a bank prompts a user to authenticate themselves using a
mobile authenticator.

Predictability: To generate a token, different parameters are used; an example could be a

timestamp of when a token request from a user is received or a randomly generated value.
Naguleswaran [21] argues that for tokens to be secure, they must be random without
following a pattern of some kind. This is because faulty token generation may introduce a
risk of being susceptible to guessing attacks.

6.2. Hardware token

No. Findings

A1 [10] Inconvenience. A hardware token may be lost or stolen, which can be difficult
or costly to replace.

A2 [11] Tamperability. Hardware tokens usually include a physical tamper-resistant

microcontroller to protect confidential data from unauthorized access.

A3 [12] Inconvenience. Users must maintain and handle a separate device when
authenticating, which can be difficult or costly to replace.
Security. An authentication device is less likely to get intercepted than tokens
sent online, as it is not connected to Wi-Fi.

A5 [14] Security. A physical hardware token provides an additional layer of security, as

a physical device is needed to authenticate when verifying a user’s identity.

A7 [16] Security. An authentication device is less likely to get intercepted than tokens
sent online, as it is not connected to Wi-Fi.

A8 [17] Inconvenience. Users must maintain and handle a separate device when

22
 Hardware or Software Tokens - A comparative review

authenticating, which can be difficult or costly to replace.

A10 inconvenience. A hardware token may be lost or stolen, which can be difficult
[19] or costly to replace.

A11 Tamperability. Hardware tokens like smart cards and USB tokens include a
[20] tamper-resistant microcontroller to protect confidential data from unauthorized
access.
Inconvenience. Requires users to maintain and handle a separate device
when authenticating. This device can be difficult/costly to replace.
Table 7. The highlighted strengths and weaknesses of hardware tokens discussed in articles.

Tamperability: As mentioned by [11, 20], a key security measure of a token device is the
tamper-resistant components within the hardware. This component ensures that
confidential information is secured even if the device is stolen. Such confidential
information could be the code stored inside smart cards or the embedded system within a
hardware token. This aspect also protects against attackers attempting to create
duplicates; even if a factory employee, for example, has access to these hardware tokens,
duplicate versions cannot replicate the secure component [11].

Security: Unlike software tokens, a hardware token is less likely to get targeted by
malware and middleman attacks, as they do not connect to Wi-Fi, unlike smartphones [12,
16]. Vulnerabilities to authentication caused by users unintentionally clicking on links to
malicious websites or downloading a falsified copy of a mobile app are avoided when
using a hardware token. Yong and Kasiran [14] reinforce that since the authentication is
encapsulated in a tamper-resistant separate device, it provides additional protection
against remote attacks. For example, a user must have a hardware token to access a
bank account.

Inconvenience: Henriksson [10] mentions that a drawback with using hardware tokens for
authentication is that a user needs to keep track of this device, may need to be replaced
every few years, and can be costly and difficult to replace if damaged or lost. The risks
with hardware tokens are also brought up by Tsai and Su: “If the smart card is lost or
stolen, an unauthorized adversary A could impersonate the victim or launch a cyberattack
on the corresponding bank, for example by draining accounts, deleting credit card records,
and placing unauthorized purchases.“ [19, p. 18]. Hardware tokens being an
inconvenience was part of the findings in [17], where a survey was conducted in which
participants got to try different authentication methods; the motivation was that users were
worried about forgetting the device. Both [12, 20] address this aspect of needing a
hardware token in close possession, as well as the cost or need of replacing it in case the
battery runs out or if the unit is lost or stolen.

7. Discussion
The aim of this study was to investigate the different benefits and drawbacks to software
tokens and hardware tokens and attempt to conclude whether one implementation is more
secure than the other when used in digital banking systems. The significance of the

23
 Hardware or Software Tokens - A comparative review

findings in this report is to provide an overview of the strengths and weaknesses of

authentication tokens, as well as a recommendation for which to implement.

7.1. Goal Fulfillment

From the findings of this literature survey, the benefits and drawbacks of hardware and
software tokens can be found. In order to evaluate the goal fulfillment of this study, the
results associated with each category are analyzed in the subsequent discussions from
the viewpoint of both research questions guiding this review.

7.1.1. RQ1. “What are the strengths and weaknesses of current

software-and hardware-token-based methods for
authentication?”
Software tokens
Findings regarding RQ1 highlight several strengths and weaknesses associated with
software tokens. One of the main arguments favoring software tokens is the convenience
aspect. It refers to the fact that having tokens sent to a smartphone or email address can
be more convenient for users than using a separate hardware token or the need to
remember a strong password.
While this is an advantage from a useability standpoint, other results argue that having a
token sent to a phone may threaten the validity of the authentication method if the device
is stolen or hacked, for example. This interceptability aspect, or the risk of messages
unintentionally being seen by a third party, is a risk factor that stems from communication
channels used by a smartphone, internet, and SMS. Malware from malicious websites or
applications and attacks such as SIM-card swapping means an attacker could access a
user’s accounts, for example. While these issues with software tokens occur on the client
side, does not mean the server side has no flaws. Token authentication relies on the fact
that a token is difficult to guess and that each is unique. However, if the token generation
mechanism shows predictable patterns in how it creates tokens, it could impact the degree
of protection it provides.

Hardware tokens
Regarding the benefits of using hardware tokens, the resistance is one aspect highlighted
in academic articles. While a physical device can be stolen, the confidential data stored is
protected from tampering by components or software. As mentioned in the discussion of
software tokens, online connectivity can be a security flaw; hardware tokens can be
targeted by remote attacks. While it may be more convenient to access tokens via a
smartphone or email as it is more accessible for users, being required to be in close
possession of a hardware token to authenticate a user raises the hurdle of an attacker
being able to access an account.
Out of the eight articles collected on the topic of hardware tokens, five mention the
inconvenience of needing to use a separate device for authentication from a user
perspective. This also includes the need for users to maintain or replace the token and the
additional costs, timewise and monetary.
24
 Hardware or Software Tokens - A comparative review

7.1.2. RQ2. “Which of the two token types should online banks
implement to verify a client's identity?”
After reviewing 12 recent articles on the topic of authentication tokens, the results of RQ1
show that it is possible to argue for or against either type of authentication token.
Regarding security, however, the findings point toward using hardware tokens such as
USB tokens, hardware authenticator devices, or smart cards being less vulnerable to
remote attacks than software tokens.
On the other hand, if one were to factor in useability, implementing software tokens like
one-time passwords or an authenticator application offers better protection against brute
force attacks than static passwords.

7.1.3. Summary
Due to the limited number of sources examined in this literature review, the results may not
be able to provide a comprehensive overview of the strengths and weaknesses of different
token types, which also affects the possible conclusions of RQ2. The findings of this study
do offer a degree of satisfaction in answering the stated research questions, but they are
insufficient to draw concrete conclusions. To gain a deeper understanding of the subject
and account for future developments in software and hardware, the proposed solution of
this study is to have a more comprehensive systematic literature review.
The significance of this report is that it contributes to research on authentication methods
in online banking, improves the security of these services, and better protects users'
accounts from attackers. As the use of digital banks increases, research on this subject is
crucial to ensure that the protective measures for bank accounts are effective.

7.2. Analysis of Methodology

The approach for gathering relevant sources using an initial set of keywords and refining
them further using the keywords used by the sources gathered worked well and allowed
for the collection of accurate and relevant sources. Using binary operators throughout the
search allowed for more narrowed searches helping the search for more relevant
literature.

A possible improvement to the search process would be to leverage the academic access
granted through MIUN and MIUN library further. Normally, the paywalls encountered
through IEEE Xplore could have been bypassed by accessing the source through the
MIUN library, which directly links to the IEEE PDF. This would speed up article gathering
and initial analysis as it could remove the step of finding an available version of the locked
literature. Another improvement could be the further use of synonyms based on the
keywords that could have been used with the boolean operators to create even more
comprehensive search strings leading to a wider net being cast, which could have led to
more relevant literature being found.

As most of the collected articles discussed authentication tokens in the context of online
banking, viewpoints from studies analyzing tokens in other sectors may have been left out
of this research paper. However, this does not account for the different needs and the

25
 Hardware or Software Tokens - A comparative review

suitability of tokens in areas outside of digital banking, which may favor other types of
tokens.

8. Conclusions and Future Recommendations

Authentication in online banking is crucial for protecting users' accounts from attackers,
and as digital banking continues to rise, implementing effective identity verification
methods becomes increasingly important. Authentication tokens, which have been used in
this context for years and come in many forms, must be evaluated regarding the security
they provide as new methods are developed. Tokens generally come in two forms:
software tokens and hardware tokens. Software tokens offer the advantage of
convenience from a user perspective, accessible through email or smartphone
applications. In contrast, hardware tokens provide additional protection at the cost of
usability, requiring the user to have the token in close possession. This literature review
provides insight into the benefits and drawbacks of authentication tokens; however, a
limitation is the sparse number of articles analyzed, impacting the possible conclusions
drawn. For future studies, a more comprehensive systematic literature review is needed
further to explore authentication tokens and their impact on online banking as new
technologies develop.

26
 Hardware or Software Tokens - A comparative review

9. References
[1] “Payment habits of Swedish people,” Sveriges Riksbank,
https://www.riksbank.se/en-gb/statistics/statistics-on-payments-banknotes-and-coins/payment-patterns/

(accessed Sep. 13, 2024).

[2] “Payments statistics: First half of 2023,” European Central Bank,

https://www.ecb.europa.eu/press/stats/paysec/html/ecb.pis2023~b28d791ed8.en.html

(accessed Sep. 13, 2024).

[3] “Så fungerar en betalning,” Sveriges Riksbank,

https://www.riksbank.se/sv/betalningar--kontanter/sa-fungerar-en-betalning/

(accessed Sep. 13, 2024).

[4] B. Ul, R. F., A. Mehraj, A. Ahmad, and S. Assad, “A Compendious Study of Online Payment Systems: Past
Developments, Present Impact, and Future Considerations,” ijacsa, vol. 8, no. 5, 2017, doi:
10.14569/IJACSA.2017.080532.

[5] M. Masihuddin et al., “A Survey on E-Payment Systems: Elements, Adoption, Architecture, Challenges and
Security Concepts,” Indian Journal of Science and Technology, vol. 10, no. 20, pp. 1–19, Jun. 2017, doi:
10.17485/ijst/2017/v10i19/113930.

[6] A. Bani-Hani, M. Majdalweieh, and A. AlShamsi, “Online Authentication Methods Used in Banks and Attacks
Against These Methods,” Procedia Computer Science, vol. 151, pp. 1052–1059, Jan. 2019, doi:
10.1016/j.procs.2019.04.149.

[7] N. A. Karim, O. A. Khashan, H. Kanaker, W. K. Abdulraheem, M. Alshinwan, and A.-K. Al-Banna, ‘Online Banking
User Authentication Methods: A Systematic Literature Review’, IEEE Access, vol. 12, pp. 741–757, 2024, doi:
10.1109/ACCESS.2023.3346045.

[8] ‘Fraud is the fastest growing type of crime in Sweden’. Accessed: Sep. 17, 2024. [Online]. Available:
https://www.riksbank.se/en-gb/payments--cash/payments-in-sweden/payments-report--2024/safety-efficiency-and-a
ccessibility/are-payments-in-sweden-safe/fraud-is-the-fastest-growing-type-of-crime-in-sweden/

[9] “How does the token-based authentication work ?,” GeeksforGeeks,

https://www.geeksforgeeks.org/how-does-the-token-based-authentication-work/

(accessed Sep. 25, 2024).

[10] A. Henriksson, What are the motivations and barriers for incorporating multi-factor authentication among IT
students? 2022. Accessed: Sep. 27, 2024. [Online]. Available:
https://urn.kb.se/resolve?urn=urn:nbn:se:his:diva-21476

27
 Hardware or Software Tokens - A comparative review

[11] P. Urien, “Revisiting Multi-Factor Authentication Token Cybersecurity: A TLS Identity Module Use Case,” in 2024
International Conference on Computing, Networking and Communications (ICNC), Feb. 2024, pp. 33–38. doi:
10.1109/ICNC59896.2024.10556005.

[12] W. Wodo and D. Stygar, “PSD2 Compliant Hardware Token for Digital Banking,” in 2021 62nd International
Scientific Conference on Information Technology and Management Science of Riga Technical University (ITMS),
Oct. 2021, pp. 1–6. doi: 10.1109/ITMS52826.2021.9615340.

[13] S. P. Krishna, D. Tejasri, B. Soumya, M. Madhuri, and Lubna, “Bank Application: One-Time Password Generation,”
in 2022 International Conference on Applied Artificial Intelligence and Computing (ICAAIC), May 2022, pp.
855–859. doi: 10.1109/ICAAIC53929.2022.9792823.

[14] H. Z. Yong and M. K. B. Kasiran, “Ensuring Trust and Confidence: Safeguarding Online Banking Transactions with
Multi-layered Security in Malaysia,” vol. 5, no. 7, 2023.

[15] A. Bani-Hani, M. Majdalweieh, and A. AlShamsi, “Online Authentication Methods Used in Banks and Attacks
Against These Methods,” Procedia Computer Science, vol. 151, pp. 1052–1059, Jan. 2019, doi:
10.1016/j.procs.2019.04.149.

[16] W. Wodo, D. Stygar, and P. Błaśkiewicz, “Security Issues of Electronic and Mobile Banking:,” in Proceedings of the
18th International Conference on Security and Cryptography, Online Streaming: SCITEPRESS - Science and
Technology Publications, 2021, pp. 631–638. doi: 10.5220/0010466606310638.

[17] A. Kruzikova, L. Knapova, D. Smahel, L. Dedkova, and V. Matyas, ‘Usable and secure? User perception of four
authentication methods for mobile banking’, Computers & Security, vol. 115, p. 102603, Apr. 2022, doi:
10.1016/j.cose.2022.102603.

[18] H. Alotaibi, D. Aljeaid, and A. Alharbi, “Usability Testing of Memorable Word in Security Enhancing in
e-Government and e-Financial Systems,” International Journal of Advanced Computer Science and Applications,
vol. 14, no. 9, 2023, doi: 10.14569/IJACSA.2023.0140928.

[19] C.-H. Tsai and P.-C. Su, ‘The application of multi-server authentication scheme in internet banking transaction
environments’, Inf Syst E-Bus Manage, vol. 19, no. 1, pp. 77–105, Mar. 2021, doi: 10.1007/s10257-020-00481-5

[20] M. Majdalawieh, A. Bani-Hani, M. Hussain, and A. Alshamsi, “Assessing the Attacks Against the Online
Authentication Methods Using a Comparison Matrix: A Case of Online Banking,” in 2022 International Conference
on Computational Science and Computational Intelligence (CSCI), Dec. 2022, pp. 1039–1046. doi:
10.1109/CSCI58124.2022.00184.

[21] S. Naguleswaran, ‘Experimental Study on One-Time Password used in Authentication within Norwegian Banking’,
Master thesis, The University of Bergen, 2020. Accessed: Oct. 01, 2024. [Online]. Available:
https://bora.uib.no/bora-xmlui/handle/1956/23023

10. Time Plan

The time plan for this report is centered around the deadlines for each separate
assignment, as well as the course.
28
 Hardware or Software Tokens - A comparative review

Week Activity Deadlines

V.36 Find research topic

V.37 write background of the topic and methodology 15/9 - assignment 1

to conduct the research.

V.38 Find more articles on the subject, decide on

research questions

V.39 Finish writing introduction section 29/9 - assignment 2

V.40 Start writing on the literature review & proposed

solution sections

V.41 conduct peer review 11/10 - mid assignment

V.42 Finish work from V.40 & V.41, start working on 14/10 - peer review
results & discussion submission

V.43 continue on results & discussion, conclusions 27/10 - assignment 3

V.44 prepare for presentation, finish writing report 31/10 - opposition

submission,
3/11 - final report
submission
Table 8. Details how and when the report’s different sections will be worked on over the semester.

10.1. Risk Analysis

Possible risks that can affect the proposed time plan could be that due to the time
constraint of the assignment, a limited selection of articles could be analyzed. This could
impact the results of this study as the material may not be sufficient to draw conclusions
on the subject. Part of this risk can be managed by selecting articles relevant to the
subject, the findings from these can then be used as a basis for a more comprehensive
future study.

29