Get the inside scoop with LoginTC and learn about relevant security news and insights.

Top 5 reasons hard tokens are hard to manage

March 16, 2015Ilana Belfer

Hard tokens (also known as hardware tokens, security tokens, authentication tokens) are a common method of deploying two-factor authentication (2FA), popularized by RSA in the late 80s / early 90s. Typically carried on a key ring as a key fob, hard tokens generally display a random number that changes periodically at fixed intervals, known as a one-time password (OTP). The user enters this number as a second-factor credential for access to online accounts. Hard tokens can also take the form of smart cards and USB dongles.


Although Gartner reports that hardware tokens currently have the largest installed base of any 2FA method covering 70% of the market, it also says mobile and cloud alternatives have been “disruptive” to the status quo, and calls legacy authentication methods increasingly “deprecated” (Magic Quadrant Report, December 2013). Gartner predicts that:

“By 2017, more than 50% of enterprises will choose cloud-based services as the delivery option for new or refreshed user authentication implementations — up from less than 10% today.” (Magic Quadrant Report, March 2013)

In other words, hard tokens may be a popular and traditional mechanism for deploying 2FA, but that doesn’t make them the best mechanism. In fact, they’re far from it.

Here are the top 5 reasons hard tokens are hard to manage:

  1. They’re not scalable. To secure access to important digital assets (e.g. VPN), large enterprises, such as a banks or government departments and agencies need to deploy 2FA to hundreds of thousands of employees and/or customers. With hard tokens, that means buying, supplying and managing a physical token for each individual. Good luck.
  2. They’re easy to lose. Not only are hard tokens uncomfortable in your pocket and bulky on your key chain, they are also easy to forget at home, misplace, drop down an elevator shaft, drop into a puddle… you get the picture. The point is hard tokens are foreign objects that have been introduced into users’ lives for the sole purpose of seemingly far-off virtual threats, which makes user adoption a constant challenge.

  1. They’re expensive. The prevalence of lost tokens has forced most administrators to keep extra token inventory in stock to serve as replacement tokens. However, this problem goes beyond being an administrative headache because hard tokens are extremely pricey. A 10-pack of RSA tokens on goes for over $3,000 which equates to $300 a pop. Then there’s the software license and eventual expiry to consider, at which point you would need to renew. Now apply this to the hundreds of thousands of users we discussed earlier. Yikes.

  1. They’re not cloud based. Hardware-based access management appliances like most hardware are subject to breaking down, especially over time. That means smart companies must keep TWO hardware appliances on site in case one breaks down. What happens if both break? No one has access to any corporate resources, valuable time gets wasted and a special, immediate (and potentially inconvenient) trip to the office is required. Many companies are switching to cloud-based IT services across the board. Why should two-factor authentication for access to those services be any different?
  2. They’re limiting. There is only so much you can do with a hard token, as there’s not room for much else besides an OTP-type code to appear on its screen. This means that as multifactor technology progresses toward widespread incorporation of biometrics (like fingerprint and iris scanning), wearables and contextual information (such as geolocation) hard tokens will fall short.


Just because something’s been done a certain way for a long time, does not make it the best way. Switching from hard tokens to LoginTC would eliminate all five of the administrator pain points outlined above:

#1. It requires no additional hardware and instead leverages your existing IT infrastructure in cooperation with something users already have and already know how to use (not to mention, something they check over 100 times a day!): a mobile device (smartphone, tablet) or desktop via Google Chrome. #2. People are only as likely to lose LoginTC as they are their desktop or phone i.e. not very. #3. No overhead expenses, no expiry. LoginTC costs $3 or less per user / month (plus volume savings). #4: LoginTC delivers contextual information to end users and has the potential to develop alongside 2-factor technology.

Implementing a new security system may seem like more trouble than it’s worth. But LoginTC makes the transition quick and easy. Our free trial program for up to 10 users will help you conduct a Proof of Concept to test out exactly how LoginTC will work in the specific context of your company before purchasing it. Plus, we’re renowned for our detailed, custom documentation and exceptional customer supportGet Started now!

Start your free trial today. No credit card required.

Sign up and Go