SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.

Hard or Soft token to external Third Party Vendors?

I have a question about your policy when sending tokens to Third Party Vendors? Do you send a hardware token to them or a software token? What is safer?


I am on the verge of needing more hardware tokens but have a number of available software tokens, should I send them or purchase more hardware tokens to send to external vendors?


Is the a correct answer to this?



Labels (1)
3 Replies
Employee (Retired) Employee (Retired)
Employee (Retired)

Ryan McVey‌,


I've moved your question to the RSA SecurID Suite‌ space so it can be seen by others who use Authentication Manager and the SecurID tokens.


Whether you provision hardware or software tokens to your outside contractors is a decision that needs to be made based on your company's security policies.  That being said, I'd be curious what members of this community have to say.  There are arguments for opting for hardware tokens v software tokens and vice versa. 


For example, some people think hardware tokens are more secure, but our technical people say both options are  equally secure.  If you provide a software token to a contractor, when they no longer need to authenticate to your resources, you simply revoke it and then when needed, distribute that same token serial number  (with a new set of random numbers) to a new contractor.  Take a look at  Video Link : 27003   Easy peasy . . . and there is no need to worry about whether the hardware token mailed back to you.


OK RSA admins who are reading this, give us your feedback in the hardware versus software token debate!




Trusted Contributor Trusted Contributor
Trusted Contributor

You could also look into "OnDemand" tokens from Authentication Manager. The user enters their logon ID and a PIN. This causes the server to send a SecurID tokencode to the user via SMS. You would need to establish a relation with an SMS provider. AM has a generic HTTP plug-in architecture for SMS-provider integration.


OnDemand tokens can be used with any qualified partner agent as "Next Tokencode Required" is leveraged to prompt the end-user for the SMS code they received on the mobile device.


One security benefit I see with using soft tokens is the ability to lock down the token to be used on one device using the binding id for that device. 


Also, if you have the Identity Router configured in your environment I could also see a possible use case for using push code authentication.