Use your phone to secure online banking and say goodbye to annoying hard tokens

Treasury Management
May 2015
The following article was originally published in Capital One Bank’s Capital Perspectives

Steve Blessing
Senior Vice President and Head of Treasury Management Client Services


Janice Gill
Senior Vice President and Head of Treasury Management Online Channels

Protecting their organizations against rising levels of online banking fraud is top of mind for today’s treasury managers. A key aspect of any payments fraud-fighting plan is user authentication — requiring authorized staff members to prove who they are before they can access an online treasury management platform to initiate and/or approve payments or make changes to user permissions. Traditionally, authentication has required treasury professionals to carry around a hard token or — if they bank online with multiple institutions — a key chain full of these small devices.

It can be a nuisance.

For this reason, we expect to see a growing number of banks offer a different means of authentication that provides the same level of protection against unauthorized logins but is far more convenient: a soft token on a mobile device.

When the holder of a hard token enters a PIN, the token generates a one-time passcode number that’s required — along with other credentials, such as a user ID and password — to access an online banking application. Hard tokens provide another layer of security because they are separate from the user’s computer. If the user’s PC is ever compromised, say through malware or phishing, and the fraudster steals those other credentials, access to the company’s online banking platform would be protected since the token passcode number is also needed to initiate a payment.

Hard tokens provide effective protection but often are a source of user frustration. When you must carry around a number of physical tokens in order to have remote transaction capability, not only is it cumbersome, but you have to remember which token supports which bank application. What’s more, you can accidentally leave hard tokens at home or lose them, and sometimes they break or their batteries die.

Whenever any of these circumstances occur, and you need to make a critical payment, you have to regain access to your online banking platform. This could mean going home to retrieve your token or ordering a new one, which can take several days. The end result is a delay in initiating a payment.

With the new soft token approach to authentication, the one thing other than your wallet or purse that you almost never leave home without — your mobile phone — essentially becomes your hard token. To use this form of authentication, entitled online banking users download a soft token app onto their mobile phones. The app performs the same function as a hard token. Users open the app and it generates a token number that correlates to their account. In combination with their user ID and password, the number authenticates them and gives them access to initiate payments.

What makes a soft token on a mobile device convenient is that users don’t have to carry anything extra. They already carry a phone. This approach just gives that phone more functionality. But what if all of your treasury employees don’t have corporate phones? Or they don’t want to carry their work mobile device at all times? Not a problem. A soft token can be downloaded onto a personal phone, creating no additional cost to the employee, nor any additional fraud risk for the employer (since the token number by itself doesn’t provide access to proprietary data or bank accounts).

Using a soft token on a mobile device offers a win-win for treasury managers and their banks. This new approach makes it more convenient for treasury personnel to secure their online banking platform, as they increasingly look to perform banking functions remotely. They no longer must endure the hassle of carrying, keeping track of, and maintaining one or more hard token devices. They just have to regularly carry a phone, which almost everyone does anyway. At the same time, banks will benefit greatly as more of their clients begin carrying soft tokens on their phones. Banks will be able to reduce expenses related to purchasing and distributing hard tokens, and controlling and regularly auditing those devices.

Capital Perspectives publication is for informational purposes only, does not constitute the rendering of legal, accounting or other professional services by Capital One, N.A., or any of its subsidiaries or affiliates, and is given without any warranty whatsoever.

Products and services offered by the Capital One family of companies, including Capital One, N.A., Member FDIC.

©2017 Capital One. Capital One is a federally registered service mark. All rights reserved.