Wultra’s Guide to Code-Based vs. Codeless Mobile Tokens

August 5, 2024
[Image: a mobile phone, laptop, text messages and biometrics, illustrating the elements of code-based and codeless tokens]

Mobile tokens, also called mobile authenticators, software tokens, or soft tokens, are mobile apps for iOS and Android that provide the second factor in two-factor authentication (2FA) for online applications, both on the web and in other mobile apps.

In this quick overview, we describe the two main approaches to mobile tokens that we see on the market and compare their pros and cons.

Code-Based Mobile Tokens

Code-based mobile tokens generate one-time passwords (OTPs) that the user authenticates with by retyping the code into the application. The codes are typically 6-8 digits long; with the usual time-based variant, each code is valid for a 30-second time step (plus whatever tolerance window the server allows), while the counter-based variant changes the code on every use rather than over time.

The most well-known example of a code-based mobile token is Google Authenticator, but many alternative apps exist. Most of them focus only on generating codes and offer no additional security features, although some variants do add:

  • Access protection via PIN code or local device biometrics (such as Face ID and Touch ID)
  • A QR code scanner or manual data entry that links the OTP to the current transaction

Under the hood, these tokens use the standard HMAC-based OTP (HOTP, RFC 4226) or time-based OTP (TOTP, RFC 6238) algorithms, sometimes with minor vendor variations. The algorithms are simple and widely implemented, which leads to the following pros and cons.

Pros of Code-Based Mobile Tokens

  • Standardized implementation
  • Universal usage: Code-based mobile tokens can be used anywhere an OTP can be entered
  • A familiar approach for the end user
  • One app for multiple accounts, which leads to easier adoption

Cons of Code-Based Mobile Tokens

  • Manual retyping of codes is inconvenient
  • Not resistant to phishing or social engineering: a phished code can be relayed to the real service within its validity window
  • OTPs can be read off the screen by Android malware or remote desktop tools and used elsewhere while still valid
  • OTPs aren't usually linked to a specific operation, so a code obtained for one purpose can authorize another
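To make the mechanism concrete, here is an added example, not code from the original article or from Wultra's products, implementing the standard HOTP (RFC 4226) and TOTP (RFC 6238) algorithms in Go and checking them against the test vectors published in those RFCs. The shared secret is the RFC test-vector key, and the verification window of one step on either side is an assumption about a typical server configuration. The verification function also makes the last con above visible: nothing in the check refers to the operation being authorized.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// HOTP implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation to a 31-bit integer, then reduction modulo 10^digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	sum := mac.Sum(nil)

	// Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	modulus := uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code%modulus)
}

// TOTP implements RFC 6238: the HOTP counter is the number of whole time steps
// (30 s by convention) elapsed since the Unix epoch, so the code changes every step.
func TOTP(secret []byte, unixTime, stepSeconds int64, digits int) string {
	return HOTP(secret, uint64(unixTime/stepSeconds), digits)
}

// VerifyTOTP is the server side. It accepts the code for the current step and
// for `window` steps on either side (assumed configuration), which absorbs clock
// skew and the seconds a user spends retyping the code. Note what is NOT checked:
// nothing ties the code to a particular login or payment, so whoever obtains a
// fresh code (by phishing or by reading the screen) can submit it for any operation.
func VerifyTOTP(secret []byte, code string, unixTime, stepSeconds int64, digits int, window int64) bool {
	step := unixTime / stepSeconds
	ok := false
	for delta := -window; delta <= window; delta++ {
		if step+delta < 0 {
			continue
		}
		candidate := HOTP(secret, uint64(step+delta), digits)
		// Constant-time compare; keep looping so timing does not reveal which step matched.
		if subtle.ConstantTimeCompare([]byte(candidate), []byte(code)) == 1 {
			ok = true
		}
	}
	return ok
}

func main() {
	// Shared secret from the RFC 4226/6238 test vectors (ASCII "12345678901234567890").
	// A real enrollment would generate a random secret and deliver it via QR code.
	secret := []byte("12345678901234567890")

	fmt.Println("HOTP counter 0 :", HOTP(secret, 0, 6))      // RFC 4226 vector: 755224
	fmt.Println("TOTP at t=59   :", TOTP(secret, 59, 30, 8)) // RFC 6238 vector: 94287082
	fmt.Println("TOTP now       :", TOTP(secret, time.Now().Unix(), 30, 6))

	code := TOTP(secret, 59, 30, 8)
	fmt.Println("accepted 30 s later:", VerifyTOTP(secret, code, 89, 30, 8, 1))  // true
	fmt.Println("accepted 61 s later:", VerifyTOTP(secret, code, 120, 30, 8, 1)) // false
}
```

The 6-digit HOTP for counter 1 (287082) is the tail of the 8-digit TOTP for t=59 (94287082), which shows that TOTP is just HOTP with a clock-derived counter; the only defence against reuse is the short validity window, not any binding to what is being approved.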

Codeless Mobile Tokens

In contrast to the code-based approach, codeless mobile tokens rely on strong cryptography under the hood (typically a key pair bound to the device, with which the app signs the details of each operation) and on a data connection to fetch pending operations and return the approvals.

From the user's perspective, there are no codes to retype and no data to enter. A user can initiate payment approval by scanning a QR code or by tapping a push notification. The token app displays the operation details on the screen, and the user approves or rejects the operation after confirming with the device's local biometrics (such as Face ID or Touch ID) or a PIN code.

Because codeless mobile tokens are usually built for a specific service, they tend to ship with extended security features, such as:

  • In-app protection that meets the OWASP MASVS resilience requirements (MASVS-RESILIENCE)
  • Detection of and resistance to mobile malware and remote desktop attacks
  • Additional measures that complicate various phishing scenarios

Codeless mobile tokens often rely on proprietary protocols, although there is a growing trend towards standardization through protocols such as OpenID Connect CIBA (Client-Initiated Backchannel Authentication), FIDO2/WebAuthn, and Verifiable Credentials/Verifiable Presentations (decentralized identity).

Pros of Codeless Mobile Tokens

  • Better user experience and faster approvals
  • Supports dynamic linking and WYSIWYS (What You See Is What You Sign): the approval is cryptographically bound to the operation details shown to the user, as PSD2 requires for payments
  • Often includes phishing and social engineering protection features
  • Resistant to malware, remote access tools, and other tampering
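The following is an added example, not code from the original article or from Wultra's products, sketching the approval flow described above and the dynamic linking listed among the pros: the device signs exactly the operation details it displayed, and the server verifies that signature against its own record of the operation. Assumptions: an in-memory P-256 key pair stands in for the keystore-bound device key, a newline-joined string stands in for whatever canonical encoding a real protocol defines, and the payment operation is constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Operation is the server's record of what needs approval, and also exactly
// what the token app renders on screen (What You See Is What You Sign).
type Operation struct {
	ID        string // unique per approval request; prevents replaying an approval
	Type      string
	Amount    string
	Currency  string
	Recipient string
}

// canonical serializes an operation deterministically. Server and device must
// produce identical bytes, otherwise the signature does not verify; this is
// what binds the approval to these exact details (dynamic linking). The
// newline-joined form is an assumption made for this example.
func canonical(op Operation) []byte {
	return []byte(strings.Join([]string{op.ID, op.Type, op.Amount, op.Currency, op.Recipient}, "\n"))
}

// Device models the token app. In a real product the private key is generated
// in the platform keystore (Android Keystore / iOS Secure Enclave) and its use
// is gated by PIN or biometrics; here it is an in-memory P-256 key (assumption).
type Device struct{ key *ecdsa.PrivateKey }

// Enroll generates the device key pair and returns the public key the server
// stores against the user's account.
func Enroll() (*Device, *ecdsa.PublicKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{key: key}, &key.PublicKey, nil
}

// Approve runs after the user has seen `shown` on screen and confirmed it: the
// device signs the displayed details, not an opaque code.
func (d *Device) Approve(shown Operation) ([]byte, error) {
	digest := sha256.Sum256(canonical(shown))
	return ecdsa.SignASN1(rand.Reader, d.key, digest[:])
}

// VerifyApproval checks the signature against the server's own record of the
// operation. The device never sends the details back; if the record differs
// from what was displayed and signed, verification fails.
func VerifyApproval(pub *ecdsa.PublicKey, record Operation, sig []byte) bool {
	digest := sha256.Sum256(canonical(record))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo walks through a genuine approval, a tampered operation and a replay,
// and reports the three verification results.
func Demo() (genuine, tampered, replay bool, err error) {
	dev, pub, err := Enroll()
	if err != nil {
		return false, false, false, err
	}

	// Constructed sample operation (not real account data).
	payment := Operation{ID: "op-7f3a", Type: "payment", Amount: "120.00", Currency: "EUR", Recipient: "CZ6508000000192000145399"}

	sig, err := dev.Approve(payment)
	if err != nil {
		return false, false, false, err
	}
	genuine = VerifyApproval(pub, payment, sig)

	// Malware or a man-in-the-middle changed the amount after the user approved:
	// the server's record no longer matches the signed bytes.
	altered := payment
	altered.Amount = "12000.00"
	tampered = VerifyApproval(pub, altered, sig)

	// The same signature presented for a different operation (new ID) is useless,
	// unlike an OTP, which is valid for any operation during its time step.
	second := payment
	second.ID = "op-9c21"
	replay = VerifyApproval(pub, second, sig)
	return genuine, tampered, replay, nil
}

func main() {
	genuine, tampered, replay, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine approval verifies:", genuine)  // true
	fmt.Println("tampered amount verifies: ", tampered) // false
	fmt.Println("replayed for other op:    ", replay)   // false
}
```

The two failing cases are the whole point of the codeless design: a stolen or relayed approval is worthless for any operation other than the one the user actually saw, which is something no OTP, however short-lived, can offer. The remaining weakness is the one the cons list names next: a user who is talked into approving a correctly displayed operation will still approve it.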

Cons of Codeless Mobile Tokens

  • Still susceptible to social engineering: a user who is talked into approving an operation will approve it, even though its details are displayed correctly
  • Fewer standardized implementation options
  • Requires online access (the app must reach the server to fetch and approve operations)
  • Typically one app per service rather than one app for all accounts

Summary

Both approaches to mobile tokens — code-based and codeless — have merit and are suitable for particular applications.

A code-based approach may be the faster way of adding 2FA for applications with lower security requirements. Moreover, users can use a single familiar app, such as Google Authenticator, for multiple services. 

However, codeless mobile tokens that are tailor-made for a specific service are typically better for security-sensitive and regulated applications, like banking or government apps. In addition to improved security, they also provide a more positive user experience. And while these tokens usually can’t be used to store multiple accounts, solutions like identity federation allow them to be used across multiple applications through a single provider.
