Security experts say hardware tokens are still the safest mechanism for generating one-time passwords (OTPs) for added security.
This is because they are unconnected, standalone devices, said Mr Vicky Ray, a threat intelligence analyst at network security firm Palo Alto Networks.
The OTPs generated by hardware tokens are not compromised even when computers and smartphones are infected by malware.
But software tokens are more convenient as they can be installed in users' smartphones, without requiring users to carry another device.
This makes them popular, especially with online service providers. For instance, Google's Authenticator software that generates OTPs to better secure users' access to its online services was rolled out some six years ago.
Software tokens' vulnerability depends on how they are designed, said a spokesman for anti-virus software firm Kaspersky Lab.
Some software tokens are designed with security to thwart hacking.
As new-generation smartphones come with fingerprint recognition, software tokens can embed the feature as a security measure, said Mr David Maciejak, head of security software firm Fortinet's FortiGuard Lion research and development team in Asia-Pacific.
But there is no silver bullet. "A software token can work effectively, and will, until the bad guys decide that the cost of attacking it is worth the effort," said Mr Nick FitzGerald, who is security software maker ESET Asia-Pacific's senior research fellow.
File clarification: We have changed the spelling of Mr FitzGerald's name to reflect the fact that it is spelt with an upper case "G" instead of a lower case "g".