Security experts say that soft tokens can be as safe as hardware tokens for generating one-time passwords (OTPs) for extra protection.
Most soft tokens are securely designed with anti-tampering capabilities and their functions are "compartmentalised", said Mr Clement Lee, security software maker Check Point Software Technologies' principal consulting security architect in the region. But users should not be complacent and should have mobile threat protection software installed on their phones, he added.
Soft tokens are more convenient, as they can be installed on smartphones without requiring another device. This makes them popular, especially with online service providers. Google's Authenticator software, which generates OTPs to better secure users' access to services, was rolled out some six years ago.
As new-generation smartphones come with fingerprint recognition, software tokens can embed the feature as a security measure.
But hardware tokens are still the safest mechanism as they are unconnected, standalone devices.
"A soft token running on a general-purpose computing platform connected to the Internet can never be as secure as a dedicated hardware device," said Mr Dick Bussiere, security specialist Tenable Network Security's Asia-Pacific technical director.
OTPs delivered via SMS are the least safe, he said. For instance, smartphones can be infected with spyware that intercepts OTPs and forwards them to computer servers run by hackers.
SMS OTPs are also vulnerable to interception while being sent.