Overview

A soft token is a token that is normally a cryptographic key, typically stored on disk or on some other media.
Soft tokens may also be called software-secured keys.
Authentication is accomplished by proving possession and control of the key.
The soft token key shall be encrypted under a key derived from some activation data.
Typically, this activation data will be a password known only to the user, so a password is required to activate the token.
For NIST Electronic Authentication Guideline soft tokens, the cryptographic module shall be validated at FIPS 140-2 Level 1 or higher, and may be either a hardware device or a software module. Each authentication shall require entry of the password or other activation data and the unencrypted copy of the authentication key shall be erased after each authentication.
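The following is an added example, not code from the NIST guideline or from any product. It shows the soft token life cycle the preceding lines describe: the token key is encrypted under a key derived from the user's password (the activation data), every authentication requires the password again, and the decrypted copy of the key is wiped once the authenticator output has been produced. PBKDF2-HMAC-SHA256 and HMAC-SHA256 are Approved algorithms; the HMAC-in-counter-mode keystream used here is an assumption chosen only to keep the example dependency-free, and the iteration count is a demo parameter. A real soft token would use a FIPS 140-2 validated module (for example AES-GCM from such a module) for the encryption.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Demo parameter (assumption): production deployments choose the work factor
# from current password-hashing guidance rather than from this constant.
PBKDF2_ITERATIONS = 200_000


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand enc_key into `length` keystream bytes with HMAC-SHA256 in counter mode.
    Constructed for this example only; a validated AES mode belongs here in practice."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _derive_keys(activation_data: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the activation data (password) into an encryption key and a MAC key."""
    material = hashlib.pbkdf2_hmac(
        "sha256", activation_data.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def protect_token(secret_key: bytes, activation_data: str) -> Dict[str, bytes]:
    """Encrypt the soft token key under a key derived from the activation data.
    Encrypt-then-MAC: the tag covers salt, nonce and ciphertext, so a wrong
    password or a modified token file is rejected before any key is used."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = _derive_keys(activation_data, salt)
    ks = _keystream(enc_key, nonce, len(secret_key))
    ciphertext = bytes(a ^ b for a, b in zip(secret_key, ks))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def expected_response(secret_key: bytes, challenge: bytes) -> bytes:
    """What the verifier computes: an Approved MAC over its challenge."""
    return hmac.new(secret_key, challenge, hashlib.sha256).digest()


def authenticate(token: Dict[str, bytes], activation_data: str, challenge: bytes) -> Optional[bytes]:
    """One authentication: re-enter the activation data, decrypt the key, MAC the
    verifier's challenge, and erase the unencrypted key before returning."""
    enc_key, mac_key = _derive_keys(activation_data, token["salt"])
    expected_tag = hmac.new(
        mac_key, token["salt"] + token["nonce"] + token["ciphertext"], hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_tag, token["tag"]):
        return None  # wrong activation data or tampered token: key never decrypted
    ks = _keystream(enc_key, token["nonce"], len(token["ciphertext"]))
    plain = bytearray(a ^ b for a, b in zip(token["ciphertext"], ks))
    try:
        return hmac.new(plain, challenge, hashlib.sha256).digest()
    finally:
        # Zeroise the decrypted copy. Python cannot guarantee no other copies
        # exist (the HMAC object keeps internal state), so a real soft token
        # relies on the validated module's zeroisation, not on this loop alone.
        for i in range(len(plain)):
            plain[i] = 0


if __name__ == "__main__":
    # Constructed sample: a 32-byte token key and a challenge from the verifier.
    key = bytes(range(32))
    stored = protect_token(key, "correct horse battery staple")
    challenge = os.urandom(32)
    response = authenticate(stored, "correct horse battery staple", challenge)
    print("verifier accepts:", response == expected_response(key, challenge))
    print("wrong password rejected:", authenticate(stored, "wrong", challenge) is None)
```

The stored record (`salt`, `nonce`, `ciphertext`, `tag`) is what sits on disk; nothing in it is usable without the activation data, and an attacker who copies the file is reduced to an offline guess against the password stretching, which is why the iteration count matters.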
Some “mobility solutions” also allow keys to be stored on servers and downloaded to subscriber systems as needed. Other mobility solutions employ key components generated from passwords, with further key components stored on servers for use in split signing schemes. Such solutions may provide satisfactory soft tokens, provided that a subscriber password or other activation data is required to download and activate the key, that the protocol for downloading the keys blocks eavesdroppers and man-in-the-middle attacks, and that the authentication process produces Approved digital signatures or message authentication codes. These mobility solutions usually present what appear to relying parties to be ordinary PKI digital signatures, and may be acceptable under this recommendation provided they meet the PKI cross certification requirements. This cross certification will require a detailed analysis of the implementation of the specific mobility scheme.