Talking Shop: Debating Soft Tokens for Online Banking Access

August 5, 2021

Editor’s note: NeuGroup’s online communities provide members a forum to pose questions and give answers. Talking Shop shares valuable insights from these exchanges, anonymously.


Member question: “Do you allow soft/mobile tokens for online banking access instead of physical tokens? If so, do you limit it to personnel with company-issued cell phones?

  • “Did your IT team have any concerns with allowing soft/mobile tokens?”

Peer answer 1: “We currently only issue physical tokens, but we are having the same internal discussion around changing our policy pending review with our IT team.”

Peer answer 2: “We recently have allowed mobile tokens for a few specific banks where only a limited number of treasury and support personnel have access. These individuals are all located within the US and we do require company phones to be used.

  • “We previously had a firm stance against mobile tokens, but our IT security teams have come around to the idea as of late.
  • “We ensure the terms and conditions of the account have strong language around security and similar areas, giving us comfort to proceed with these tokens.”

Peer answer 3: “Our company allows mobile tokens for Bank of America and Citibank. We partnered with our security team to review the security profile of the mobile tokens for each bank—they are not all created equally.

  • “With [one bank] we found their security was not as robust, so we only offered mobile tokens to read-only users. We have not encountered any issues so far.
  • “It’s much easier to manage than physical tokens. We do not limit mobile tokens to company-issued cell phones.”

Peer answer 4: “We have implemented mobile tokens (NOT mobile banking) with Citi and will be rolling out to other banks as well. We do not limit to company-issued cell phones.”

Peer answer 5: “We do allow soft/mobile tokens for banks that offer it. We reviewed it with our IT security team before doing so.

  • “They did have a bunch of questions, but after those were satisfactorily addressed, they allowed us to offer it to employees with and without company-issued cell phones.”

Peer answer 6: “Pre-pandemic, we were hesitant. There’s a slight increase in risk, if there is a delay in removal, that a person with a token on a personal phone takes it with them when they leave the company.

  • “We felt the risk was manageable and now allow mobile tokens.”

Author Justin Jones