Multifactor tokens are security tokens that use more than one category of credential to authenticate a user.
For two-factor authentication (2FA), a combination of knowledge and possession factors is common. For example, an end user might enter a user name and password to access an account and then input a one-time password sent to his phone in response to the login. In three-factor authentication (3FA), all three standard categories of factors are usually involved. The case has also been made for including location (and/or time) for four-factor or even five-factor authentication (4FA or 5FA). Additional multifactor authentication factors make it increasingly unlikely that an attacker can fake or steal all elements involved, which makes for a more secure login.
A common example of a multifactor token is the use of a smartphone software token app that enables the phone to serve as the hardware token; this example yields a two-factor token. Typically, PINs from tokens are combined with a user's password, making for three factors of authentication: the device itself belongs to the possession factor, the smartphone GPS registers location and the password provides the knowledge factor.
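As an added example (not part of the original page), the sketch below shows a server-side check that combines a knowledge factor (password) with a possession factor (the code shown by a soft token app). It assumes the app produces RFC 6238 TOTP codes, which the page does not specify; the record layout, function names and sample secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code a soft token app would display."""
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so the stored knowledge factor is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def match_step(secret: bytes, code: str, now: float, drift: int = 1):
    """Return the time step whose TOTP equals code, allowing +/- drift steps."""
    current = int(now) // STEP
    for step in range(current - drift, current + drift + 1):
        expected = totp(secret, step * STEP)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return step
    return None

def login(record: dict, password: str, code: str, now: float) -> bool:
    """Succeed only if BOTH factor categories verify."""
    # Evaluate both factors before deciding, so a failure does not
    # reveal which of the two was wrong.
    knows = hmac.compare_digest(
        hash_password(password, record["salt"]), record["pw_hash"])
    step = match_step(record["totp_secret"], code, now)
    has = step is not None and step > record["last_step"]
    if knows and has:
        record["last_step"] = step  # a one-time code cannot be replayed
        return True
    return False

# Constructed sample account; the secret is the RFC 6238 test key.
SALT = b"constructed-salt"
RECORD = {
    "salt": SALT,
    "pw_hash": hash_password("correct horse", SALT),
    "totp_secret": b"12345678901234567890",
    "last_step": -1,
}
```

A password plus a second memorized PIN would pass two checks but still be a single factor category; the second check here depends on a secret held only on the device.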
The multifactor soft token app eases the burden on users by combining factors into a package the user was probably going to be carrying anyway, and it eases the burden on administrators by limiting the number of devices that must be managed.