A software token is a type of two-factor authentication security device that may be used to authorize the use of computer services. Software tokens are stored on a general-purpose electronic device such as a desktop computer, laptop, PDA, or mobile phone. This is in contrast to hardware tokens, where the credentials are stored on a dedicated hardware device.
Because software tokens are something one is not physically in possession of, they are exposed to unique threats such as computer viruses and software attacks. However, both hardware and software tokens are vulnerable to bot-based man-in-the-middle attacks, or simple phishing attacks in which the OTP provided by the token is solicited, and then supplied to the genuine website in a timely manner. Software tokens do have unarguable benefits: there is no physical token to carry, they do not contain batteries that will run out, and they are cheaper than hardware tokens. 
Security architecture Edit
For a shared secret, an administrator will typically generate a configuration file for each end-user. The file will contain a username, a personal identification number, and the secret. This configuration file is given to the user.
The shared secret architecture is potentially vulnerable in a number of areas. The configuration file can be compromised if it is stolen and the token is copied. With time-based software tokens, it is possible to borrow an individual's PDA or laptop, set the clock forward, and generate codes that will be valid in the future. Any software token that uses shared secrets and stores the PIN alongside the shared secret in a software client can be stolen and subjected to offline attacks. Shared secret tokens can be difficult to distribute, since each token is essentially a different piece of software. Each user must receive a copy of the secret, which can create time constraints.
Some newer software tokens rely on public-key cryptography, or asymmetric cryptography. This architecture eliminates many of the traditional weaknesses of software tokens. A PIN can be stored on a remote authentication server instead of with the token client, making a stolen software token no good unless the PIN is known as well. If there are attempts made to guess the PIN, it can be detected and logged on the authentication server, which can disable the token. Using asymmetric cryptography also simplifies implementation, since the token client can generate its own key pair and exchange public keys with the server.