A hardware token is a physical device used as part of authentication, often to provide stronger proof of identity than a password alone.
A hardware token is a physical device used to help prove identity during login or another protected action. In plain language, it is a separate piece of trusted hardware that the user possesses, such as a security key or token-generating device, which adds stronger proof than a password by itself.
Hardware tokens matter because they can provide stronger resistance to phishing, credential theft, and remote account takeover than software-only methods. When identity proof is tied to a physical device, attackers usually have a harder time replaying stolen secrets from anywhere on the internet.
They also matter in higher-assurance environments. Organizations often reserve the strongest authentication methods for administrators, developers with production access, or staff who can reach especially sensitive systems.
Hardware tokens appear in Multi-Factor Authentication, passwordless login, VPN access, privileged admin workflows, and identity-provider sign-in. They may be required for system administration, step-up authentication, or secure enrollment into trusted-device programs.
Security teams also use hardware tokens as a risk-reduction measure after phishing incidents or when older authentication methods prove too easy to bypass.
A cloud operations team must use hardware security keys for administrator login. Even if an attacker steals an admin password, that attacker still cannot complete the login from a remote location without the enrolled physical key and the related user interaction.
A hardware token is not automatically the same as a passwordless design. Some deployments use hardware tokens as a second factor in addition to a password, while others use them as part of a passwordless flow.
It is also different from SSO itself. Single Sign-On organizes how login is reused across applications. A hardware token is one method that can strengthen the authentication event behind that SSO session.