Both hardware tokens and software tokens provide the "something you have" authentication factor. Common hardware tokens are smartcards, USB sticks or one-time-use password generators. Software tokens are generally apps that generate a temporary password. Software tokens are considered a cheaper alternative to hardware tokens, as issuing a hardware token to a large number of users has a high cost. Arguably hardware tokens are more secure, but they are less practical and more costly.
A software token (a.k.a. soft token) is a form of two-factor authentication security device that may be used to authorize the use of computer services. Software tokens are stored on a general-purpose electronic device such as a desktop computer, laptop, PDA, or mobile phone and can be duplicated. (Contrast hardware tokens, where the credentials are stored on a dedicated hardware device and therefore cannot be duplicated, absent physical invasion of the device.)
Because software tokens are something one does not physically possess, they are exposed to unique threats based on duplication of the underlying cryptographic material, for example, computer viruses and software attacks. Both hardware and software tokens are vulnerable to bot-based man-in-the-middle attacks, or to simple phishing attacks in which the one-time password provided by the token is solicited, and then supplied to the genuine website in a timely manner. Software tokens do have benefits: there is no physical token to carry, they do not contain batteries that will run out, and they are cheaper than hardware tokens.