A security token is something you physically possess, the possession being a second factor of verification that you are, well you. To prove that you currently possess the token it displays a unique changing security code that you enter alongside your password at login. The token might be a physical device or a program loaded onto a mobile phone.
Some require you to enter a security code first, 30-60 seconds or provide a one time use key when you press the on button. Most physical keys support only one security account, while a software token can often support multiple accounts at the same time.
One way to use two-factor authentication is to use a physical token. Most are about the size of a USB key, while a few are the size of a handheld device. It varies from manufacturer to manufacturer.
A physical token is not always a good fit for some businesses. In such situations, a soft token can be used. It’s the same thing as a physical token except you get the code on your smartphone (through an app) instead of a dedicated token device. This way, your costs go down to practically zero (since most people have smartphones anyway) and a soft token app will often support multiple accounts.
When a phone, or physical device isn’t a possibility you can always setup and use a token printed on regular ol’ paper. This is a security matrix where you would have to match the rows and columns give to you by the system respond with the appropriate code.