Signing methods

Strong customer authentication: two-factor authentication in online banking (Internet banking)

The PSD2 (Payment Services Directive 2) includes the requirement to employ strong customer authentication (SCA) to improve the security of payment transactions.

The factors required for strong customer authentication are knowledge, possession, and inherence. These factors must be independent of one another. This reduces the risk of fraud, even if one of the factors is compromised. A combination of multiple factors transmitted via a secure channel can ensure the highest possible degree of security for financial transactions.

In future, strong customer authentication will require the use of two of the following factors to log in and to sign payment orders:

KNOWLEDGE: something that only the user knows (such as a password or PIN).

POSSESSION: something that only the user possesses (such as a card or device that generates an authentication code).

INHERENCE: something that is inherent to the user as a person (such as a fingerprint).

The new requirements will come into force on 14 September 2019. For legal reasons, it will only be possible to access the online banking system by means of two-factor authentication starting on this date.

The following are the current login and signature methods for online banking:

Schoellerbank ID (for login and transaction authorisation)

Schoellerbank ID is a new signature and login method. This employs a procedure based on a one-time password (OTP) to log into the online banking system and to sign transactions. It offers greater convenience and security. This new method also meets the regulatory requirements in the PSD2 for strong customer authentication (SCA).

Download the Schoellerbank ID app from your app store (AppStore, Google Play Store or Windows Store) and install it on your smartphone and/or tablet.


The functionality of the Schoellerbank ID app is very simple. The app shows you three numbers. One of these numbers matches the number shown in the online banking platform. When you tap this number, the login or transaction is authorised.

  • Login with Schoellerbank ID
    Every time you log into online banking, you will be shown a number that only you know. To authorise the login, you must tap, in the Schoellerbank ID app, the number shown in the online banking platform. If you select the wrong number, the procedure is cancelled and you will see an error message.
    If the Schoellerbank ID app prompts you to authorise a procedure that you have not initiated, you can tap the button “I did not initiate this request!”. The procedure is cancelled immediately in this case, as well.
     
  • Signing with Schoellerbank ID
    Every time you sign an order in online banking, you will be shown a number that only you know. To sign the transaction, you must tap, in the Schoellerbank ID app, the number shown in the online banking platform. If you select the wrong number, the procedure is cancelled and you will see an error message.
    If the Schoellerbank ID app prompts you to authorise a procedure that you have not initiated, you can tap the button “I did not initiate this request!”. The procedure is cancelled immediately in this case, as well.
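
The number-matching procedure described above can be modelled on the server side as a single-use challenge. This is an added example, not Schoellerbank's code: the names `Challenge`, `new_challenge` and `respond`, the two-digit number range and the state strings are assumptions.

```python
import secrets
from dataclasses import dataclass

# Hypothetical model, not Schoellerbank's implementation: names, the two-digit
# range and the state strings are assumptions made for this example.

@dataclass
class Challenge:
    purpose: str            # "login" or "sign"
    shown_in_browser: int   # number displayed in the online banking platform
    app_choices: list       # the three numbers displayed in the app
    state: str = "pending"  # pending -> authorised | cancelled


def new_challenge(purpose, rng=secrets.SystemRandom()):
    """Create a challenge: three distinct numbers, one of which the browser shows."""
    if purpose not in ("login", "sign"):
        raise ValueError("unknown purpose")
    choices = rng.sample(range(10, 100), 3)   # CSPRNG, no repeats
    return Challenge(purpose, rng.choice(choices), choices)


def respond(ch, tapped=None, denied=False):
    """Resolve a challenge exactly once and return its final state."""
    if ch.state != "pending":
        # A resolved challenge is never reopened, so a wrong tap cannot be retried.
        raise ValueError("challenge already resolved")
    if denied:
        # "I did not initiate this request!" cancels immediately.
        ch.state = "cancelled"
    elif tapped == ch.shown_in_browser:
        ch.state = "authorised"
    else:
        # Wrong number: the procedure is cancelled, no second attempt.
        ch.state = "cancelled"
    return ch.state


if __name__ == "__main__":
    ch = new_challenge("login")
    print("browser shows", ch.shown_in_browser, "app offers", ch.app_choices)
    print(respond(ch, tapped=ch.shown_in_browser))   # authorised
```

Because a wrong tap cancels the procedure, a prompt approved without looking at the online banking screen matches only one time in three under this model.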

Please note: The Schoellerbank ID app replaces the tresorTAN method. Once you install and activate the Schoellerbank ID app, the tresorTAN app is deactivated automatically. You cannot use both apps at the same time.

cardTAN method (for login and transaction authorisation)

cardTAN is an authorisation method that was developed by Austrian banks in cooperation with Studiengesellschaft für Zusammenarbeit im Zahlungsverkehr GmbH (STUZZA). The cardTAN method allows you to log into the online banking system and authorise payment orders in online banking in an innovative and secure manner using a cardTAN-compatible card and a cardTAN reader.

How does cardTAN work?

Login with cardTAN (available from 12 August 2019)
To log into online banking with cardTAN, you must select “cardTAN” as the login method. Then, take your cardTAN reader and cardTAN card (debit card). Insert your cardTAN card (debit card) into the reader, enter your electronic banking PIN, and confirm by pressing the “OK” button. The display will then read “Startcode od. Flicker”; confirm by pressing the “OK” button. The display will read “Startcode”; enter “00”. The cardTAN login code will then be generated; enter this code in the corresponding box on the login screen.

Signing with cardTAN
Create your order in online banking in the usual manner and select the cardTAN signature method when signing the transaction. After you activate your card reader (using your cardTAN-compatible card and cardTAN PIN), hold the reader up to your computer screen to transmit the order to the reader using a flicker code. A cardTAN is generated for the transaction, which you can then use to sign your order.

Benefits of cardTAN:

  • Authorising orders using your PIN and a cardTAN offers a very high level of security
  • TANs can only be generated by entering your user PIN
  • cardTAN works wirelessly (no computer connection or software required)
  • The cardTAN generator is flexible and can be used for practically any Austrian bank

You need:

A cardTAN-compatible Schoellerbank card

  • debit card (with a cardTAN logo on the back of the card), or
  • cardTAN signature card

A cardTAN reader
The cardTAN generator is standardised across Austria and can therefore be used with any Austrian bank that participates in the cardTAN system. Schoellerbank will provide you with a card reader.

Order cardTAN
Contact your relationship manager to request the activation of cardTAN as well as a card reader and a cardTAN signature card.

FIDO token (only for login with the required hardware)

Online banking will also support the U2F/FIDO2 token (Universal Second Factor) as an additional login method. For the purposes of strong customer authentication, the FIDO2 token represents the possession factor. If you already have a FIDO token, you can use it to log into the online banking system. Please note that orders cannot be signed with a FIDO token.

The following browsers currently support the FIDO token:

Chrome (version 67 or higher), Firefox (version 60 or higher), and Microsoft Edge (build 17682 or higher). Support is currently being implemented for Safari. Internet Explorer does not support the FIDO token.

Note: You can only register one token at a time. If you have already registered a token and then register another token, the registration of the previous token will be cancelled. However, one FIDO2 token can be used for authentication by multiple users.

mobileTAN (for transaction authorisation)

The mobileTAN is used to authorise (sign) orders. In this method, a mobileTAN is sent to your mobile phone as a text message. Two-factor authentication still permits the signing of payment orders using a mobileTAN. However, you must also enter your PIN or password in addition to the mobileTAN to sign payment orders. You cannot sign into online banking using a mobileTAN.

Exception: The mobileTAN serves as an emergency login in the event that you forget your password. In this case, an activation code (one-time password) is sent to the mobile phone number the bank has on file for you. You must always ensure that your mobile phone number is up to date in the online banking system (menu item “My Data”/“Personal Data”).

tresorTAN (for transaction authorisation)

NOTE: The tresorTAN app will be replaced by the Schoellerbank ID app in the coming months. For this reason, we recommend that you switch to the new Schoellerbank ID app today.
