LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

For E-Banking, what's the difference between the protection goal of Authentication and the protection goal of Authorisation?

Login (Authentication) protects Confidentiality of bank-customer data. Transaction confirmation (Authorisation) protects Integrity of the transactions.

The two use-cases:

Stage Action Protects
Authentication Logging in to view your account Confidentiality — only you should see your balance
Authorisation Confirming a specific payment Integrity — the transaction must be the one you actually meant to send

Why this distinction shapes which token to use:

  • If you only care about login confidentiality, any well-implemented 2FA (TOTP, mTAN, OTP token) does the job — once authenticated, attackers can read your balance until logout.
  • If you care about transaction integrity, you need transaction signing — a method that binds the response to the specific payment details (chipTAN, PhotoTAN, Mobile ID with details displayed). Otherwise a man-in-the-browser can redirect the payment after login.

Implication: banks that only require TOTP at login (no per-transaction signing) protect confidentiality well but transaction integrity poorly. Banks with PhotoTAN/chipTAN for every payment protect both.

Tip: when assessing any auth scheme, ask the two questions separately: "Does this protect login confidentiality?" and "Does this protect transaction integrity?" — the answers can be different.

From Quiz: ISF / Access Control | Updated: Jul 14, 2026