LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How does challenge-response login work, and what's the difference between manual, semi-automatic, and fully automatic variants?

Server sends a challenge → token (or phone) computes a response from (key, challenge) → user delivers response back. Variants differ in how the challenge moves between server and token.

Variant Challenge transport Example
Manual (chipTAN, calculator-style) User reads challenge from screen, types it into hardware token Old TAN generators, banking calculators
Semi-automatic (PhotoTAN, QR-TAN) Phone scans a 2D code from screen → computes response → user types response back to PC German PhotoTAN, Swiss CrontoSign
Fully automatic (Mobile ID, Kobil AST) Phone receives challenge over data channel, signs it, sends response back automatically — user just confirms on phone Mobile ID, Authsignal, modern bank apps

The general flow (all variants):

  1. User enters password → 1. password.
  2. Server sends challenge → 2. challenge.
  3. Token computes response = f(key, challenge).
  4. User (or phone) returns response → 3. response.
  5. Server verifies.

The killer feature: transaction binding.

The challenge can include the transaction details (amount, recipient account). The response then cryptographically binds the user to those specific details. Even a malicious browser that tampers with the on-screen transaction can't fool the user, because the token shows the real challenge (with amount and recipient) directly.

From Quiz: ISF / Access Control | Updated: Jul 14, 2026