Quiz Entry - updated: 2026.06.01
How does mTAN (SMS-based One-Time Password) work for a login or transaction?
User enters password → server sends a short code by SMS to the user's registered phone → user types the code back. Security depends entirely on the SMS channel being uncompromised.
The flow:
- User enters password on the PC →
1. passwordto bank server. - Bank generates a short code (e.g.
XK83L4) and sends it via SMS →2. mTANto user's phone. - User reads SMS on phone, types code on PC →
3. mTANto bank. - Bank verifies code matches → returns account info.
Security: entirely tied to SMS channel security.
Strengths:
- Convenient: most users already carry a phone.
- Out-of-band: separates the OTP delivery channel from the login channel (until step 3, when the user retypes on the same PC).
Weaknesses (why NIST has deprecated SMS for high-assurance):
- SIM-swap attacks: attacker convinces the telco to port the victim's number to a new SIM. Now SMS arrives at the attacker.
- SS7 vulnerabilities: old telephony signalling can intercept SMS in transit.
- Malware on the phone: Android malware can read incoming SMS silently.
- Phishing: the user is asked to type the code on a fake site — and does.