LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How does risikoabhängige Autorisierung (risk-based authorisation) reduce 2FA friction in e-banking — and where's the catch?

Routine, low-risk payments skip the second-factor confirmation via "allow-lists"; only unusual transactions demand it — so users actually scrutinise the rare ones.

This mirrors risk-based authentication, but applied to authorising transactions: instead of forcing a transaction-signing step on every payment, the bank asks for it only on the risky ones. "Risky" is decided with two kinds of allow-list:

Allow-list What's on it Why it counts as low-risk
Global (bank-wide) Trusted recipients (e.g. Swisscom, the tax office); payees many customers send to often Reputable, widely used payee — little fraud upside
Personal (per-customer) Small amounts (a per-payment and/or per-day limit); recipients this customer has already paid before Low value or an established relationship — limited damage if abused

A payment matching an allow-list clears with just the login; anything outside them triggers full second-factor authorisation (transaction signing).

The catch — which is really the point: because routine payments are friction-free, the user only ever sees a confirmation prompt for rare, unusual transactions — exactly the ones an attacker would try to inject. Reserving the prompt for the unusual case makes users check those rare confirmations far more carefully instead of clicking through on autopilot. The friction is spent where it buys the most security.

Tip: This is the authorisation-side twin of risk-based authentication (reading your balance needs only a password; moving money needs 2FA) — the same "match control strength to the risk" idea, applied to payments instead of logins.

From Quiz: ISF / Access Control | Updated: Jul 14, 2026