Quiz Entry - updated: 2026.07.14
What are the main types of tokens for strong authentication / 2FA?
mTAN (SMS), OTP (time-based, e.g. SecurID), and Challenge-Response tokens (manual entry, semi-automatic via PhotoTAN/QR, fully automatic via Mobile ID).
The token family tree:
| Token | How it works | Security based on |
|---|---|---|
| mTAN | Bank SMSes a one-time code to your phone | Access to your phone's SMS channel |
| OTP token (SecurID) | Hardware displays a number that changes every 30/60 s; OTP = f(key, time) |
The key inside the token |
| C/R manual (chipTAN, calculator-style) | You type a challenge into the device; it shows a response you type back | Key inside token; manual transcription |
| C/R semi-automatic (PhotoTAN, QR) | Phone scans a code from the screen, displays a response you type back | Key inside phone app + visual channel |
| C/R fully automatic (Kobil AST, Mobile ID) | Phone receives challenge over data, signs it, sends back automatically | Key inside phone app + authenticated push channel |
Two big OTP families:
- Time-based (
OTP = f(key, time)): SecurID, Google Authenticator (TOTP). No challenge — the "challenge" is the current 30 s window. - Challenge-based (
OTP = f(key, challenge)): every transaction can have its own challenge → enables true transaction signing.