LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the main types of tokens for strong authentication / 2FA?

mTAN (SMS), OTP (time-based, e.g. SecurID), and Challenge-Response tokens (manual entry, semi-automatic via PhotoTAN/QR, fully automatic via Mobile ID).

The token family tree:

Token How it works Security based on
mTAN Bank SMSes a one-time code to your phone Access to your phone's SMS channel
OTP token (SecurID) Hardware displays a number that changes every 30/60 s; OTP = f(key, time) The key inside the token
C/R manual (chipTAN, calculator-style) You type a challenge into the device; it shows a response you type back Key inside token; manual transcription
C/R semi-automatic (PhotoTAN, QR) Phone scans a code from the screen, displays a response you type back Key inside phone app + visual channel
C/R fully automatic (Kobil AST, Mobile ID) Phone receives challenge over data, signs it, sends back automatically Key inside phone app + authenticated push channel

Two big OTP families:

  • Time-based (OTP = f(key, time)): SecurID, Google Authenticator (TOTP). No challenge — the "challenge" is the current 30 s window.
  • Challenge-based (OTP = f(key, challenge)): every transaction can have its own challenge → enables true transaction signing.

From Quiz: ISF / Access Control | Updated: Jul 14, 2026