Quiz Entry - updated: 2026.07.14
What is risikoabhängige Authentisierung (risk-based authentication) and how does e-banking use it?
Different actions require different authentication strength. Reading your balance might need only a password; making a payment needs 2FA; high-risk operations like adding a new beneficiary need extra verification.
E-banking pyramid (low → high authentication strength required):
| Activity | Auth required |
|---|---|
| General info (rates, branch hours) | None — public |
| Reading account/card info (smartphone) | Password only |
| Stock trading (smartphone) | Password |
| Scanning/registering payments (smartphone) | Password |
| E-bills (smartphone with Access Card) | Password + card |
| 'Smooth' payments (smartphone with Access Card) | Password + card |
| Pre-registered payments (PC) | Full e-banking login |
| Arbitrary payments (PC) | Full e-banking login |
| Changing customer data (PC) | Full e-banking login + extra check |
Why this matters:
- Forcing full 2FA on every interaction would push users to disable security or pick weaker banks.
- Letting low-risk actions go with low friction keeps users happy; only escalating where loss potential is real keeps the bank safe.
- This is the Schutzziel × Aufwand trade-off applied to UX.
Modern extensions: "adaptive authentication" — risk score is computed live from device fingerprint, IP geolocation, time of day, behaviour patterns, then escalation is triggered only when anomalous.