Two-tier authentication is one of the most important system components. Once logged in, users can only launch queries; performing active operations (orders) requires passing a separate authentication procedure. This means that transactions can be sent to the bank only after a separate signature has been supplied.
Electra Internet Banking can also handle multiple signatures. This function is useful mainly for SMEs and companies as it allows defining primary and secondary signatories.
The system supports the following authentication methods:
- SMS password
- TAN code
- signature password
- chip card
Financial institutions can select from among the above authentication methods at their discretion. It is also possible to combine the above methods (e.g. using TAN codes and signature passwords together) or associate them with certain limits. What is more, it is possible to set the required authentication method for each specific user, satisfying thereby individual client needs.
SMS passwords offer one of the most secure authentication methods, which is applied more and more frequently by Hungarian banks and cooperative savings associations. This form of signature enjoys the highest popularity in Hungary even in comparison with other European countries.
It was Cardinal Kft. that introduced SMS password-based authentication in Hungary. The first such system was developed for Konzumbank back in 2002. Since then, most financial institutions using Electra Internet Banking have started to support SMS password-based authentication.
When using SMS password-based authentication, the user receives a unique signature code by SMS to the phone number he previously specified. He has to enter this code as his signature in the browser application. Security is ensured by the user receiving the signature code via a channel other than the Internet, and the basis for authentication is the device (the mobile phone) in the user's possession.
This is a single-use code, i.e. it cannot be used to sign another order, and its validity is limited in time, i.e. it can be used only for a certain period starting from the time of sending (for 5 minutes by default).
A single signature code can be used to sign more than one package, which makes package management easier on the one hand, and significantly decreases the total cost of the SMS messages sent on the other hand.
If the user uses the SMS password to sign a single transaction, the SMS text may also confirm the type and the main details of the transaction (e.g. the counterparty's account number and the amount) apart from specifying the password.
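The rules in the SMS password paragraphs above (single-use code, 5-minute validity from sending, one code bound to one or more packages, transaction details echoed in the SMS) can be modelled server-side as follows. This is an added illustration, not Electra's code: the six-digit code format, the SMS wording and the `SmsSigner` bookkeeping are assumptions; time is passed in as epoch seconds so the logic is deterministic.

```python
from dataclasses import dataclass
import secrets

VALIDITY_SECONDS = 300  # default validity window named on the page (5 minutes)


@dataclass
class SignatureCode:
    code: str
    package_ids: frozenset  # the package(s) this one code is allowed to sign
    sent_at: float          # epoch seconds at which the SMS was sent
    used: bool = False


def sms_text(code, packages, details):
    """Compose the SMS body. For a single transaction the main details are echoed
    so the user can compare them with the screen before signing (constructed wording)."""
    text = f"Signature code: {code}"
    if len(packages) == 1 and details:
        text += f" for {details['amount']} to {details['account']}"
    return text


class SmsSigner:
    """Hypothetical server-side bookkeeping for SMS signature codes."""

    def __init__(self):
        self.pending = {}   # user -> latest SignatureCode issued to that user
        self.signed = set()  # package ids that now carry a valid signature

    def issue(self, user, packages, now, details=None):
        code = f"{secrets.randbelow(10**6):06d}"  # assumed: six-digit code
        self.pending[user] = SignatureCode(code, frozenset(packages), now)
        return sms_text(code, packages, details)  # what goes to the registered phone

    def sign(self, user, packages, code, now):
        """Return 'ok' or a rejection reason; on success every bound package is signed."""
        sc = self.pending.get(user)
        if sc is None or sc.used:
            return "rejected: no live code"            # single use: never re-accepted
        if now - sc.sent_at > VALIDITY_SECONDS:
            return "rejected: expired"                 # validity counted from sending
        if frozenset(packages) != sc.package_ids:
            return "rejected: code not bound to these packages"
        if not secrets.compare_digest(code, sc.code):
            return "rejected: wrong code"              # constant-time comparison
        sc.used = True
        self.signed.update(packages)
        return "ok"
```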
Token-based authentication is highly similar to that described in the paragraphs on SMS passwords, with the single difference that here the single-use unique signature codes are generated not by the bank but by a stand-alone electronic device in the user's possession.
When using token-based authentication, the underlying basis of authentication is again possession of a physical device, with the only difference that this device is not a mobile phone but a token.
The token, which has a unique serial number, is associated with the user during a registration procedure at the bank, and it is the task of the server application related to the tokens to decide whether the token code received from the user actually comes from the device associated with him.
Basically, there are two types of tokens: one has an integrated keyboard and uses a PIN code to ensure that nobody else can use the codes if the device is lost; the other has no keyboard, and when it is used the Electra Internet Banking application also requires a signature password to ensure the appropriate security level.
Due to its flexibility, the Electra system can be connected to any token-based authentication system. Currently, it has an existing connection to the Vasco system.
In the case of TAN code-based authentication, users receive single-use, unique signature codes not one by one but in tabular batches that may contain as many as one hundred codes at a time.
These are typically in hard copy, printed by either the bank or the client. When the user has used one of the codes, he strikes it through and will use the following code next time. Using the last TAN code, the user can generate a new list of TAN codes for himself.
Although this solution may seem a bit obsolete, it is popular because it has no related cost: there are no SMS charges, and no fee has to be paid for tokens or the underlying server solution, either.
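The TAN list handling described above (codes used strictly in order, each struck through after use, the last code spent on generating a fresh list) can be modelled on the server side like this. This is an added illustration and not Electra's code; storing only digests of the codes, the six-digit format and the `renew` rule that all earlier codes must already be struck through are assumptions.

```python
import hashlib
import secrets

LIST_SIZE = 100  # a batch may hold as many as one hundred codes (page)


def new_tan_list(size=LIST_SIZE):
    """Generate a fresh batch of single-use TAN codes (assumed six-digit format)."""
    return [f"{secrets.randbelow(10**6):06d}" for _ in range(size)]


def _digest(code):
    return hashlib.sha256(code.encode()).hexdigest()


class TanAccount:
    """Server-side view of one user's TAN list: only digests are kept, plus the
    index of the next unused code, which plays the role of the strike-through."""

    def __init__(self, tans):
        self.load(tans)

    def load(self, tans):
        self.digests = [_digest(t) for t in tans]
        self.next_index = 0  # everything before this index is struck through

    def _matches_next(self, code):
        expected = self.digests[self.next_index]
        return secrets.compare_digest(_digest(code), expected)

    def sign(self, code):
        """Accept only the next unused code; returns 'ok' or a rejection reason."""
        if self.next_index >= len(self.digests):
            return "rejected: list exhausted"   # no codes left, new list needed
        if not self._matches_next(code):
            return "rejected: wrong code"       # reused, skipped or mistyped code
        self.next_index += 1                    # strike it through
        return "ok"

    def renew(self, code):
        """Spend the last code of the list on generating a new list; the old list
        becomes void. Returns the fresh list (to be printed) or a rejection reason."""
        if self.next_index != len(self.digests) - 1:
            return "rejected: unused codes remain"
        if not self._matches_next(code):
            return "rejected: wrong code"
        fresh = new_tan_list(len(self.digests))
        self.load(fresh)
        return fresh
```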
The signature password-based method is one of the weakest authentication methods nowadays, and it is also the solution most vulnerable to phishing attacks. Its weakness stems from the user always entering the very same authentication code: once that code is obtained by an unauthorised person, secure access is compromised.
Although Electra Internet Banking is ready to handle chip card-based authentication, this technology is currently not used in any Internet Banking environment due to the inherent difficulties of the technology.
These difficulties are related to having to install different drivers for both the card reader and the card, and to browsers being unable to handle these devices without specific additional applications (e.g. Java applets). As a consequence, Internet Banking loses its mobility and, technically speaking, binds the user to a single computer.
Despite all this, banks can decide to provide this authentication method to some specific clients of theirs as our system allows setting the authentication method on a user-by-user basis.