The innovative banking practiced in Nigeria today means that virtually all of our banking transactions are now done either with a mobile phone or with other banking kits such as the Mobile Token.
This paradigm shift, coupled with the proliferation of mobile phones, should long ago have addressed some key issues faced by many Nigerian bank customers. A good example is the Mobile Token and the OTP code: many Nigerian bank customers still do not understand the difference between them when they carry out their daily bank transactions.
This article explains in detail the difference between a Mobile Token and an OTP.
Why Token in the first place?
In the banking industry, a token is an easy to use security device (hardware) or application (software) that generates a unique code used in two-factor authentication (2FA) for transactions.
The hard token is typically acquired from the bank’s premises, while the soft token is downloadable from multiple platforms like the Google Playstore or Apple Store.
While some bank customers may find it difficult to cope with today’s modern banking, many other, tech-savvy customers are demanding faster and more convenient payment methods every day, ones that are security oriented and also regulatory compliant. This is where the “Token” comes into play.
For the banks, the Token makes access to all their digital banking channels easier for their customers, providing a highly secure and user-friendly means of authenticating users and authorizing operations.
What is a Mobile Token?
Now that you know what a token is in the banking system, understanding what a Mobile Token is should be much easier.
A Mobile Token is a hardware device used to authorize banking transactions from your mobile phone or laptop. It is also called a bank token or a security token, and it is used to gain access to restricted banking transactions on your phone.
Most Nigerian banks now offer both hardware and software security tokens.
The hardware token, or hard token, is something you can feel or touch. It is usually a very small, pocket-friendly electronic device known as a “fob” that generates an authentication code at fixed intervals (usually 60 seconds) using a built-in clock and the token’s factory-encoded, almost random key. The hard token uses a technology called RSA SecurID.
What is RSA SecurID?
RSA SecurID, sometimes referred to simply as SecurID, is a two-factor, public-key encryption authentication technology used to protect network resources. SecurID, which is developed by RSA Data Security, is built around the difficulty of factoring very large numbers. Because of this design, the algorithm uses prime factorization as a foolproof method of stopping brute-force attacks. Solving the encryption takes a massive amount of time and processing power, thus deterring direct attacks on the security system. It is the standard encryption method for important data, especially when the information is being sent over the internet.
This authentication system is built around two main protections: a password or PIN known by the user (something you know), and (typically) a USB device, smart card, or fob, otherwise called a hardware token (something you have with you).
These two points of authentication are then used in conjunction with RSA’s Authentication Manager software, which verifies the authentication requests.
How Mobile Tokens work
When you access a protected resource such as a financial tracking database or your bank’s back-end interface, you will be asked for your passcode. The passcode is based on both the PIN provided by the SecurID system upon setup and the code generated for that login by your authenticator token.
A hard token is usually used when users log in to their banking application and want to perform a transaction. At that point you will be required to enter the number displayed on the token, and each token number lasts for just 60 seconds. This step verifies that you are the legitimate user of that device, as a guard against fraud and online banking scams.
In this flow, the user presses the button on their RSA SecurID device, which generates a session-specific code. Both codes (PIN and token code) are then received by the RSA Authentication Agent and relayed to the RSA Authentication Manager software, which checks and approves them. The RSA SecurID system computes what number the token is supposed to be showing at that moment in time, checks it against what the user entered, and makes the decision to allow or deny access.
The soft token, otherwise known as an “eToken”, is generated by your bank’s designated soft token mobile app, downloaded from either the Google Playstore or the Apple Store. When you launch the soft token mobile app it automatically generates a one-time passcode which you can enter for that particular banking transaction; it also lasts for only 60 seconds.
To use a software token: launch the RSA SecurID app and enter your PIN. The token will then generate a one-time passcode that changes every 60 seconds. Use the passcode to log in to the VPN.
What is OTP Code?
One-time passwords (also called one-time passcodes) are a form of strong authentication, providing much better protection for eBanking, corporate networks, and other systems containing sensitive data.
As the name suggests, they provide a mechanism for logging on to a network or service using a unique password that can only be used once. The static password is the most common authentication method and the least secure.
The code is usually a unique 6-character code that can only be used once and is sent only to your registered mobile number, the one held by the bank and mapped to the customer’s BVN for online banking.
The OTP authentication process is simple: when a website wants to validate a user, it usually asks the user to enter their mobile number for verification.
How OTP works
After entering your user ID and password, you will also be required to enter the correct OTP to complete the login process. By sending a one-time password (OTP) to the registered mobile number, businesses can verify users when they want to carry out sensitive transactions.
Why is a one-time password (OTP) safe?
The OTP feature prevents some forms of identity theft by making sure that a captured user name/password pair cannot be used a second time.
Typically the user’s login name stays the same, and the one-time password changes with each login.
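The two properties the section above relies on are that an OTP is sent out of band to a registered number and that, once used, it cannot be used a second time. The following is an added example of the server side of such a flow, not code from this article or from any bank: the registered-number lookup is simulated, delivery is replaced by returning the code to the caller, and the five-minute expiry and three-attempt limit are assumed values chosen for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed example of an OTP issuer/verifier. Assumed policy values:
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumption: a code expires five minutes after issue
MAX_ATTEMPTS = 3        # assumption: a code is invalidated after three wrong guesses


@dataclass
class PendingOtp:
    code_hash: bytes      # only a keyed hash of the code is kept at rest
    expires_at: float
    attempts: int = 0


class OtpService:
    def __init__(self, pepper: bytes) -> None:
        self._pepper = pepper                       # server-side HMAC key for hashing codes
        self._pending: Dict[str, PendingOtp] = {}   # user id -> outstanding code

    def _hash(self, code: str) -> bytes:
        return hmac.new(self._pepper, code.encode(), hashlib.sha256).digest()

    def issue_otp(self, user_id: str, now: Optional[float] = None) -> str:
        """Generate a fresh random code and store only its hash with an expiry.
        Issuing a new code replaces any code still outstanding for the user."""
        now = time.time() if now is None else now
        code = str(secrets.randbelow(10 ** OTP_DIGITS)).zfill(OTP_DIGITS)
        self._pending[user_id] = PendingOtp(self._hash(code), now + OTP_TTL_SECONDS)
        # In production the code is delivered to the customer's registered
        # number (constructed placeholder lookup) and never returned to the web client.
        return code

    def verify_otp(self, user_id: str, submitted: str,
                   now: Optional[float] = None) -> bool:
        """Accept the code at most once, only before expiry, and only while the
        attempt budget lasts. Any terminal outcome discards the stored hash."""
        now = time.time() if now is None else now
        entry = self._pending.get(user_id)
        if entry is None:
            return False                            # nothing issued, or already consumed
        if now > entry.expires_at or entry.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]              # expired or locked: discard
            return False
        entry.attempts += 1
        if not hmac.compare_digest(entry.code_hash, self._hash(submitted)):
            return False                            # wrong guess, budget reduced
        del self._pending[user_id]                  # consumed: a replay now fails
        return True


if __name__ == "__main__":
    svc = OtpService(pepper=secrets.token_bytes(32))
    code = svc.issue_otp("customer-001")
    print("first use accepted:", svc.verify_otp("customer-001", code))
    print("replay accepted:", svc.verify_otp("customer-001", code))
```

Deleting the stored hash on success is what makes a captured code useless a second time; the attempt counter and expiry bound how long a six-digit code can be guessed at, and hashing with a server-side key means a leaked table of pending codes is not directly usable.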
In the client-server era, compliance was the main reason banks adopted security solutions such as two-factor authentication, as they needed to satisfy regulations for protecting financial data, customer cardholder data, and the like. Nowadays, security and risk management are the main reasons banks want to implement two-factor authentication. Data breaches are real, affect millions of bank customers, and have real consequences on a large scale. Whereas previously only a few applications needed to be protected, today’s security environment requires access to dozens or even hundreds of applications to be secured.