ارزیابی متدهای تصدیق تراکنش در بانکداری آنلاین Evaluation of transaction authentication methods for online banking

1. Introduction Two forms of authentication can be used in online banking to authorize financial transactions [1]. Entity authentication is concerned with proving the identity of an online banking user, similar to authentication for other online services (email, instant messaging, etc.). Transaction authentication concerns the certainty that financial transactions (the destination account number, the amount of money, etc.) are deliberately authorized by the user. Current evaluation mechanisms of entity authentication methods do not take the specifics of online banking environments into consideration. A mechanism which also evaluates and compares aspects specific to transaction authentication is missing. Such a mechanism should take into account that transaction authentication methods can rely on an active role of the user to provide the security the method needs. Banks slowly start to introduce transaction authentication methods which require users to verify information received by the bank on bank-issued trusted devices and on userowned mobile devices. The possible reliance on the user’s actions and the trustworthiness of what the user observes should also be considered when comparing authentication methods. The goal was to evaluate different implemented and proposed online banking authentication methods to identify points for improvement. Our contribution includes an examination of different proposed evaluation mechanisms and our own proposal. We extended an existing mechanism with aspects related to the feasibility of using an authentication method securely. The new aspects cover the taxation of the user’s cognitive capacity through expansion of the user’s work flow, the ability for security to be (willingly or unwillingly by the user) circumvented and the lack of function and information clarity through the user interface and in- and output channels. The mechanism we propose can be used to evaluate online banking authentication methods in a way which takes the active role of the authenticating user into consideration. Seven raters performed an evaluation of 4 implemented and 8 proposed authentication methods.