How to *Not* Implement 2-Factor Authentication
A very interesting example of a 2FA procedure whose implementation is extremely complex for the user: online banking from ING DiBa.
Roman Kuznetsov @ 22.07.2019
The new European Payment Services Directive 2 (PSD2) came into force in Germany on 13 January 2018. Almost all banks have already implemented this directive, as the implementation deadline (14 September 2019) is fast approaching.

One of the facets of this directive is so-called strong authentication (multifactor authentication, 2FA, 2-factor authentication) for online banking. Some banks have used this procedure before, others are only now following suit.

The details of 2FA are not discussed here, the reader is referred to

A very interesting example of a rather poor implementation of this procedure, which is extremely time-consuming for the user, can be seen in the online banking of ING-DiBa, of which the author is an otherwise satisfied customer. The prerequisite for the new procedure is a smartphone with the ING DiBa mobile app installed and set up.
To use online banking, go to, where you should enter your "access number" and "internet banking PIN". This corresponds to a login with a user name and a password. The password (or PIN) is secret and corresponds to factor no. 1, of the "knowledge" type. So far, everything is going according to plan.

Since the PIN cannot be considered sufficiently secure, the bank had earlier introduced a procedure to guard against passwords being spied out: you are now supposed to enter 2 predefined digits from a 6-digit so-called online key. This key is also secret and is again considered a knowledge factor, now number 2.

Anyone who thinks that 2-factor authentication ends here is sadly mistaken. The fun really starts now. (As an aside, we note that this has not yet been proper 2FA, because both factors are knowledge factors, whereas 2FA requires that the two factors be of different types.)

Now the online page switches to a waiting mode and asks us to switch to the mobile app.

We now open the mobile app and are confronted there with the entry of a 5-digit app PIN (not the same as the online PIN). This is factor no. 3, of the mixed type "knowledge/having", because on the one hand the PIN is secret and on the other hand the entry is made on a separate device.

If you have set up biometrics on your smartphone, you can log in using your fingerprint. This is now also factor no. 3 of the mixed type "having/being".

We're supposed to be done by now, right? No!

We are further shown that a login for online banking is waiting for us, which we are now supposed to release with one click. This is considered factor no. 4, of the "have" type.

The release of online access is considered a transaction in the app, and all transactions require their own release within the app. Consequently, we now have to enter a 5-digit transaction PIN (another knowledge factor) or release the transaction with our finger (being factor). This is factor no. 5 (!).

A confirmation now appears in the app that our efforts have not been in vain and that we can finally devote ourselves to actual online banking.
In the web browser that has been waiting for us on the computer, the online banking page now opens and one can continue working.

From a technical point of view, one can see the problems the developers were confronted with, but solving them has failed on a practical level. This procedure with 5-factor authentication is probably very secure but obviously very user-unfriendly.

The ability to use smartphones opens up new ways for developers and service providers to make the user experience not only more secure, but also better and, among other things, more user-friendly. The ING DiBa example presented here certainly had this intention, but unfortunately failed to achieve it.