What is TAN (transaction authentication number)? - Definition from WhatIs.com


TAN (transaction authentication number)

Part of the Authentication glossary:

A transaction authentication number (TAN) is a type of single-use password used for an online banking transaction in conjunction with a standard ID and password.

TANs are often issued as a list, created by the financial institution and sent to the account owner. The list contains unique single-use passwords or passphrases. Each time users authenticate, they use one of the passwords and then cross it off the list. The lists may operate in sequential order or include an index system for the TANs, in which case the bank asks for the TAN under a specific index. The financial institution maintains a database of users and their respective lists and tracks which number is currently slated next for use. Some TAN systems are smartphone-based. In these systems, the user receives an SMS message from their bank containing the TAN.

TAN systems work reasonably well to add a modicum of extra security in an inexpensive and relatively simple-to-implement way. Since the technology involved uses software that keeps server-side and client-side lists synchronized, it’s also easy for an institution to maintain. However, almost all TAN variants are vulnerable to man-in-the-middle or phishing attacks. Those that use out-of-band authentication, such as SMS messages on mobile phones, are more secure in that an attacker has to compromise two communication channels to steal the information needed to complete a transaction.

Newer TAN variants were created to protect against these attack vectors. ChipTAN uses security data from a user’s bank card, as read by a chipTAN generator (a type of security key fob), which generates a TAN. PhotoTAN is a system in which the bank generates and sends an encrypted message containing a QR code image to a smartphone or standalone device. Both of these TAN methods make for stronger two-factor authentication along with a standard login. Nevertheless, out-of-band authentication methods are not impervious to attack. The Zeus Trojan is just one example of malware designed to steal SMS authentication data for online banking.
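As an added illustration (not from the original glossary entry or any bank's software), the following Python models the two mechanisms described above: a server-side indexed TAN list that asks for a specific index and crosses each TAN off after one use, and a simplified transaction-bound TAN in the spirit of chipTAN, computed here as an HMAC over the recipient and amount (an assumed stand-in, not the real chipTAN/EMV algorithm). The second half shows why binding the code to the transaction details helps against a man-in-the-middle: a TAN captured for one transfer does not verify for an altered one.

```python
import hmac
import hashlib
import secrets


class ITANList:
    """Server-side record of one user's indexed TAN (iTAN) list.

    The bank stores the list, asks for a particular index, and tracks
    which index is slated next; a TAN is accepted exactly once.
    """

    def __init__(self, tans=None, size=10):
        # Constructed sample list: 6-digit single-use codes, one per index.
        self.tans = tans or {i + 1: f"{secrets.randbelow(10**6):06d}"
                             for i in range(size)}
        self.used = set()
        self.next_index = 1

    def challenge(self):
        """Return the index the bank asks for next, skipping used ones."""
        while self.next_index in self.used:
            self.next_index += 1
        return self.next_index

    def verify(self, index, tan):
        """Accept only if the TAN matches that index and is still unused."""
        if index in self.used or index not in self.tans:
            return False
        if not hmac.compare_digest(self.tans[index], tan):
            return False
        self.used.add(index)  # cross it off the list: single use
        return True


def bound_tan(card_secret: bytes, recipient: str, amount_cents: int) -> str:
    """Simplified transaction-bound TAN (assumed HMAC scheme, not chipTAN).

    Committing to recipient and amount means a code phished for one
    transfer is useless for a transfer with altered details.
    """
    msg = f"{recipient}|{amount_cents}".encode()
    digest = hmac.new(card_secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"


def verify_bound_tan(card_secret, recipient, amount_cents, tan):
    expected = bound_tan(card_secret, recipient, amount_cents)
    return hmac.compare_digest(expected, tan)
```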

This was last updated in August 2014
Contributor(s): Matthew Haughn
Posted by: Margaret Rouse
