TAN (transaction authentication number)

Part of the Authentication glossary:

A transaction authentication number (TAN) is a type of single-use password used for an online banking transaction in conjunction with a standard ID and password.

TANs are often issued as a list generated by the financial institution and sent to the account owner. The list contains unique single-use passwords or passphrases. Each time users authenticate, they use one of the passwords and then cross it off the list. The lists may operate in sequential order or include an index system for the TANs (indexed TAN, or iTAN), in which case the bank asks for the TAN under a specific index. The financial institution maintains a database of users and their respective lists and tracks which number is slated for use next. Some TAN systems are smartphone-based: the user receives an SMS message from the bank containing the TAN for the current transaction.
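The bank-side bookkeeping described above, as an added illustration that is not part of the original glossary entry: a constructed indexed TAN list where the server stores only salted hashes, chooses which index to challenge with, burns each index after a single use, and locks the list after repeated wrong guesses. The class name, the sample TAN values and the lock-out threshold are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample: the six-digit TANs printed on one customer's indexed list.
SAMPLE_TANS = ["483920", "117356", "902481", "664019", "275830"]


class IndexedTanList:
    """Bank-side record of one customer's indexed TAN list (iTAN scheme).

    Only salted hashes of the printed TANs are stored; each index is burned
    after one use, and the bank, not the user, picks which index to ask for,
    so a TAN phished for one index cannot be replayed for another.
    """

    def __init__(self, tans, salt=None, max_failures=3):
        self.salt = salt or secrets.token_bytes(16)
        self._hashes = [self._hash(t) for t in tans]
        self._used = [False] * len(tans)
        self.failures = 0
        self.max_failures = max_failures  # assumed lock-out threshold
        self.locked = False

    def _hash(self, tan):
        return hashlib.sha256(self.salt + tan.encode()).digest()

    def next_challenge(self):
        """Return a random unused 1-based index to challenge with, or None."""
        unused = [i + 1 for i, used in enumerate(self._used) if not used]
        return secrets.choice(unused) if unused and not self.locked else None

    def verify(self, index, tan):
        """Consume the TAN at `index`; True only if it is unused and matches."""
        if self.locked:
            return False
        i = index - 1
        if not 0 <= i < len(self._hashes) or self._used[i]:
            return False
        if hmac.compare_digest(self._hashes[i], self._hash(tan)):
            self._used[i] = True  # single use: this index is never accepted again
            self.failures = 0
            return True
        self.failures += 1  # guessing protection: lock after repeated failures
        if self.failures >= self.max_failures:
            self.locked = True
        return False
```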

TAN systems work reasonably well to add a modicum of extra security in an inexpensive and relatively simple-to-implement way. Since the technology involved uses software that keeps server-side and client-side lists synchronized, it’s also easy for an institution to maintain. However, almost all TAN variants are vulnerable to man-in-the-middle or phishing attacks. Those that use out-of-band authentication, such as SMS messages on mobile phones, are more secure in that an attacker has to compromise two communication channels to steal the information needed to complete a transaction.

Later TAN variants were created to protect against these attack vectors. ChipTAN uses security data from a user’s bank card, read by a chipTAN generator (a type of security key fob), which generates a TAN. PhotoTAN is a system in which the bank generates and sends an encrypted message containing a QR code image to a smartphone or standalone device. Both of these TAN methods provide stronger two-factor authentication alongside the standard login. Nevertheless, out-of-band authentication methods are not impervious to attack. The Zeus Trojan is just one example of malware designed to steal SMS authentication data for online banking.

This was last updated in August 2014
Contributor(s): Matthew Haughn
Posted by: Margaret Rouse
