pushTAN 2.0 requires authentification on every request

[UebertreibeR]

Hello,

I'm using a bank account with pushTAN 2.0 (ID=923) account for which support has lately been added (many thanks to the developers!). Import works fine, however I am always challenged to authenticate every single request, making headless use impossible.

To my understanding, once confirmed to be "trustworthy" the bank should not request re-authentification for 90 days.

Is there away around this that I am not seeing?

[JuliusFreudenberger]

This importer uses the nemiah/phpFinTs library. This library seems to lack full support for the workflow you describe. That's why I couldn't implement the "trustworthy" part in #145.
nemiah/phpFinTS#453 seems to follow the lacking support on the dependency site. I watch this thread and will try to implement a solution as soon as I see the possibility without rewriting parts of the dependency myself.

[UebertreibeR]

The problem seems fixed in the original library as indicated in nemiah/phpFinTS#453

• is there anything we can do now to get this running in fints-importer?

[JuliusFreudenberger]

I think it is possible and could be implemented. I already have some very rough ideas how to tackle it. However, my time in the next weeks is limited, so it could be next year until I find time to implement this. (My priority is not that high right now as it currently is working; not nice but working.)
If you want to start working in that, please feel free to do so.

[TyrionWarMage]

DKB is also switching to decoupled PushTan (https://www.dkb.de/fragen-antworten/kann-ich-eine-finanzsoftware-fuers-banking-benutzen) - Currently, i can not test it as the new server is not accepting 923/921, but it is likely to be 923 starting 25.11.

@JuliusFreudenberger If i understand the thread correctly, we need to persist like mentioned here:
nemiah/phpFinTS#453 (comment)
and store a mapping username+bank->persistString somewhere offline. Correct?
What is your plan for the offline storage?

Update: It works with TAN mode 940 (which is not listed ...), but it is also decoupled and requires re-verification. I assume the 623 implementation also required pressing submit after the 2FA step?

[JuliusFreudenberger]

Regarding your update: TAN modes can be added easily to the UI. When you are using a configuration file, you can just specify this mode.

I also understood the process like this. I planned to extend the configuration.json to store this persistence string. When it is set and needed for the selected TAN mode, it will be pulled from there. If it is not set, then a verification is needed and the resulting persistence string should be presented in the UI after the import is finished with a hint to put this in the configuration file.