mToken: easy and secure access to InsideBusiness explained in depth
mToken is a feature of the InsideBusiness App with a unique QR code solution that allows you to quickly and securely log in to InsideBusiness via your mobile phone. mToken can also be used for signing purposes in InsideBusiness. The main benefits are:
- Fast and easy log in and signing
- Easy activation within minutes
- No need to wait for the delivery
- No expiration date
- InsideBusiness App is available in 14 languages
- Environmentally friendly
To start using mToken:
- Download the InsideBusiness App on your iOS or Android mobile phone.
- Install the InsideBusiness App and start the registration process.
- On your computer, browse to InsideBusiness (https://insidebusiness.ingwb.com) and choose mToken as the log in option.
- Now open the InsideBusiness App, log in and tap on the mToken feature.
- Scan the QR code shown on your computer screen and confirm the log in action.
- You have now successfully logged in to InsideBusiness!
Please note: always validate that you are securely connected to ING by checking the internet address and the closed padlock (https://). Validate the owner of the website by clicking on the closed padlock next to the internet address; it will show that the certificate is issued to ING.
Security in short
- The InsideBusiness App is built to the highest security standards. It has no access to data or functionalities of your phone and is in no way able to take control over your personal or company phone.
- The InsideBusiness App is personal and communicates 1-1 with ING under strong and proven protocols that secure your connection.
- No personal data from your mobile phone is transmitted to ING.
- The registration process is strong and secure.
- Corporate Administrators are in full control to deactivate the InsideBusiness App.
- The InsideBusiness App uses mPIN, fingerprint or face recognition to ensure authenticated access only.
- The integrity of the InsideBusiness App is monitored by ING.
Any company data in the InsideBusiness App is stored encrypted on the device and becomes inaccessible after logout or de-registration to prevent data leakage.
In case of emergency
If your mobile phone is lost or stolen, or if there is any indication of fraudulent abuse, immediately contact your Corporate Administrators, the local ING helpdesk (during office hours) or the Alarm and Communications Centre ING +31(0)88 464 2224 (outside office hours) to deactivate the InsideBusiness App.
Security in more detail
Your security is our highest priority. The InsideBusiness App combines the security of two-factor authentication and a high-grade secure connection with the convenience of mobile phone features like fingerprint and face recognition.
Our InsideBusiness app is secured on several layers:
From a company policy perspective
- A user can be configured to use all InsideBusiness App functionalities or only the mToken feature. This is managed by the Corporate Administrator, or by ING on request.
- When a user only has the mToken permission, he can only use the app to log into InsideBusiness. No account information or other features will be present in the app, unless that permission is enabled by the Corporate Administrator, or on request by ING.
- The user can deactivate the app (wipe keys and block the app).
- The user or Corporate Administrator can deactivate the app via InsideBusiness.
- In case of emergency, ING can deactivate the InsideBusiness App.
- We are currently developing a new feature to disable self-activation. This means that users will need approval from the Corporate Administrator before being able to use the app or mToken.
From a data perspective
- No personal data from your mobile phone is transmitted to ING. The InsideBusiness App is built to the highest security standards. It has no access to data or functionalities of your phone and is in no way able to take control over your personal or company phone.
- All data in the app is stored encrypted and cleared after logout.
- ING monitors the integrity of the app continuously to prevent tampering. No personal data is gathered.
- An mPIN is your personal code for authentication. This code is unique for the app and mobile phone combination. The mPIN uses the Secure Remote Password (SRP) protocol and is therefore not known by ING, nor is it transmitted to ING.
- After 5 incorrect attempts, the mPIN is blocked. It is not possible to unblock the mPIN. To get access to the app again, the user needs to re-activate the app via the registration process. When a new registration takes place, both the user and the Corporate Administrator will be informed.
- Authentication and signing of transactions are based on multi-factor authentication. The 1st factor is the mPIN you know or your fingerprint. The 2nd factor is the private keys you have, which are generated and securely stored during app activation specifically for you.
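How a Secure Remote Password exchange lets a server check a PIN it never receives, as an added illustration that is not ING's code. It assumes the SRP-6a variant with SHA-512 and a small demo group (the page does not state the variant or parameters); the user name and PINs are constructed.

```python
# Added illustration of SRP-6a; not ING's code. Parameters below are demo-only.
import hashlib
import secrets

N = 2**521 - 1  # demo modulus (assumption); real systems use standardized SRP groups
g = 3           # demo generator (assumption)

def H(*parts) -> int:
    """SHA-512 over length-prefixed parts, returned as an integer."""
    h = hashlib.sha512()
    for p in parts:
        b = p if isinstance(p, bytes) else p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def register(user: bytes, pin: bytes):
    """Device side: derive the only values the server stores (no PIN among them)."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, H(salt, user, pin), N)  # (salt, verifier)

def login(user: bytes, pin: bytes, salt: bytes, verifier: int):
    """Simulate one login; return (server_accepts, values_sent_over_the_wire)."""
    a = secrets.randbelow(N - 2) + 1            # client secret
    A = pow(g, a, N)                            # client -> server
    if A % N == 0:
        raise ValueError("server must reject A = 0 mod N")
    b = secrets.randbelow(N - 2) + 1            # server secret
    B = (k * verifier + pow(g, b, N)) % N       # server -> client
    u = H(A, B)
    if B % N == 0 or u == 0:
        raise ValueError("client must abort on B = 0 mod N or u = 0")
    x = H(salt, user, pin)                      # recomputed on the device from the typed PIN
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(verifier, u, N) % N, b, N)
    M1 = H(A, B, S_client)                      # client proof, client -> server
    return M1 == H(A, B, S_server), [user, A, salt, B, M1]

if __name__ == "__main__":
    salt, v = register(b"demo-user", b"24680")  # constructed user name and PIN
    print(login(b"demo-user", b"24680", salt, v)[0])  # correct PIN
    print(login(b"demo-user", b"13579", salt, v)[0])  # wrong PIN
```

Only the user name, the public values A and B, the salt and the proof cross the wire. Because a short PIN has little entropy, a stored verifier still has to be protected against offline guessing, which is why attempt limits and device-bound keys matter alongside SRP.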
Encryption and protocols
- Data is transferred securely between the app and ING via a TLS connection. Within this connection the data is additionally encrypted.
- Strong and proven protocols are used for connection, encryption and keys: TLS 1.2+, AES (256), HMAC (512) and RSA (2048).
- To further enhance security, you can enable additional mobile device security features (e.g., PIN, pattern, fingerprint, face recognition).
- The software is extensively tested in multiple phases of the development lifecycle. Before a major release the implementation is tested by an external party (grey box security review).
- The InsideBusiness App complies with applicable local regulatory requirements and international security standards, like EBA’s PSD2 RTS.