Last rites for the LuxTrust token?
(This story was updated with new information from the Banque de Luxembourg in paragraphs 2, 11 and 12)
The days of frantically searching for a misplaced LuxTrust token to complete an online transaction could soon be coming to an end, with several of the country’s major banks signalling that the infamous handheld gadget will be phased out in favour of an online app.
The Banque de Luxembourg scrapped the use of the physical token in 2017, while BNP Paribas has begun switching away from the token, transferring customers to the online app since last April.
Raiffeisen, Spuerkeess and Banque Internationale à Luxembourg have indicated that their use of the physical token will eventually end, although a firm date has not been set.
The LuxTrust token is required to complete a host of tasks in Luxembourg, such as verifying online banking transactions and accessing personal information on certain government websites, including the filing of tax returns.
Founded in 2005 as a joint initiative by the Luxembourg government and banks, LuxTrust offers secure log-in by providing users with a six-digit code to complete transactions. However, a full transition to a digital version is underway in order to “offer an even higher level of security”, LuxTrust said, and to comply with an EU directive.
More than 220,000 customers are already using the LuxTrust Mobile app, the company said. While it is clear that the physical token will be phased out, there have been conflicting accounts as to whether its demise is imminent.
End of an era
At the end of last year, Luxembourg’s consumer union, the Union Luxembourgeoise des Consommateurs (ULC), issued a statement urging customers to get ready for the transition, which it said would occur during 2022. “All bank customers will therefore have to switch to the smartphone application in the course of next year,” the ULC said.
That statement, and resulting media coverage, provoked a response from LuxTrust, which said that it was seeking to issue “clarifications”, adding that no deadline had been set for the end of the physical token.
“To date, no deadline has been set for the definitive decommission of the token for banking transactions. However, the use of the token will progressively end, but it will still be available for non-banking transactions,” a LuxTrust statement said, adding that responsibility ultimately lies with each bank, which “can decide to no longer authorise the use of the token by its customers”.
“In addition, we would like to let users know that options are and will be available for those who prefer or need a hard device instead of a digital one,” LuxTrust said.
Five banks contacted by The Luxembourg Times said they were encouraging their customers to use the online app, but just two, Banque de Luxembourg and BNP Paribas, had either scrapped the physical token entirely or were in the process of a full-scale transfer.
“Because of security considerations, access to our banking application is not granted anymore to customers who are not equipped with the LuxTrust scan or LuxTrust mobile app,” a Banque de Luxembourg spokesperson said.
“In April 2021, BGL BNP Paribas began to gradually migrate its clients who use the Token to the LuxTrust Mobile solution,” a BNP Paribas spokesperson said. “Once LuxTrust Mobile has been activated, the token can still be used to log in to other sites that still accept it.”
The Banque Internationale à Luxembourg (BIL) said that it plans to distribute tokens “until at least” the end of this year. “About one third of our clients using LuxTrust have activated LuxTrust Mobile. The cease of use of the physical token is being discussed with LuxTrust. At BIL we will continue to distribute tokens until at least the end of 2022,” a BIL spokesperson said.
Spuerkeess said it will retain the physical token “at least in the medium term”, while Banque Raiffeisen said it “has not yet set a deadline for the complete replacement of the token” but added it is encouraging its customers to use the digital version.
A spokesperson for the ULC consumers union said that for many banks, the transition may take the form of simply “letting the tokens die” and then not replacing them when they have broken.
Nasir Zubairi, the head of the Luxembourg House of Financial Technology (LHoFT) business hub, said that many companies working with LHoFT are already using the digital version. “Online/mobile authentication is a de facto standard for many banks outside of Luxembourg and seems to create little to no problem,” he told The Luxembourg Times.
“If a good number of customers prefer the use of the physical token, enough to justify the costs of producing and managing the token, then perhaps the transition period should be extended, but, ultimately, we do need to move forward in terms of technology,” added Zubairi.