Two-factor authentication (2FA) uses two independent components. Compared to a simple password login, 2FA raises the security of the authentication step and is intended to make identity theft more difficult.
What is two-factor authentication (2FA)?
Two-factor authentication, or 2FA for short, differs from simple login procedures with a user ID and password in that two independent components (factors) are used for login. Proof of identity can be made much more secure thanks to 2FA. 2FA is a form of multi-factor authentication (MFA) and can prevent identity theft that would otherwise follow from a simple password theft.
The various factors can be divided into possession, knowledge, and characteristic factors. The BSI (German Federal Office for Information Security) now recommends two-factor authentication as a basic measure for the use of IT services in its IT-Grundschutz catalogs.
When logging in using 2FA, both factors must be present and correct. If one factor is incorrect or missing, the user cannot be authenticated and access remains blocked. A typical application example for two-factor authentication is the use of ATMs or electronic payment transactions. At the ATM, the bank card must be present (possession) and the correct PIN must be entered (knowledge); an electronic bank transfer requires a PIN and a TAN generated by a token. 2FA is also increasingly used on the Internet to log in to e-mail accounts, cloud services, or messaging services.
What is the advantage of two-factor authentication?
The major advantage of two-factor authentication is that the theft or unauthorized copying of access credentials, for example via a phishing attack, hacker attack, or virus, is not by itself enough to log on to the system. To succeed, the attacker would also have to obtain the second factor. The most common threat scenarios for identity theft on the Internet can thus be ruled out.
Disadvantages of two-factor authentication
One of the most serious disadvantages of two-factor authentication is that the increase in authentication security comes at the expense of the usability and convenience of the login process. Users are often forced to carry the second factor with them at all times in the form of a token. If they forget or lose it, they initially cannot log on to the system at all. Stolen or lost tokens also have the disadvantage that costly workarounds are needed to restore temporary access for the user, and completely replacing a lost token incurs additional costs for procurement and setup.
What different 2FA methods exist?
The factors used for 2FA methods can be classified into three different types. These are:
- Knowledge: the user knows something that only they know, for example a PIN, password, user ID, or the answers to security questions
- Feature: the user possesses a unique feature such as a fingerprint or iris pattern
- Possession: the user is in possession of a special item such as a bank card, key, or token
Methods are often used that require the user to carry an item (token) in addition to a password. For example, a user's own cell phone with its unique phone number, or a registered app on it, can serve as such a token. When a user logs on to a system, they must first enter their user ID and password.
The system then sends an identifier to the previously stored mobile phone number or to the registered app on the smartphone. In a second step, the user in possession of the phone enters this identifier into the system. Only if both factors are correct does authentication succeed. Using the cell phone as a token has the advantage that no additional item needs to be carried, since many people always have their phone with them.
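The two-step login described above, worked through in code as an added example (this is not code from the original article or from any particular product). The first step checks the knowledge factor (a salted PBKDF2 password hash); the second step checks the possession factor with a time-based one-time code as generated by a registered authenticator app, following RFC 4226 (HOTP) and RFC 6238 (TOTP). The class name, the 5-minute pending-session lifetime, the one-step time window, and the user records are assumptions made for this example. The example also shows two checks a practitioner wants that the text only implies: a correct code is accepted only once (replay protection), and an expired or failed second step forces the user back to step one.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30          # seconds per code, as in RFC 6238
PENDING_LIFETIME = 300  # assumed: seconds the user has to finish step two


# --- Factor 1: knowledge (password) -----------------------------------------
def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# --- Factor 2: possession (one-time code from a registered app) --------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class TwoFactorLogin:
    """Assumed in-memory server model of the two-step login from the text."""

    def __init__(self):
        self.users = {}    # username -> {salt, digest, totp_secret, last_counter}
        self.pending = {}  # step-one session token -> (username, expiry time)

    def register(self, username: str, password: str) -> bytes:
        """Stores the hashed password and a fresh TOTP secret; returns the secret
        so it can be enrolled in the user's authenticator app."""
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest,
                                "totp_secret": secrets.token_bytes(20),
                                "last_counter": -1}
        return self.users[username]["totp_secret"]

    def step1(self, username: str, password: str, now: int) -> Optional[str]:
        """Knowledge factor. Returns a short-lived token for step two, or None."""
        rec = self.users.get(username)
        if rec is None or not check_password(password, rec["salt"], rec["digest"]):
            return None
        token = secrets.token_urlsafe(32)
        self.pending[token] = (username, now + PENDING_LIFETIME)
        return token

    def step2(self, token: str, code: str, now: int, window: int = 1) -> bool:
        """Possession factor. Accepts one code from the surrounding time steps,
        never accepts the same (or an older) counter twice, and consumes the
        token whether or not the code was right."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return False
        username, expiry = entry
        if now > expiry:
            return False
        rec = self.users[username]
        counter = now // TOTP_STEP
        for c in range(counter - window, counter + window + 1):
            if c <= rec["last_counter"]:
                continue  # already used or older than a used code: replay
            if hmac.compare_digest(hotp(rec["totp_secret"], c), code):
                rec["last_counter"] = c
                return True
        return False


if __name__ == "__main__":
    srv = TwoFactorLogin()
    secret = srv.register("alice", "correct horse", )
    t = 1_700_000_000  # constructed "current" Unix time
    token = srv.step1("alice", "correct horse", t)
    print("step two:", srv.step2(token, totp(secret, t), t))  # True
```

Because `step2` consumes the pending token on every outcome, a wrong or expired code sends the user back to the password step, which bounds how many guesses one password check buys; the `last_counter` field is what stops a code intercepted in transit from being reused within its validity window.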
Another frequently used method is authentication by fingerprint and password. Many modern smartphones now have capable fingerprint scanners built in, which let a user log in with their biometric feature plus an additional password. Authentication by fingerprint alone, however, is not a 2FA method; the second factor is still required.