Two- or multi-factor authentication is the safety belt of cybersecurity. Used correctly, it reduces cyber risk, but it does not protect against one’s own negligent behavior. We explain how two-factor authentication works, when it is worth using and where its limits lie.
How does two-factor authentication protect?
Two-factor authentication is a multi-step identity check for user accounts that combines two factors: for example, a password plus a second factor such as a biometric feature (a fingerprint or facial recognition) or a separately created PIN. When logging in, the second factor is delivered separately, either by SMS or through a security app on the smartphone, and must be entered in addition to the password. Adding such a factor greatly increases the security of a login beyond what the password alone provides. If more than two factors are combined, this is called multi-factor authentication.
Why do we use two-factor authentication in the first place?
Entering a password alone is no longer secure enough today. Passwords can easily fall into the wrong hands, for example when login data is compromised in a cyberattack. This is where the biggest advantage of two-factor authentication comes into play: including another factor in the authentication process creates an additional barrier that is worth its weight in gold in the event of a cyberattack. Cybercriminals would also have to be in possession of the second factor in order to penetrate a system. The more steps that have to be taken, the more difficult it is for criminal hackers to get hold of the login data. With two-factor authentication, many threat scenarios, especially those involving identity theft, can be ruled out.
What are the most common forms of two-factor authentication?
- SMS token: This variant is the most well-known type of two-factor authentication. When signing in to the respective online service, a random code is generated and sent to the user’s smartphone via SMS.
- E-mail: Authentication by e-mail is also frequently used: when signing in to an online service, the provider sends a multi-digit code by e-mail after the user name and password have been entered. Authentication by e-mail is particularly popular because no additional hardware or software is required.
- TAN / OTP: With the TAN (transaction number) or the OTP (one-time password), a unique numerical code or password is transmitted to the user as a second factor, either by hardware in the form of a TAN generator or by software in the form of an authenticator app. The codes are time- or event-based and are constantly regenerated. Of these, the hardware-based variants are currently considered the most secure.
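To make the time- and event-based codes concrete, here is an added example (not code from the original post or from Perseus) that implements the event-based HOTP of RFC 4226 and the time-based TOTP of RFC 6238 with Go’s standard library, plus the service-side check a verifier needs: a small tolerance for clock skew and a record of the last accepted time step so that a code that was intercepted or observed cannot be replayed. The secret `12345678901234567890` is the published RFC test secret and is used here only so the output can be checked against the RFC vectors; a real deployment generates a random per-user secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP computes the event-based code of RFC 4226: HMAC-SHA1 over the 8-byte
// big-endian counter, dynamically truncated to `digits` decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation offset
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP derives the time-based code of RFC 6238 by feeding the number of
// 30-second steps since the Unix epoch into HOTP as the counter.
func TOTP(secret []byte, unixTime int64, digits int) string {
	return HOTP(secret, uint64(unixTime/30), digits)
}

// Verifier is the service side. It accepts a code for the current time step or
// its immediate neighbours (clock skew of one step either way) and refuses any
// step at or below the last one it accepted, so an intercepted code is
// single-use and cannot be replayed.
type Verifier struct {
	secret   []byte
	digits   int
	lastStep int64 // highest time step accepted so far; -1 if none yet
}

func NewVerifier(secret []byte, digits int) *Verifier {
	return &Verifier{secret: secret, digits: digits, lastStep: -1}
}

// Verify checks a submitted code against the server's clock.
func (v *Verifier) Verify(code string, unixTime int64) bool {
	step := unixTime / 30
	for delta := int64(-1); delta <= 1; delta++ {
		s := step + delta
		if s <= v.lastStep {
			continue // this step (or an older one) was already consumed
		}
		// Constant-time comparison: the expected code is secret-derived.
		if hmac.Equal([]byte(HOTP(v.secret, uint64(s), v.digits)), []byte(code)) {
			v.lastStep = s
			return true
		}
	}
	return false
}

func main() {
	// RFC test secret, used only so the codes can be checked against the RFCs.
	secret := []byte("12345678901234567890")
	fmt.Println("HOTP counter 0:", HOTP(secret, 0, 6))
	fmt.Println("TOTP for now:  ", TOTP(secret, time.Now().Unix(), 6))
}
```

The replay check is the part most often missing from home-grown verifiers: without it, a code remains valid for the whole 30-second step (plus the skew window), which is exactly the window the phishing scenario described later on this page exploits.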
- Smart cards: Smart cards are used in highly secure Windows environments and can be used for logging in to the Windows account or a company VPN, and even for e-mail signatures or hard disk encryption. The smart card is the size of a credit card and is equipped with a chip that stores an encrypted digital certificate, which can only be unlocked with a PIN. Here, too, the physical factor is considered a special gain in terms of password security.
- Biometric authentication: In this variant, biometric features such as the fingerprint or the face are included in the authentication process. This is easy, fast and considered very secure because the data is unique to the person. It is more difficult for online threat actors to replicate a person’s fingerprint or facial scan.
- Cryptographic token: The cryptographic token stores a private cryptographic key. Authentication in this case is done by sending a request (a challenge) to the token, which answers it using the key without ever revealing the key itself.
Where two-factor authentication is particularly worthwhile
Since March 15, 2021, the use of two-factor authentication has been mandatory for online payment transactions via online banking, credit card or PayPal. Google introduced it for all accounts of its services at the end of 2021, and other companies are expected to follow suit. With password security in mind, Perseus advises using two- or multi-factor authentication wherever possible, for example:
- For signing in to social media, cloud or other user accounts: use an authenticator app that generates one-time passwords (for example from Google, Microsoft or Apple), or have the TAN sent by SMS.
- For the online function of the ID card: The new ID card is equipped with a chip and can therefore also be used online for visits to authorities, for legitimation checks at financial service providers or for business matters. In addition to authentication via a PIN, an additional end-to-end encrypted authentication takes place with the respective service provider.
- For tax matters: The online tax office ELSTER makes it possible to handle financial matters completely paperlessly. Registration is only possible with a password-protected software certificate or the online ID function.
Limitations of two-factor authentication
In everyday work, when things often have to be done quickly and there is no time for much else, two-factor authentication can be perceived as an extra hurdle. Yet it can avert enormous damage. Companies should be aware of the advantages, find out about the different options for two-factor authentication and decide on the right one. Its use, in what form and to what extent, should be specified by a company guideline, and all employees should be informed and trained accordingly. In the end, it is the important data of your company that is at stake.
Even though two-factor authentication is recommended for increasing security in many applications, it cannot prevent every incident:
- The most popular variant is also the most vulnerable: The SMS token can be tapped via so-called SIM swap attacks, in which cybercriminals succeed in outsmarting the mobile phone provider and having the victim’s phone number ported to their own SIM card.
- If the e-mail account is taken over by threat actors, a 2-factor code can be read without much effort. Strictly speaking, this variant is not a genuine two-factor authentication either, as many users read their e-mails on both smartphones and computers, so the code arrives on the same kind of device the login is made from. If a device is infected with malware, the attackers can read every e-mail and pick up the codes accordingly.
- Phishing is the biggest problem with the TAN or one-time password. It is possible to build a deceptively genuine phishing website that passes the login credentials, i.e. the password and the code generated by an authenticator app, straight on to the real service. The cybercriminals log in there at the same moment and can impersonate the compromised person without the service noticing the difference. Another disadvantage of authenticator apps is that it may not be easy to recover the codes you need if you lose your phone.
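The cryptographic token described earlier (“sending a request to the token”) and the phishing problem just described are two sides of the same design question, so here is one added example covering both. It is not code from the original post or from Perseus: a token holding an Ed25519 private key answers a fresh random challenge from the service, and the service checks the answer against the public key registered for the user. The design choice that matters for the phishing case is that the token signs the challenge together with the identity of the service the client is talking to, so a response produced while the client talks to a lookalike site does not verify at the real one; this binding is the example’s own assumption, modelled on how phishing-resistant hardware tokens work, and it relies on the client (e.g. a browser) reporting the service identity honestly rather than on the user reading it. The names `bank.example`, `bank-login.example` and `alice` are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Token models the cryptographic token: it holds the private key and never
// hands it out; it only answers requests (challenges) by signing them.
type Token struct{ priv ed25519.PrivateKey }

// NewToken generates a key pair inside the token and returns the public key
// that the user registers with the service.
func NewToken() (*Token, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{priv: priv}, pub, nil
}

// signedMessage binds the challenge to the identity of the service the client
// is talking to (a design assumption of this example, not of the page).
func signedMessage(serviceID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(serviceID))
	h.Write([]byte{0}) // separator so id and challenge cannot run together
	h.Write(challenge)
	return h.Sum(nil)
}

// Respond answers a challenge; serviceID is what the client reports it is
// connected to, so a client on a lookalike site produces a different message.
func (t *Token) Respond(serviceID string, challenge []byte) []byte {
	return ed25519.Sign(t.priv, signedMessage(serviceID, challenge))
}

// Service is the relying party. It issues random single-use challenges and
// verifies responses against the registered public key and its own identity.
type Service struct {
	id      string
	pubKeys map[string]ed25519.PublicKey // user -> registered public key
	pending map[string][]byte            // user -> outstanding challenge
}

func NewService(id string) *Service {
	return &Service{id: id, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register stores the public key a user enrolled during setup.
func (s *Service) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge issues a fresh 32-byte random challenge for the user.
func (s *Service) Challenge(user string) ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	s.pending[user] = ch
	return ch, nil
}

// Verify accepts a response only for the outstanding challenge, only once, and
// only if it was signed over this service's own identity.
func (s *Service) Verify(user string, challenge, response []byte) bool {
	pub, okKey := s.pubKeys[user]
	want, okCh := s.pending[user]
	if !okKey || !okCh || !bytes.Equal(want, challenge) {
		return false
	}
	delete(s.pending, user) // single use: a replayed response fails
	return ed25519.Verify(pub, signedMessage(s.id, challenge), response)
}

func main() {
	tok, pub, err := NewToken()
	if err != nil {
		panic(err)
	}
	svc := NewService("bank.example")
	svc.Register("alice", pub)
	ch, _ := svc.Challenge("alice")
	fmt.Println("genuine site:   ", svc.Verify("alice", ch, tok.Respond("bank.example", ch)))
	ch, _ = svc.Challenge("alice")
	fmt.Println("lookalike site: ", svc.Verify("alice", ch, tok.Respond("bank-login.example", ch)))
}
```

Compared with a typed one-time code, nothing the user can see or copy is of use on another site: the challenge is random and single-use, and the signature is only valid for the service identity it was made for.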
There is no such thing as 100% protection, but there are ways to minimise the risk. Above all, responsible behavior and compliance with security regulations by each and every individual are the basic prerequisites for avoiding cyber incidents:
- Updates: Often, outdated software, unlicensed programs from free download sites, or carelessly clicked links and visited websites are the cause of a cyber incident. Such online behavior is the cyber equivalent of driving a car along a cliff at 200 km/h: neither a seatbelt nor two-factor authentication will help in the end. Installing new updates, especially security updates for operating systems, and using secure passwords is already a first step in preventing cyber incidents.
- Password hygiene: The less likely it is that your password can be guessed or calculated, the more secure it is. And the more secure your password is, the more secure the data, e-mails, computers, corporate networks, etc. it protects. Password security is influenced by several factors, among them the uniqueness, length, complexity, abstraction and secrecy of the respective password.
- Backups: Hard drives, computers, servers and entire systems can be rendered unusable by technical defects or by cyberattacks, such as the installation of malware. Backups are copies of your data that can be used to restore lost or destroyed content and even entire systems. You can find out more about this in our blog post “No backup – no pity”.
- Vigilance: Sharpen your critical eye for e-mails from unknown senders: do not click links or open attachments in them. Clicking the link in a phishing e-mail is one of the most common entry points for cybercriminals.
- Raising awareness among employees: Sensitize your employees to the dangers of the Internet. Cyberattacks are one of the biggest business risks of all. Appropriate training in the form of e-learning and phishing simulations imparts basic knowledge and increases awareness in the long term.
Only when such basic security rules are followed can two-factor authentication take effect and, if used correctly, protect accounts and data from unauthorized access. Two-factor authentication is an important security tool that provides effective protection against unauthorized access to one’s own data and should be part of a comprehensive cybersecurity strategy. Those who use it are on the safe side – without ifs and buts.