Two-Factor Authentication: More Security on the Web

In today’s world of increasingly sophisticated cyber attacks, the traditional single-factor login process (usually a password) is no longer sufficient to reliably protect company data and access. Passwords alone often do not provide adequate protection against sophisticated attacks such as phishing or brute force attacks. This is where two-factor authentication (2FA) comes into play. Over the past few years, it has proven to be much more secure than traditional methods and is also being used more and more frequently. It provides an additional layer of security by adding a second authentication factor. This makes it much more difficult for attackers to gain unauthorized access to personal data and accounts. Two independent types of verification are always combined. An attacker who already knows the password cannot access the system or online account without the second verification. Thus, two-factor authentication offers companies a simple and cost-effective protection mechanism that significantly reduces the risk of data loss and unauthorized access.

This glossary entry explains how 2FA works, common methods, and the importance of 2FA for online security.

How Does Two-Factor Authentication (2FA) Work?

Two-factor authentication is based on the combination of two different factors.

The different factors

1. Knowledge (Something you know): This is usually a password or PIN.
2. Possession (Something you have): This is something that the user physically possesses, such as a smartphone, hardware token, or smart card.
3. Being (Something you are): This factor is based on biometric characteristics such as fingerprints, facial recognition, or iris scans.

Combination of the two factors

In practice, the first factor is almost always knowledge (something the user knows), such as a password or PIN.

The second factor can be something the user has (possession factor), such as a smartphone or a security token (USB stick). Or something the user is (inherence factor), for example a biometric feature such as a fingerprint or facial recognition.

Example of a possible registration process:

1. Enter password: The user enters their e-mail address or username and password as usual.
2. Request second factor: The website or app requests a second factor.
3. Additional verification: Another factor will be requested. More on this below.
   For example
   • A one-time code (OTP) generated by an app (e.g., Google Authenticator) or sent via text message.
   • A fingerprint or face recognition scan.
   • A push notification on the mobile device that the user must confirm.
   • A physical security key (e.g., YubiKey) that the user plugs in or uses via NFC.
4. Access granted: Access to the system or account is only granted if the user has entered both factors correctly.

This procedure makes unauthorized access considerably more difficult, even if the password has been compromised, as the attacker needs the second factor, such as a smartphone or hardware key.

What are common two-factor authentication methods?

There are various factors or methods that are commonly used as the second factor in two-factor authentication. Some of the most common methods are:

• SMS codes: A unique security code is sent via SMS to the user’s registered mobile phone.
• Authenticator apps: Special apps generate time-based one-time passwords (TOTP) that the user must enter when logging in. Examples include Google Authenticator, Authy, and Microsoft Authenticator.
• E-mail codes: Similar to SMS, a code is sent to the user’s registered e-mail address.
• Hardware tokens: Small physical devices that generate a constantly changing security code at the push of a button.
• Biometric methods: Authentication is performed using the user’s fingerprint, facial recognition, or iris scan.
• Push notifications: A notification is sent to a trusted device belonging to the user, which must be confirmed in order to complete the login.

The availability of the various methods depends on the respective service or platform. They also differ in the level of security they provide.

Difference Between Two-Factor and Multi-Factor Authentication

Although both terms are sometimes used interchangeably, there is a clear distinction between them.

• Two-factor authentication always uses exactly two different categories of factors to verify a user’s identity.
• Multi-factor authentication (MFA for short) can include two or more factors. For example, password + one-time password, or password + hardware token + biometrics. In other words, any number of factors greater than one.

For many companies, 2FA is now considered the minimum standard for secure online use or is even required by law. Security-critical industries (e.g., finance, government, healthcare) are already going beyond two factors to meet higher protection requirements.

Classic Use Cases for Two-Factor Authentication?

Two-factor authentication is useful in many areas and is increasingly becoming the standard. Some classic use cases include:

• Online banking: Provides an additional layer of security for sensitive financial transactions (mandatory!)
• E-mail accounts: Protects against unauthorized access to personal or business e-mails.
• Social media: Prevents user profiles from being taken over and data from being misused.
• Cloud storage services: Protects important user files and documents from unauthorized access.
• Company networks and VPNs: Secures access to internal resources and sensitive company data.
• Online shops and payment service providers: Increases security for online purchases and payment transactions.

Advantages of Two-Factor Authentication

Below are some of the advantages of using two-factor authentication.

1. Significantly higher security: Even a stolen or guessed password is not sufficient to gain access. The second factor creates an additional barrier that deters potential attackers.
2. Protection against phishing and password attacks: Phishing e-mails aim to obtain passwords. With 2FA, accounts are protected even if the password falls into the hands of criminals. 2FA also prevents attacks that automatically test large lists of passwords, such as brute force attacks, password spraying, or credential stuffing.
3. Easy implementation: Many software solutions and services already offer integrated 2FA options that users can often activate and set up with just a few clicks in the administration interface.
4. Cost efficiency: App-based solutions such as Google Authenticator, Microsoft Authenticator, or password managers can be used without additional hardware. Only high-quality hardware tokens (USB sticks) incur additional acquisition costs.
5. Increased trust: Customers and business partners view security measures positively, and by providing the 2FA method, companies communicate that security is their top priority.

Disadvantages and Challenges

In addition to the advantages mentioned above, there are also certain challenges associated with the introduction and use of 2FA.

1. User acceptance: This additional factor may seem annoying to users, especially if they switch between different accounts frequently. Clear communication about the benefits of 2FA can help.
2. Availability of the second factor: If a smartphone or hardware token is lost or the device is changed, access may be temporarily blocked or at least made more difficult. Companies should therefore provide emergency processes and backup codes.
3. Sufficient technical knowledge: Often, an authentication procedure (with one factor) was introduced in the past and the employee responsible has left the company or the implementation was not sufficiently documented. Since security can only be guaranteed by continuously updating security-relevant access technology, this should not be used as an excuse. In case of doubt, an external service provider such as Engity should be commissioned in good time to ensure adequate protection by means of two-factor authentication.
4. Technical integration: Not all older systems support 2FA as standard. In such cases, additional solutions are required, such as VPN with its own 2FA gateway or third-party services.
5. Training requirements: It may be necessary to train employees in the use of the second factor, as correct use and awareness of security processes are crucial to success.

How Could the Introduction of 2FA Look Like in SMEs?

If the introduction of two-factor authentication is planned, a possible roadmap could look as follows.

1. Prioritize critical access: Services that are particularly sensitive, such as e-mail accounts, administrator accounts, VPN access, and cloud services, should be prioritized.
2. Provide backup options: In case the second factor is lost, appropriate procedures should be established in advance. These can include emergency codes, pre-registered replacement devices, or a defined support process.
3. Communication and training: The benefits of 2FA should be explained in workshops or short videos. It should be made clear how easy it is to integrate such a query into the workflow and what risks exist without it.
4. Regular checks and updates: Regular checks should be made to see which accounts have 2FA enabled. If employees have disabled the second factor, appropriate inquiries should be made. Authenticator apps and access policies should also be kept up to date.

Summary

Two-factor authentication is an effective way for organizations to prevent unauthorized access to digital resources. It is easy to implement, offers a high level of security, and requires relatively little additional effort. With a structured rollout that includes clear communication processes and emergency plans, organizations can protect themselves against common cyber threats in the long term. The introduction of a two-factor authentication should ideally start where sensitive data is stored or administrative rights are assigned.