Two-factor authentication protects – but does it really?!


Two- or multi-factor authentication is one of the basic safety measures of cybersecurity. Used correctly, it reduces cyber risks considerably, but it does not protect against your own negligent behavior. We explain how two-factor authentication works, when it is worth using, and what its limitations are.

How does two-factor authentication protect?

Two-factor authentication is a layered verification of a user's identity that combines two factors from different categories: something the user knows (a password or PIN), something the user has (a phone, a hardware token, a smartcard) and something the user is (a biometric feature such as a fingerprint or the face). A typical setup is a password plus a one-time code that is delivered separately, either by SMS or in an authenticator app on the smartphone, and that must be entered in addition to the password. Two passwords do not count: the second factor has to be independent of the first, so that a stolen password alone is no longer enough to sign in. If more than two factors are combined, this is called multi-factor authentication.

Why do we use two-factor authentication at all?

These days, simply entering a password is not secure enough. Passwords easily fall into the wrong hands, for example through data breaches, phishing or malware that harvests login credentials. This is where the biggest advantage of two-factor authentication kicks in: adding another factor to the login creates an additional barrier that really pays off in the event of an attack, because the attacker would also need to be in possession of the second factor to get into the account. The more independent steps a login requires, the harder it becomes for criminals to turn stolen credentials into access. With two-factor authentication, many threat scenarios, especially those built on stolen passwords and identity theft, can be prevented.

What are the most common forms of two-factor authentication?

  • SMS token: This variant is the best-known type of two-factor authentication. A random code is generated when logging in to the respective online service and sent to the user's smartphone via SMS.
  • Email: Authentication via e-mail is also common: after the user name and password have been entered, the provider sends a multi-digit code by e-mail, which the user enters to complete the login. Authentication by e-mail is popular because it requires no additional hardware or software.
  • TAN / OTP: With a TAN (transaction number) or OTP (one-time password), a one-time numerical code or password is transmitted to the user as a second factor, either by hardware in the form of a TAN generator or by software in an authenticator app. The codes are time-based (typically a new one every 30 seconds) or event-based (a new one for each use), so a code that has been used or has expired is worthless to an attacker. Hardware-based variants are currently considered the most secure, because the shared secret never leaves a dedicated device.
  • Smartcards: Smartcards are used in high-security Windows environments and can be used for logging into the Windows account, a corporate VPN, e-mail signatures or hard disk encryption. The smartcard is the size of a credit card and carries a chip that stores a digital certificate and the matching private key; the key cannot be exported and can only be used after the PIN has been entered. Here, too, the physical possession factor is the gain over a password alone.
  • Biometric authentication: In this variant, biometric features such as the fingerprint or the face are included in the authentication process. This is simple, fast and considered very secure, since the features are unique to a person and hard for an attacker to replicate. Two points to keep in mind: a biometric feature cannot be changed once it has leaked, and on smartphones and laptops the biometric typically unlocks a key stored on the device rather than being sent to the service.
  • Cryptographic token: A cryptographic token stores a private cryptographic key. To authenticate, the service sends a challenge to the token, the token signs it with the private key, and the service verifies the signature with the matching public key. The private key never leaves the token, so there is no reusable code to intercept.
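The TAN / OTP item above describes time-based and event-based one-time codes without showing how they are derived. The following Go program is an added example, not code from the original post or from Perseus: it implements the event-based HOTP algorithm (RFC 4226) and the time-based TOTP algorithm (RFC 6238) that authenticator apps use, checks them against the test vectors published in those RFCs (the secret `12345678901234567890` is the RFCs' test secret), and adds the server-side checks a practitioner would want: a small tolerance for clock drift and a refusal to accept the same time step twice, so that a code an attacker captured cannot be replayed. The 30-second step, six digits and one step of drift are the usual defaults and are assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation of the MAC, then reduction to the requested number of
// decimal digits (zero-padded).
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := (uint32(h[offset])&0x7f)<<24 |
		uint32(h[offset+1])<<16 |
		uint32(h[offset+2])<<8 |
		uint32(h[offset+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp implements RFC 6238: the HOTP counter is the number of whole time
// steps elapsed since the Unix epoch, so the code changes every step.
func totp(secret []byte, t time.Time, step time.Duration, digits int) string {
	return hotp(secret, uint64(t.Unix()/int64(step/time.Second)), digits)
}

// verifier is the server side for one enrolled secret. Besides matching the
// code it tolerates a little clock drift and refuses to accept a time step
// twice, so a captured code cannot be replayed.
type verifier struct {
	secret   []byte
	step     time.Duration
	digits   int
	skew     int64 // time steps of drift tolerated in each direction
	lastUsed int64 // highest time step already consumed, -1 if none
}

// newVerifier uses the common defaults (assumed here): 30 s steps, 6 digits, 1 step of drift.
func newVerifier(secret []byte) *verifier {
	return &verifier{secret: secret, step: 30 * time.Second, digits: 6, skew: 1, lastUsed: -1}
}

// verify accepts code if it matches a step within the drift window that is
// newer than any step already consumed. The comparison is constant-time.
func (v *verifier) verify(code string, now time.Time) bool {
	base := now.Unix() / int64(v.step/time.Second)
	for d := -v.skew; d <= v.skew; d++ {
		c := base + d
		if c < 0 || c <= v.lastUsed {
			continue // before the epoch, already used, or older than a used code
		}
		expected := hotp(v.secret, uint64(c), v.digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.lastUsed = c
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 / RFC 6238 test secret
	fmt.Println("HOTP counter 0:", hotp(secret, 0, 6))                                  // 755224
	fmt.Println("TOTP at t=59:  ", totp(secret, time.Unix(59, 0), 30*time.Second, 8)) // 94287082

	v := newVerifier(secret)
	now := time.Unix(59, 0)
	code := totp(secret, now, 30*time.Second, 6)
	fmt.Println("first use accepted:", v.verify(code, now)) // true
	fmt.Println("replay accepted:   ", v.verify(code, now)) // false
}
```

The replay check matters because a phished or shoulder-surfed code is otherwise valid for the rest of its time step; rejecting any step at or before the last accepted one closes that window on the server side without needing to store every code seen.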

Where two-factor authentication is particularly worthwhile

Two-factor authentication has been mandatory for online payments via online banking, credit cards or PayPal since March 15, 2021 (strong customer authentication under the EU payment services directive PSD2). Google enabled it by default for its accounts at the end of 2021, and other companies are expected to follow. With password security in mind, Perseus advises using two- or multi-factor authentication wherever possible, for example:

  • When signing in to social media, cloud or user accounts: Use an authenticator app, for example from Google, Microsoft or Apple, to generate one-time passwords, or have a TAN sent via SMS.
  • With the online function of the ID card: The new ID card carries a chip and can therefore also be used online for administrative procedures, for identification with financial service providers or for business matters. In addition to the PIN, an end-to-end encrypted authentication with the respective service provider takes place.
  • For tax matters: The online tax office ELSTER makes it possible to handle financial matters completely paperless. Login is only possible with a password-protected software certificate or the online ID function.

Limitations of two-factor authentication

In everyday work, when things are often hectic and there is no time, two-factor authentication can be perceived as an additional burden. Yet, it can avert enormous damage. Companies should be aware of the advantages, inform themselves about the different options for two-factor authentication and decide on the most suitable solutions for themselves. The use of two-factor authentication should be defined in a company policy – both in what form and to what extent. Furthermore, all employees should be informed and trained accordingly. In the end, important data of your company is at stake.

Even though two-factor authentication is recommended for increasing security in many applications, it cannot prevent every incident:

  • The most popular variant is also the most vulnerable: SMS codes can be intercepted by so-called SIM swap attacks, in which criminals trick the mobile provider into porting the victim's phone number to a SIM card under their control, so that the codes arrive on the attacker's phone.
  • If the e-mail account is taken over by an attacker, the two-factor code can be read without much effort. This variant is also often not really a second factor: many users read their e-mail on the same smartphone or computer they log in from, and the mailbox is frequently protected by nothing more than another password. If a device is infected with malware, attackers can read every e-mail and pick up the codes accordingly.
  • For the TAN or one-time password, phishing is the biggest problem. A deceptively genuine phishing website can forward the password and the code from the authenticator app to the real service in real time; since the code stays valid for around 30 seconds, the criminals log themselves in with it and can act as the compromised person without the service noticing the difference. Another disadvantage of authenticator apps is that the codes are hard to obtain if the phone is lost, so the backup codes offered at enrollment should be stored safely.
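The real-time phishing relay described in the last item works against one-time codes because the code carries no information about where it was typed. The following Go program is an added example, not code from the original post or from Perseus: it models the challenge-response login of the cryptographic token from the list of 2FA forms above and runs that relay against it. The token signs the server's challenge together with the origin the browser is actually connected to; this origin binding is how FIDO2/WebAuthn achieves phishing resistance and is assumed here, since the text does not name a specific token protocol. The origins bank.example and bank-login.example, the message layout and the use of Ed25519 are choices of the example, and the service also consumes each challenge on first use so that a captured response cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// token models a cryptographic token. The private key is generated inside
// it and never leaves; the token only ever returns signatures.
type token struct {
	priv ed25519.PrivateKey
}

func newToken() (*token, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &token{priv: priv}, pub
}

// challengeBytes is what gets signed: the nonce bound to the origin the
// client is talking to (length-prefixed so the two parts cannot be confused).
// The layout is an assumption of this example.
func challengeBytes(origin string, nonce []byte) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(origin)))
	msg := append(n[:], origin...)
	return append(msg, nonce...)
}

// respond is the token's side of the exchange. origin is the site the
// browser is actually connected to, supplied by the client, not the server.
func (t *token) respond(origin string, nonce []byte) []byte {
	return ed25519.Sign(t.priv, challengeBytes(origin, nonce))
}

// service is the real site. It remembers the nonces it issued and consumes
// each one on first use, so a response cannot be replayed.
type service struct {
	origin string
	pub    ed25519.PublicKey
	issued map[string]bool
}

func newService(origin string, pub ed25519.PublicKey) *service {
	return &service{origin: origin, pub: pub, issued: map[string]bool{}}
}

// challenge issues a fresh 32-byte random nonce and records it as outstanding.
func (s *service) challenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.issued[string(nonce)] = true
	return nonce
}

// verify checks that the nonce is one we issued and still unused, and that
// the signature covers our own origin. A token that signed the nonce for a
// look-alike origin produces a signature that fails here.
func (s *service) verify(nonce, sig []byte) bool {
	if !s.issued[string(nonce)] {
		return false
	}
	delete(s.issued, string(nonce))
	return ed25519.Verify(s.pub, challengeBytes(s.origin, nonce), sig)
}

// simulate runs three logins against one enrolled token and reports which
// the service accepted: a direct login, a real-time phishing relay, and a
// replay of an earlier response.
func simulate() (direct, relayed, replay bool) {
	tok, pub := newToken()
	svc := newService("https://bank.example", pub) // example origin

	// 1. Direct login: the browser really is connected to the service.
	nonce := svc.challenge()
	direct = svc.verify(nonce, tok.respond(svc.origin, nonce))

	// 2. Relay: the attacker fetches a fresh nonce from the real service and
	//    forwards it to the victim, whose browser is on the look-alike site.
	//    The token signs the origin it sees, so the relayed response is useless.
	nonce = svc.challenge()
	relayed = svc.verify(nonce, tok.respond("https://bank-login.example", nonce))

	// 3. Replay: a captured, already-accepted response is submitted again.
	nonce = svc.challenge()
	sig := tok.respond(svc.origin, nonce)
	svc.verify(nonce, sig)
	replay = svc.verify(nonce, sig)
	return direct, relayed, replay
}

func main() {
	direct, relayed, replay := simulate()
	fmt.Println("direct login accepted:  ", direct)  // true
	fmt.Println("phishing relay accepted:", relayed) // false
	fmt.Println("replay accepted:        ", replay)  // false
}
```

The decisive detail is that the origin is put into the signed message by the client side, from what the browser actually connected to, not taken from the attacker's page; the attacker can forward the challenge but cannot make the token sign the real site's name.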

There is no 100% protection, but there are ways to minimize the risk. Above all, responsible behavior and compliance with security policies by each and every individual are the basic requirements for avoiding cyber incidents:

  • Updates: Outdated software, unlicensed programs from free download sites, and carelessly clicked links or visited websites are often the cause of a cyber incident. Such online behavior is the cyber equivalent of driving a car toward a cliff at 200 km/h: a fastened seat belt, or two-factor authentication, will not help in the end. Installing updates promptly, especially security updates for operating systems, and using secure passwords are already a first step toward avoiding cyber incidents.
  • Password hygiene: The less likely it is that your password can be guessed or computed, the more secure it is, and the more secure the data, e-mail, computers and corporate networks it protects. Password security depends on several factors, among them the uniqueness, length, complexity, unpredictability and secrecy of the password.
  • Backups: Hard disks, computers, servers and entire systems can be rendered unusable by technical defects or by cyber attacks such as the installation of malware. Backups are copies of your data from which lost or destroyed content, and even entire systems, can be restored. You can learn more about this in our blog post “No backup – no pity”.
  • Vigilance: Look critically at e-mails from unknown senders and do not click links or open attachments in them. Clicking the link in a phishing e-mail is one of the most common entry points for cybercriminals.
  • Raise awareness for employees: Make your employees aware of cyber threats. Cyberattacks are among the biggest business risks of all. Appropriate training in the form of e-learning and phishing simulations imparts basic knowledge and raises awareness in the long term.

Only when such basic security rules are followed can two-factor authentication be effective and, when used correctly, protect accounts and data from unauthorized access. It is an important security tool that should be part of a comprehensive cybersecurity strategy, and those who use it, preferably in a variant that cannot be phished or intercepted, are considerably safer than those who rely on a password alone.