Due to increasing networking, whether in the private sphere or in the business environment, the demands on security are also growing. The requirements to open up business facilities to the outside world bring new risks and with the increase in digital processes, individuals often reveal more about themselves than they actually want to. Measures and software that is as secure as possible are needed to prevent unauthorised access. One proven option here is two-factor authentication to protect against unauthorised access.
What is Two-Factor Authentication?
Two-factor authentication, abbreviated 2FA, is a security measure in IT that uses two independent components to secure access to networks or application areas. 2FA allows identity proofing to be made considerably more secure. Today, the BSI (Federal Office for Information Security) recommends the fundamental use of two-factor authentication for the use of IT services in its IT-Grundschutz catalogues.
How two-factor authentication works
With two-factor authentication, also called two-step verification, the user needs two different keys. The first is usually a password. This is set by the user as usual. The second key is ideally not a password. In practice, there are various possibilities, one of the best known is certainly the mTAN procedure that most people know from online banking. When logging on to a site or approving a transaction, a code is sent by SMS (sometimes also in an app). It can only be used once and is only valid for a short time window. The second key can also be a biometric feature, which works, for example, with facial recognition or the use of the fingerprint on one's own smartphone. However, it is better not to use these methods for highly sensitive data such as online deposits, as it cannot be ruled out that one's own fingerprints will end up in someone else's hands.
There is also the option of using hardware keys. Users receive a physical key in the form of a smart card, a USB dongle or a radio transmitter. If required, these are used with a corresponding reader or the NFC reader of the smartphone. However, this option makes little sense for private use (high acquisition costs) and is more likely to be used by larger companies and in public authorities. A somewhat more secure and less costly option is the use of security tokens, i.e. special devices that generate one-time passwords. They have some advantages over the usual smartphones. Among other things, the user does not install any foreign apps on security tokens that are given permission to read SMS messages. The token method is therefore very widespread, especially in the professional environment. For more information, see the article "Back to basics: Multi-factor authentication (MFA)" from NIST.
Why the Method makes Sense
Even if it is never possible to achieve one hundred percent security for (company) own data and accounts, two-factor authentication still makes sense. The method adds another level to the identification process that unauthorised persons must first overcome. This leads to more effort, which is often not in proportion to the (potential) gain. Phishing attacks in particular fail due to the security precautions, because this principle depends on using forged mails to determine passwords and PINs. Even if the addressees fall for it and pass on the data, nothing can be done with it because the second key (such as the fingerprint or the mTAN) is not available. The most common threat scenarios for identity theft on the internet can be prevented by 2FA. However, one must always weigh up where the procedure is really necessary. For access to Spotify, for example, a two-step verification would be excessive, but for online banking it's a different story. Here, the measure is a quickly implemented additional protection against potentially major damage. But one's own email account (if possible) or the accounts at Google and the iCloud with personal information should also be given such protection. A list of advantages and disadvantages was created by Kaspersky.
Two-factor authentication is not only sensible, but absolutely important and will continue to establish itself as a common security measure in IT over the next few years. Of course, in the case of targeted attacks, the measure alone will not be enough to keep attackers away from applications and information. However, this statement applies to most security measures. All security procedures can have vulnerabilities and therefore several measures at different levels are always useful.