Packed with private messages, photos as well as notes – smartphones are our constant companions. Whether we’re in the office, shopping, playing sports or relaxing at home, these devices combine vast quantities of personal data that create detailed user profiles. This is why secure passwords are essential when it comes to protecting one’s privacy against data theft. This is all the more relevant in relation to sensitive data in a professional or commercial context. Since this data is usually classified as strictly confidential and a good password alone is no longer sufficient, the focus is shifting to two-factor authentication or 2FA. This process combines two factors for authentication and takes security to the next level with minimal extra effort. In conjunction with European Data Privacy Day on 28 January, we now take a look at what’s behind 2FA. What does the name mean? When it is useful? And just how secure is it? We shed light on the topic and provide an overview of this method of identity verification. As a general principle, using two-factor authentication is always more secure than depending on a single password.
Most login pages rely on a single factor to authenticate their users: the password. In these cases, the user is authorised as soon as the username and password are entered correctly. No further identity check is performed, which is precisely what creates a high degree of risk. At the end of the day, IT specialists have warned in vain for years against an excessively lax approach to passwords that has led to simple numerical combinations such as 123456. Hackers can easily guess these passwords or crack them automatically using brute-force attacks. The consequence? Devices and systems are compromised. To stop this from happening, two-factor authentication can be used.
More than just a password: two-factor authentication
Two-factor authentication, or 2FA, describes a method of identity checking that queries at least two factors in order to authenticate a user. In so doing, it goes beyond the traditional password query by incorporating an additional factor into the authentication process.
Unique identity verification is possible
In practice, the 2FA process functions as follows: Once a secure password has been entered, the system confirms that the password is correct. Rather than immediately directing the user to the requested content as is frequently done, the system presents an additional security barrier in the form of the second factor. This is where the 2FA process turns to an external system. Only if users also enter the second factor correctly, thereby confirming their identity, will they gain access to the online service and the requested content. This reduces the risk of data theft. The second factor also prevents unauthorized third parties in possession of someone else’s password from gaining access to that person’s user profile.
The three pillars of the security barrier
There are three key pillars of the security barrier, ideally combining two categories to maximise security.
- Knowledge: the user has knowledge known only to them. This can include PINs, the answers to security questions, and the user ID. A transaction number (TAN) or a one-time password (OTP) are other possibilities that fall within the definition of the knowledge factor. These are known as one-time passwords. While they were previously made available to the user on printed lists, users today rely on TAN generators and authenticator apps. These programs generate a never-ending stream of new time-based or event-based codes. TAN generators, which also incorporate account numbers and amounts to generate the TAN, provide even greater security.
- Possession: the user possesses a corresponding object, such as an access card, a key or a token. The latter option is used to store a private cryptographic key. During the authentication process, the system sends the token a request that can only be answered correctly by the token using the private key. This key can be stored as a software certificate, although it makes more sense to store it on a chip card in the hardware or a special USB stick/NFC token.
- Features: users identify themselves using their unique biometric features. These include the fingerprint, the face and the iris. Once these factors have been scanned and saved, users can be identified by a sign of life. This makes it impossible to trick the system, for example, by using the user's photo. Users must be physically present and must identify themselves using their biometric features when requested.
All-round protection for personal data
Although two-way authentication cannot guarantee absolute security, it does not suffer from any known vulnerabilities. The additional security barrier provides obvious advantages: cybercriminals who manage to steal a password cannot use it to log into bank accounts and other online services without the second key. Therefore, 2FA provides a reliable barrier that effectively supplements traditional login processes and helps protect personal data. This is a major plus, especially for highly sensitive and personal data. For instance, two-factor authentication can boost the security of personal or health data bound by privacy regulations or non-disclosure agreements. However, the principle of using secure and randomly chosen passwords also applies here. Only then is the risk of account hijacking and unauthorised data access minimised.