Two-Factor Authentication and the Battle Against 123456

A wide variety of two-factor authentication methods are available. Which of these are both secure and user-friendly?

Aug 3, 2021 - 3 min.

People tend to opt for simple solutions – even if these are not always the best ones. For example, sequences of numbers such as "123456" or a person's date of birth are still some of the most popular passwords used for online accounts. However, even more, complex passwords can often be cracked in less than six hours. They provide cybercriminals with an easy way of taking over user accounts (in an "account takeover" or ATO process) or penetrating corporate networks. With the aid of tools such as Medusa, Metasploit and Hydra, thousands of different password variants can be automatically tested at a breath-taking rate until the correct login data is identified. In view of the fact that many users tend to go for the easy option of assigning the same passwords to multiple accounts, the door is often left open for scammers to gain simultaneous access to multiple networks.

Passwords alone don't offer protection against hackers

Once a hacker has succeeded in penetrating a corporate network, they can use programs such as Mimikatz to obtain Windows passwords or use keylogger tools that record keystrokes for the purpose of accessing any additional login details.

The consequences can be equally devastating for companies and users, ranging from financial losses and the theft of sensitive data to long-term damage to corporate reputations.

Businesses have therefore realised that a username or email address and a password are no longer an effective means of protecting users' accounts and data from devious online criminals. Instead, additional steps need to be taken when retrieving information that’s meant to be inaccessible to unauthorised individuals.

Two-factor authentication for protection beyond the password

Many providers in the e-commerce sector were initially sceptical about two-factor authentication. They feared that the procedure might complicate the login process and deter potential customers. However, the way that 2FA enables unique ID factors such as a fingerprint or facial scanning to be used for authentication is dispelling concerns that two-factor authentication might negatively impact the user experience. In fact, the exact opposite is the case, as the process of gaining authorised access to a person's own data and online transactions has never been more user-friendly.

More and more organisations are therefore using two-factor authentication (2FA) to create an additional level of security that online fraudsters cannot easily overcome. Since 2018, 2FA procedures for financial institutions have been mandatory under the EU Payment Services Directive within the European Economic Area. As well as various Microsoft services, online providers such as Amazon, Google, Facebook and Instagram have already introduced 2FA – without making it mandatory. If customers want to pay with a credit card on the Internet, they will also, as authorised users, now need to authenticate themselves using two different factors.

In addition to their username, email address and possibly a password, an additional step is involved in which a factor is requested to which only the user has access. This can be:

  • Something known to them – such as a code sent to their smartphone in a text message or their debit card PIN number
  • Something in their possession – say, a list of transaction authorisation numbers (TANs), a (mobile) phone, a chip card or an RSA token
  • Something intrinsic to them – like a fingerprint, the iris of their eye, or their face
  • Or their location – the place where they are currently located, determined by their IP address or by GPS

Not all 2FA strategies are equally successful in fending off cyber attacks

Two-factor authentication systems use different technologies to better protect users' accounts and confidential data. Certain methods, however, can still be rendered ineffective by means of sophisticated techniques. Here is a selection of widely used 2FA methods:

SMS tokens

SMS tokens are randomly generated codes valid only for a short period of time that online services such as Instagram send to the user's phone in a text message during the login process.

Tokens provide very good protection against phishing and bot attacks. However, if the cybercriminals succeed in redirecting the SMS tokens to another phone by means of social engineering (in a "SIM swap" attack), the SMS token will be unable to prevent unauthorised access to a user's account.

Cryptographic tokens

Cryptographic tokens store a private crypto key without which the user will be unable to complete the desired transaction.

Hardware tokens (such as FIDO)

Fido Alliance hardware tokens are considered very safe and easy to use. With these, authentication relies on an external key that is stored on a dongle or on the TPM (Trusted Platform Module) chip built into the user's device. 

TAN methods 

In the past, a number of financial institutions utilised paper forms with long lists of TANs (transaction authentication numbers) that customers would have to use for authenticating themselves when carrying out online banking transactions. However, if these paper lists fell into the wrong hands, they would no longer be secure.

Even today, TANs are still in use – albeit in the form of digital "eTANs". These are only valid for a short time and are sent, for instance, to an authenticator app on the user's smartphone. To access the app, users have to authenticate themselves in an additional step by scanning their fingerprints or entering a PIN number.

Over time, the use of hardware-based TAN generators for producing transaction authentication numbers has become less common. Most users find it impractical always to have to resort to an additional external device for their online transactions.

Which is the best 2FA solution?

As a general rule, it's safe to say that 2FA is now one of the safest ways of protecting users' data and accounts from unauthorised access. However, the specific procedures a company chooses will often depend not only on the degree of security provided but also on the set-up and operating costs and, importantly, their user-friendliness.

Methods that integrate biometric features into the authentication process and/or rely on the Fido Alliance's U2F standard are seen as particularly advanced in this respect. They combine a maximum level of security with a high degree of user-friendliness for customers.