Two-factor authentication (2FA) refers to proving a user's identity by means of a combination of two different and, in particular, mutually independent components (factors). Typical examples are bank card and PIN at ATMs, fingerprint and access code in buildings, or passphrase and transaction number (TAN) for online banking. Two-factor authentication is a special case of multi-factor authentication.
Two-factor authentication is only successful if two defined means of authentication from different categories (possession, knowledge, inherence) are used together in the verification. Each means of authentication must pass its own authentication protocol successfully. If a factor is missing or is used incorrectly, authenticity cannot be established beyond doubt and access to the system is denied. Factors may include:
- Secret object (possession), such as a security token, a bank card, an app that generates one-time passwords (see below), or a physical key,
- Secret knowledge, such as a password, one-time password, PIN or transaction number (TAN),
- Biometric characteristics (inherence), such as a fingerprint, the pattern of an iris, the human voice or the gait pattern.

Security experts warn that SMS spoofing and man-in-the-middle attacks, in which attackers present a fake login page and relay the entered credentials, can be used to bypass two-factor authentication schemes that rely on one-time passwords.
---
The two factors should use two separate transmission channels. The requirement that they not be kept in the same place is often not met. For example, many banks run the e-banking app and the app for two-factor authentication via one-time password on the same device, so that if the device is lost, only the PIN code of the 2FA app protects the application. Even installing the TOTP app for two-factor authentication on the same device on which the 2FA-secured IT service is used still increases security compared to authentication by login name and password alone – this follows from the uniqueness of the one-time password. Using the authentication app on a second device, however, provides the additional security of a genuinely separate second factor.
In addition, most providers allow you to define certain computers as trusted clients, from which you can log in without a one-time password. If an attacker can gain access to such a computer, there is no additional protection.
In the case of two-factor authentication via SMS, where the service provider sends a one-time TAN to the user, who then has to enter it, the service provider incurs costs for sending each SMS. For a number of years Twitter had to pay more than $60 million per year to a total of around 390 telecommunications companies, and more than 10% of the SMS billed to Twitter were generated through fraudulent sign-up processes. Those telecommunications companies had set up numerous Twitter accounts with which they logged in again and again, so that they could invoice Twitter for sending the SMS carrying the login TANs.
This misuse is only possible when SMS is used as the second factor, a practice that is becoming less and less common, and it does not compromise the security of this authentication method.