The two-factor authentication ( 2FA ), often called two-factor authentication referred to denotes the proof of identity of a user by means of the combination of two different and more particularly to independent components (factors). Typical examples are bank card plus PIN at ATMs , fingerprint plus access code in buildings , or passphrase and transaction number (TAN) for online banking . Two-factor authentication is a special case of multi-factor authentication .
For security-critical areas of application, two-factor authentication is recommended, for example by the German Federal Office for Information Security in its IT-Grundschutz catalogs .
In banking, two-factor authentication was made mandatory for the European Economic Area in 2018 with the EU Payment Services Directive . Some web platforms such as Amazon or Google ( Authenticator ) have also introduced this system.
Two-factor authentication is only successful if both specified factors are used together and are correct. If a component is missing or used incorrectly, the access authorization cannot be determined with absolute certainty and access is denied.
The factors can be:
- Secrecy-keeping item (possession) , such as a security token , a bank card , a short-term password generator or a physical key ,
- secret knowledge , such as a passphrase , a one-time password , a PIN or a transaction number (TAN),
- biometric characteristics (inherence) , such as a fingerprint , the pattern of an iris ( iris recognition ), the human voice or the gait pattern .
The two factors do not necessarily have to be of different types (for example, password plus TAN for online banking), but must always be transmitted through two separate transmission channels. The requirement that they are not saved or kept in the same place is often no longer met, so today numerous banks use the TAN procedure and the login interface as a combined e-banking app on the same end device Loss or, in the event of a security breach, both transmission channels come under one roof.
Indirect two-factor authentication
If, among other things, a protected item is required for authentication , the disadvantage arises that it has to be carried at all times if the user wants to be able to log in at any time. If the item is stolen, lost or if the user simply doesn't have it with him, access is impossible. There are also costs: on the one hand for the initial purchase, on the other hand for replacement purchases.
In order to avoid these risks, indirect two-factor authentication has been developed as an alternative. It uses mobile devices such as cell phones and smartphones as tokens, ie "something that the user owns" (but can also lose). If the user wants to authenticate himself, he usually has to enter a passphrase and a one-time valid, dynamically generated passcode . He receives this code by SMS , e-mail or via a corresponding app on his mobile device. The advantage of this method: No additional token has to be purchased and protected, as the mobile device is already a constant companion for many people these days. Some professional solutions ensure that a valid passcode is always available. If the user has used a sequence of digits, it is automatically deleted and the system sends a new code to the mobile device. If the new code is not entered within a specified period, the system will automatically replace it. In this way, no old codes that have already been used remain on the mobile component. For even greater security, you can specify how many incorrect entries are tolerated before the system blocks access.
If the authenticating user no longer needs to do manual data entry, the process is considered semi-automated . This is achieved with the NFC method. A previously personalized mobile device is used for this.
The process is only considered fully automated when the authenticating user no longer needs to handle anything . This has been achieved by using piconets ( Bluetooth ) as an international industry standard. A previously personalized mobile device is used for this.
Universal two-factor authentication
The FIDO Alliance launched the first version of the universal and license-free standards on December 9, 2014 U2F published for two-factor authentication, which is compatible with various methods and devices. In February 2015 Microsoft announced that Standard 2.0 of the FIDO Alliance for authentication on the Internet would be supported by the Windows 10 operating system .
- Data protection in the network: double security with two-factor authentication. In: Stiftung Warentest . March 19, 2019(freely accessible quick test on the subject).
- ↑ M 4.133 Appropriate selection of authentication mechanisms , BSI, status: 13th EL status 2013, accessed on February 20, 2015.
- ↑ Two-factor authentication for online banking is coming. futurezone.at, August 2, 2017 (accessed July 8, 2019).
- ↑ More security: Amazon introduces two-factor authentication. In: Der Standard online, December 5, 2016.
- ↑ Second factor: only a few users secure their Google account additionally. In: Der Standard online, January 22, 2018.
- ↑ Two-factor authentication: how it works , test.de , January 28, 2015, accessed on February 20, 2015
- ↑ Multi-factor authentication. A-SIT Center for Secure Information Technology, on onlinesicherheit.gv.at; accessed July 8, 2018.
- ↑ Michel Smidt: Briefly explained: Secure logins with two-factor authentication. In: Univention Blog. univention, April 27, 2017, accessed on August 14, 2018 .
- ↑ FIDO 1.0 Specifications are Published and Final Preparing for Broad Industry Adoption of Strong Authentication in 2015 , FIDO Alliance, accessed December 12, 2014
- ↑ Dustin Ingalls: Microsoft Announces FIDO Support Coming to Windows 10 ( Memento from February 15, 2015 in the Internet Archive ), windows.com, accessed on February 15, 2015