
What is two-factor authentication?

20 May 2020

A lot of online accounts - e-mail, online retail and digital payment services, to name but a few - are full of sensitive data. The idea behind two-factor authentication is to ensure that attackers can't get into private accounts even if they have managed to get hold of the password. IT security expert Christoph Bayer from TÜViT explains how this security mechanism works and when and where you can use it.


#explore: What is two-factor authentication?
Christoph Bayer: As the name suggests, authentication of this type takes place using two different and, ideally, independent factors. One factor, for instance, would be an item of knowledge - your PIN or your password. The other would be an object in your possession - your debit card or a security token. In recent years, we've also seen the increasing use of biometric characteristics, such as fingerprints or iris or face recognition. Combining two or more factors is supposed to prevent someone who's got hold of your password from pretending to be you and simply logging into your bank account or some other service. With online registration, the best thing is for the two factors to follow separate transmission routes. For instance, you might enter a password on your laptop and also have a security code sent to your smartphone which you also need to log in. The idea behind this is that a hacker who's compromised your laptop, for instance using malware, can't at the same time access your phone. For security reasons, you should always use two separate devices to log in and never run both processes for two-factor authentication on the same device.


What are the current methods of two-factor authentication?
The additional security stage will typically consist of a request for a second password generated exclusively for this log-in. Depending on the provider, the code will either be generated by a specific app on your smartphone or you'll receive it as a text or an e-mail. Appropriate hardware, such as a security token in the form of a special USB stick, can be used as the second factor. A user's fingerprint or face can likewise be used as the second factor, where these are scanned by the smartphone and then verified by a special provider app. In Germany, signing in to submit a digital tax return using the Elster online service, on the other hand, combines a password with a security certificate which is stored locally on the user's computer.


Which providers are already using two-factor authentication?
With some Internet services, such as the Steam games platform, it's now standard practice to have to enter both a password and an extra security code that the provider automatically sends to your mail account if you want to log in on a new device or with a different browser. Most of the big service providers like Google, Microsoft, Apple, PayPal, Amazon and Dropbox, along with social networks like Twitter or Facebook, are also now offering the two-factor authentication option. In most cases, this is deactivated by default, and you have to go to the settings of whichever online account it is to activate it.


Two-factor authentication always makes the log-in procedure a bit less convenient. Do I really need a second factor for security with every online service?
Two-factor authentication is a bit more involved, of course, all the more so as you have to have the other factor with you when you’re on holiday, for instance, if you want to access your e-mail account. Some online services might seem less important and less in need of protection than others. But as an IT security consultant, I’d always recommend making the access to your services as secure as possible - by using a second factor. After all, having cybercriminals hack into your online bank account or e-mail isn’t the only way for damage to be done. If hackers crack open your Facebook account and use it to spread compromising pictures or messages, that can also have very unpleasant consequences for you.


Christoph Bayer is a cyber security consultant and evaluator at TÜViT. In his daily work, the maths graduate focuses on the security of smart cards - which covers everything from payment cards and electronic passports through to health insurance cards.