Multifactor authentication (MFA) is a security method that grants access to digital resources such as devices, networks or online services only after several authentication factors have been combined. In short, MFA requires at least two independent confirmations of a user’s identity before access to the resource is granted.
MFA significantly increases security: even if one authentication factor is compromised, access is still protected by the second factor. You can find a more detailed explanation in our previous blog post and in the BSI video.
What Types of MFA Are There?
There are several types of multifactor authentication methods, each relying on different factors to identify users. These factors can be, for example, a password (knowledge), a smartphone (possession) or a fingerprint (biometric feature). Each method has its own advantages and disadvantages in terms of ease of use, security and vulnerability to attacks. The most commonly used types include the following:
Hardware Tokens
These are physical devices (security keys) that may be protected by a PIN or biometric properties (such as a fingerprint) and generate codes that are valid once. The codes are calculated using various methods, including HOTP (HMAC-based One-Time Password) and WebAuthn/FIDO2 (Web Authentication).
In the HOTP procedure, a secret (a shared key) is issued by the service and stored in the security key. The codes are generated in a fixed, counter-based sequence derived from this secret. The WebAuthn method, on the other hand, is a challenge-response method: the server sends a challenge to the token, which responds to it.
These tokens can be USB keys such as Yubikey, smartcards or specialized authentication devices.
- Pros: Strong authentication, as the token is an independent device that is not permanently connected. Attacks on the device (e.g., theft of the stored secret) are therefore made more difficult.
- Cons: Acquisition costs, training for users, compatibility depending on the system and provider.
- Security level: Very good due to the combination of possession and knowledge.
Authentication Apps
These apps generate one-time security codes on a user’s device, either time-based using the TOTP (Time-based One-Time Password) method or, as described above, counter-based using the HOTP method. Examples are Google Authenticator, Microsoft Authenticator, Authy or 2FAS Auth.
- Pros: Generates security codes on a separate end device.
- Cons: Requires installation of an additional app. Potential risk of malware attacks on the end device. May require the use of private end devices (e.g., smartphone) in a business context.
- Security level: Good, since in the best case both the separate end device and the app are password-protected.
TAN List
A TAN list (transaction number list) is a list of unique security codes used for authentication. Each number on the list can be used only once and confirms a specific transaction. When users want to carry out a transaction, the system requests a transaction number (TAN) from the list, and users enter this number to authorize the transaction. Note that there are also TAN lists in which the order in which the numbers are used is predefined. Once a number has been used, it is considered invalid and must be checked off to prevent it from being used again.
- Pros: Simple and user-friendly, requires no special additional devices or codes.
- Cons: Risk of loss both digitally and physically (unsecured codes can be used by anyone).
- Security level: Medium, but potentially vulnerable to phishing attacks.
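The "checking off" described above has to happen on the server as well, otherwise a TAN that was phished or copied from a lost sheet stays valid. The following Python class is an added example, not code from the original post or from any bank; it keeps the server-side record for one issued list and supports both variants from the text: the classic list, where any unused TAN is accepted, and the indexed list, where the server names the position that must be used next and allows exactly one attempt for it. The class, method and parameter names are this example's own, and the TAN values in the demo are constructed.

```python
import secrets
from typing import List, Optional


class TanList:
    """Server-side record of one issued TAN list (example class)."""

    def __init__(self, tans: List[str]) -> None:
        self.tans = list(tans)
        self.used = [False] * len(tans)   # the server's own "checked off" marks
        self.pending: Optional[int] = None  # 0-based index requested from an indexed list

    def unused_count(self) -> int:
        return self.used.count(False)

    # Classic list: any TAN that has not been used yet authorizes the transaction.
    def verify_any(self, tan: str) -> bool:
        for i, value in enumerate(self.tans):
            if not self.used[i] and secrets.compare_digest(value, tan):
                self.used[i] = True
                return True
        return False

    # Indexed list: the server chooses which position must be entered next.
    def request_position(self) -> int:
        choices = [i for i, used in enumerate(self.used) if not used]
        if not choices:
            raise RuntimeError("TAN list exhausted; a new list must be issued")
        self.pending = secrets.choice(choices)
        return self.pending + 1  # positions are shown to the user 1-based

    def verify_indexed(self, position: int, tan: str) -> bool:
        if self.pending is None or position - 1 != self.pending:
            return False  # no position was requested, or the wrong one was answered
        index, self.pending = self.pending, None  # one attempt per requested position
        if self.used[index] or not secrets.compare_digest(self.tans[index], tan):
            return False
        self.used[index] = True
        return True


def generate_tan_list(count: int = 10, digits: int = 6) -> List[str]:
    """Constructed helper: random numeric TANs for a demo list."""
    return [str(secrets.randbelow(10 ** digits)).zfill(digits) for _ in range(count)]


if __name__ == "__main__":
    demo = TanList(generate_tan_list(5))
    pos = demo.request_position()
    print("bank asks for position", pos)
    print("correct TAN accepted:", demo.verify_indexed(pos, demo.tans[pos - 1]))
    print("same TAN again rejected:", not demo.verify_any(demo.tans[pos - 1]))
    print("TANs left:", demo.unused_count())
```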
SMS Codes or E-mail Codes
The system sends a one-time security code to the cell phone or e-mail address of the person using the service. The user must enter the generated code at the service to confirm access.
- Pros: Easy to use, no additional app or hardware required.
- Cons: SMS codes are susceptible to SIM swapping attacks, and e-mail codes can be compromised through hacked e-mail accounts. Both are susceptible to phishing and other remote attacks. This is also highlighted by the German Federal Office for Information Security (BSI) in an “IT security” evaluation table.
- Security level: Poor, as the security risk is high due to the above-mentioned attack possibilities.
pushTAN
The pushTAN* (mainly used for transactions and authentication purposes in connection with banking transactions) works via an app that is installed on the smartphone and is linked to the user’s bank account. After initiating a transaction on the computer, the user receives a push notification on the paired smartphone. This notification displays a TAN that was generated specifically for this transaction.
- Pros: TANs are not stored or generated on the device but sent to the selected, verified device via a secure connection.
- Cons: Installation of an additional app is required. Requires trust in the integrity of the device and of the network that delivers the push notifications. A verification process is necessary.
- Security level: Good, comparable to or better than authentication apps.
MFA Offers Protection and Security
Multifactor authentication significantly increases the security of systems by providing additional protection against unauthorized access. Even if one authentication factor is compromised, attackers must overcome at least one additional security barrier before gaining access to the target. Every hurdle erected in the process acts as a further protective factor for the security of sensitive data.
Important: every second factor is only as secure as its handling. Each additional factor increases security against remote attacks, but overall security only increases if the first factor (login data) continues to be used carefully, with a secure password. For the security reasons mentioned above, the IT Center generally recommends the use of hardware tokens and smartphone apps.
*This procedure is currently not offered by the IT Center.
Responsible for the content of this article are Janin Iglauer, Malak Mostafa, Jelena Nikolic.