{"id":18189,"date":"2024-01-03T13:00:45","date_gmt":"2024-01-03T12:00:45","guid":{"rendered":"https:\/\/blog.rwth-aachen.de\/itc\/?p=18189"},"modified":"2024-01-05T08:58:12","modified_gmt":"2024-01-05T07:58:12","slug":"sicherheitsmechanismen-kurz-erklaert-mfa","status":"publish","type":"post","link":"https:\/\/blog.rwth-aachen.de\/itc\/en\/2024\/01\/03\/sicherheitsmechanismen-kurz-erklaert-mfa\/","title":{"rendered":"Security Mechanisms Unravelled: MFA"},"content":{"rendered":"<p><div id=\"attachment_18195\" style=\"width: 310px\" class=\"wp-caption alignright\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-18195\" class=\"size-medium wp-image-18195\" src=\"https:\/\/blog.rwth-aachen.de\/itc\/files\/2023\/12\/Blog-Layout-1-1-300x200.png\" alt=\"Laptop surrounded by security icons\" width=\"300\" height=\"200\" srcset=\"https:\/\/blog.rwth-aachen.de\/itc\/files\/2023\/12\/Blog-Layout-1-1-300x200.png 300w, https:\/\/blog.rwth-aachen.de\/itc\/files\/2023\/12\/Blog-Layout-1-1-1024x683.png 1024w, https:\/\/blog.rwth-aachen.de\/itc\/files\/2023\/12\/Blog-Layout-1-1-768x512.png 768w, https:\/\/blog.rwth-aachen.de\/itc\/files\/2023\/12\/Blog-Layout-1-1-1536x1024.png 1536w, https:\/\/blog.rwth-aachen.de\/itc\/files\/2023\/12\/Blog-Layout-1-1-2048x1365.png 2048w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><p id=\"caption-attachment-18195\" class=\"wp-caption-text\">Source: <a href=\"https:\/\/de.freepik.com\/vektoren-kostenlos\/cyber-sicherheitskonzept_8290045.htm\">Freepik<\/a><\/p><\/div><\/p>\n<p>Multifactor authentication (MFA) is a security method that secures access to digital resources such as devices, networks or online services by combining multiple authentication factors. 
Essentially, MFA requires at least two independent confirmations of a user&#8217;s identity before access to the resource is granted.<\/p>\n<p><!--more--><\/p>\n<p>MFA significantly increases security: even if one authentication factor is compromised, access is still protected by the second factor. You can find a more detailed explanation in our previous <a href=\"https:\/\/blog.rwth-aachen.de\/itc\/en\/2021\/05\/05\/die-multi-faktor-authentifizierung\/\">blog post<\/a> and in the <a href=\"https:\/\/www.youtube.com\/watch?v=xCCni1Sxe80\">BSI video<\/a>.<\/p>\n<p>&nbsp;<\/p>\n<h3><span style=\"color: #00549f;\">What Types of MFA Are There?<\/span><\/h3>\n<p>There are several types of multifactor authentication methods. They rely on different factors to identify users. These factors can be, for example, a password (knowledge), a smartphone (possession) or a fingerprint (biometric feature). Each method has its own advantages and disadvantages in terms of ease of use, security, and vulnerability to attacks. The most common types include the following:<\/p>\n<p><span style=\"color: #00549f;\"><strong>Hardware Tokens<br \/>\n<\/strong><\/span>These are physical devices (security keys) that may be protected by a PIN or biometric properties (such as a fingerprint) and generate codes that are valid only once. The codes are calculated using various methods, including HOTP (HMAC-based One-Time Password) and WebAuthn\/FIDO2 (Web Authentication).<br \/>\nIn the <strong>HOTP procedure<\/strong>, a secret (in the form of a password) is issued by the service and incorporated into the security key. The codes are generated in a fixed sequence based on this secret. The <strong>WebAuthn method<\/strong>, on the other hand, is a challenge-response method. 
The server sends a challenge to the token, which computes and returns the response.<\/p>\n<p>These tokens can be USB keys such as the YubiKey, smartcards or specialized authentication devices.<\/p>\n<ul>\n<li><strong>Pros:<\/strong> Strong authentication, since the token is an independent device that is not permanently connected. Attacks on the device, such as theft of the stored secret, are therefore harder to carry out.<\/li>\n<li><strong>Cons:<\/strong> Acquisition costs, training for users, compatibility depending on the system and provider.<\/li>\n<li><strong>Security level:<\/strong> Very good due to the combination of possession and knowledge.<\/li>\n<\/ul>\n<p><span style=\"color: #00549f;\"><strong>Authentication Apps<br \/>\n<\/strong><\/span>These apps generate one-time security codes on a user&#8217;s device, either time-based using the TOTP (Time-based One-time Password) method or, as described above, sequence-based using the HOTP method. Examples are Google Authenticator, Microsoft Authenticator, Authy or 2FAS Auth.<\/p>\n<ul>\n<li><strong>Pros:<\/strong> Generates security codes on a separate end device.<\/li>\n<li><strong>Cons:<\/strong> Requires installation of an additional app. Potential risk of malware attacks on the end device. May require the use of private end devices (e.g., a smartphone) in a business context.<\/li>\n<li><strong>Security level:<\/strong> Good, provided the separate end device and, ideally, the app itself are password-protected.<\/li>\n<\/ul>\n<p><span style=\"color: #00549f;\"><strong>TAN List<\/strong><br \/>\n<\/span>A TAN list (transaction number list) is a list of unique security codes that is used for authentication. Each number on this list can only be used once and serves to confirm a specific transaction. When users want to carry out a transaction, the system requests a transaction number (TAN) from the list. Users then enter this number to authorize the transaction. It should be noted that there are also TAN lists where the order in which the numbers are used is predefined. 
Once a number has been used, it is considered invalid and must be checked off to prevent it from being used again.<\/p>\n<ul>\n<li><strong>Pros:<\/strong> Simple and user-friendly, requires no special additional devices.<\/li>\n<li><strong>Cons:<\/strong> Risk of loss, both digital and physical (an unsecured list can be used by anyone who obtains it).<\/li>\n<li><strong>Security level:<\/strong> Medium, but potentially vulnerable to phishing attacks.<\/li>\n<\/ul>\n<p><strong><span style=\"color: #00549f;\">SMS Codes or E-mail Codes<br \/>\n<\/span><\/strong>The system sends a one-time security code to the cell phone or e-mail address of the person using the service. The user must enter the received code at the service to confirm access.<\/p>\n<ul>\n<li><strong>Pros:<\/strong> Easy to use, no additional app or hardware required.<\/li>\n<li><strong>Cons:<\/strong> SMS codes are susceptible to SIM swapping attacks. E-mail codes can be compromised through hacked e-mail accounts. Both are susceptible to phishing and remote attacks. This is also highlighted by the German Federal Office for Information Security (BSI) in an <a href=\"https:\/\/www.bsi.bund.de\/SharedDocs\/Downloads\/DE\/BSI\/Publikationen\/Studien\/2FA\/it-sicherheit.pdf\">&#8220;IT security&#8221;<\/a> evaluation table.<\/li>\n<li><strong>Security level:<\/strong> Poor, as the attack possibilities mentioned above make the security risk high.<\/li>\n<\/ul>\n<p><span style=\"color: #00549f;\"><strong>pushTAN<br \/>\n<\/strong><\/span>The pushTAN* (used mainly to authorize transactions and to authenticate in online banking) works via an app that is installed on the smartphone and linked to the user&#8217;s bank account. After initiating a transaction on the computer, the user receives a push notification on the paired smartphone. 
This notification displays a TAN that was generated specifically for this transaction.<\/p>\n<ul>\n<li><strong>Pros:<\/strong> TANs are not stored or generated on the device but sent to the selected, verified device via a secure connection.<\/li>\n<li><strong>Cons:<\/strong> Installation of an additional app required. Requires trust in the integrity of the device and of the network used for push notifications. A verification process is necessary.<\/li>\n<li><strong>Security level:<\/strong> Good, comparable to or better than authentication apps.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h3><span style=\"color: #00549f;\">MFA Offers Protection and Security<\/span><\/h3>\n<p>Multifactor authentication significantly increases the security of systems by providing additional protection against unauthorized access. Even if one authentication factor is compromised, attackers must overcome at least one additional security barrier before gaining access to the target. Every hurdle erected in the process acts as a further protective factor for the security of sensitive data.<\/p>\n<p><strong>Important:<\/strong> Every second factor is only as secure as the way it is handled. Each additional factor increases security against remote attacks. Overall, however, security only increases if the first factor (login data) continues to be used carefully with a secure password. 
Due to the security aspects mentioned above, the IT Center generally recommends the use of hardware tokens and smartphone apps.<\/p>\n<p>&nbsp;<\/p>\n<p>*This procedure is currently not offered by the IT Center.<\/p>\n<p>&nbsp;<\/p>\n<hr \/>\n<p>Responsible for the content of this article are <a href=\"https:\/\/www.itc.rwth-aachen.de\/cms\/it-center\/it-center\/profil\/team\/~epvp\/mitarbeiter-campus-\/?gguid=PER-FV6GWWB&amp;allou=1\">Janin Iglauer<\/a>, <a href=\"https:\/\/www.itc.rwth-aachen.de\/go\/id\/epvp\/gguid\/PER-FSX9U9J\/allou\/1\/\">Malak Mostafa<\/a>, <a href=\"https:\/\/www.itc.rwth-aachen.de\/cms\/it-center\/it-center\/profil\/team\/~epvp\/mitarbeiter-campus-\/?gguid=PER-WA9GPG2&amp;allou=1\">Jelena Nikolic<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>Sorry, this entry is only available in 
Deutsch.<\/p>\n","protected":false},"author":5003,"featured_media":18195,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"c2c_always_allow_admin_comments":false,"footnotes":""},"categories":[306,311,312,314,315],"tags":[609,621,62,303,869],"class_list":["post-18189","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ankuendigungen","category-fun-facts","category-insight-it-center","category-it-sicherheit","category-services-support","tag-cyber-security","tag-cybersicherheit","tag-mfa","tag-multi-faktor-authentifizierung","tag-multifaktor-authentifizierung"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/posts\/18189","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/users\/5003"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/comments?post=18189"}],"version-history":[{"count":14,"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/posts\/18189\/revisions"}],"predecessor-version":[{"id":18270,"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/posts\/18189\/revisions\/18270"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/media\/18195"}],"wp:attachment":[{"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/media?parent=18189"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/categories?post=18189"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.rwth-aachen.de\/itc\/en\/wp-json\/wp\/v2\/tags?post=18189"}],"curies":[{"name":"wp","href":"
https:\/\/api.w.org\/{rel}","templated":true}]}}