Two-factor Authentication

Better security for online accounts and networked devices

Many online service providers now offer a login method in which the user proves their identity with a second factor, either in addition to or instead of a password. Two-factor authentication (2FA) comes in several forms: some add a second factor after the password has been entered, while others do away with the password-only login altogether by combining two factors directly. Hardware-based methods offer the highest level of security and should be used in addition to (or as a replacement for) a strong password.

How does logging in with a second factor work?

In many cases, multi-factor authentication starts in the usual way: the user enters their password and the system they are logging in to checks that it is correct. Unlike a password-only login, however, the user is not then taken straight to the requested content but is faced with a second barrier. This prevents unauthorised third parties from accessing user data or functions simply because the password has come into their possession.

Once the password has been checked, many common two-factor systems bring in a separate system or channel for the second step. The provider you are logging in to may send a verification code to another of your devices, e.g. your smartphone. Equally, the second factor could be your fingerprint on a suitable sensor, or a USB token or chip card that you have to present. Only if you have this means of confirming your identity in your possession can you access the requested content and use the online service or device in question.

It is crucial that the two factors come from different categories: knowledge (e.g. password, PIN), possession (e.g. chip card, TAN generator) or biometrics (e.g. fingerprint). Two passwords, for instance, are not two factors.

Instead of the service provider verifying the factors one after the other in a multi-step process, some methods combine several factors directly. With the eID function of the German ID card, for example, the possession factor (the chip card) can only be used in conjunction with the knowledge factor (the PIN). The service provider only authenticates the user if both factors are presented together. This approach is more secure than checking a password and then a separate second factor in succession.

What systems are commonly used for two-factor authentication?

A second factor always increases security, but how that second factor is implemented and used matters too. Broadly speaking, two-factor authentication methods can be split into the following groups:

TAN/OTP systems as a second factor after entering a password: a TAN or an OTP is a one-time code that serves as the second factor. In the past, TANs were handed out in advance as printed lists (iTAN), but this method has been classed as insufficiently secure for some time now. TAN generators (hardware) or authenticator apps (software) are better, as they generate a fresh one-time code for each use, either time-based (TOTP) or event-based, i.e. counter-based (HOTP). More secure still are TAN generators that include data from the transaction itself (e.g. account number and amount) when generating the TAN (eTAN, chipTAN), so that a code issued for one transfer cannot be reused for a manipulated one.

Alternatively, the service provider can send the TAN to the user via a different route or to a different end device. The most common method is to send it by text message (mTAN, smsTAN), together with the relevant transaction data where applicable. However, it is not advisable to receive the mTAN on the same device you are using to log in to or use the service, because the two factors are then not kept sufficiently separate.
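The three TAN/OTP mechanisms described above can be shown in a few dozen lines. The following is an added example and not code from the BSI page: it implements counter-based HOTP (RFC 4226) and time-based TOTP (RFC 6238), a verifier that tolerates one time step of clock drift, and a constructed `transactionTAN` that mixes IBAN and amount into the MAC input to illustrate the chipTAN idea (the real chipTAN message format is not given on the page and is not reproduced here). The secret is the RFC test-vector key and the IBAN is a sample value; both are constructed inputs.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// truncate performs the RFC 4226 "dynamic truncation": take 4 bytes of the
// HMAC starting at the offset given by the low nibble of the last byte, clear
// the sign bit, and reduce to the requested number of decimal digits.
func truncate(mac []byte, digits int) string {
	offset := mac[len(mac)-1] & 0x0f
	code := binary.BigEndian.Uint32(mac[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// hotp is the event-based (counter-based) one-time code of RFC 4226:
// HMAC-SHA1(secret, 8-byte big-endian counter), truncated.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	m := hmac.New(sha1.New, secret)
	m.Write(msg[:])
	return truncate(m.Sum(nil), digits)
}

// totp is the time-based variant of RFC 6238: the counter is the number of
// `step`-second intervals since the Unix epoch, so generator and service
// derive the same code from their clocks without exchanging a counter.
func totp(secret []byte, unixTime int64, step int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// verifyTOTP accepts the code for the current step and one step either side
// to tolerate small clock drift, comparing in constant time.
func verifyTOTP(secret []byte, code string, unixTime int64, step int64, digits int) bool {
	for _, skew := range []int64{-1, 0, 1} {
		expected := totp(secret, unixTime+skew*step, step, digits)
		if hmac.Equal([]byte(expected), []byte(code)) {
			return true
		}
	}
	return false
}

// transactionTAN illustrates the chipTAN/eTAN idea: the transaction data
// (IBAN and amount) are fed into the MAC along with the counter, so a TAN
// generated for one transfer is useless for a manipulated one. The message
// layout is a constructed example, not the real chipTAN specification.
func transactionTAN(secret []byte, counter uint64, iban string, amountCents int64, digits int) string {
	var ctr [8]byte
	binary.BigEndian.PutUint64(ctr[:], counter)
	m := hmac.New(sha1.New, secret)
	m.Write(ctr[:])
	m.Write([]byte(strings.ToUpper(strings.ReplaceAll(iban, " ", ""))))
	m.Write([]byte(fmt.Sprintf("|%d", amountCents)))
	return truncate(m.Sum(nil), digits)
}

func main() {
	// Constructed demo secret (the RFC 4226/6238 test-vector key); real secrets are random.
	secret := []byte("12345678901234567890")
	iban := "DE02 1203 0000 0000 2020 51" // sample IBAN, constructed input
	fmt.Println("HOTP counter 0:", hotp(secret, 0, 6))      // 755224
	fmt.Println("TOTP at T=59:  ", totp(secret, 59, 30, 8)) // 94287082
	fmt.Println("TOTP now:      ", totp(secret, time.Now().Unix(), 30, 6))
	tan := transactionTAN(secret, 1, iban, 10000, 6)
	fmt.Println("TAN for 100.00 EUR:", tan)
	fmt.Println("same TAN valid for 100.01 EUR?", tan == transactionTAN(secret, 1, iban, 10001, 6))
}
```

Note what the transaction binding buys: with plain HOTP/TOTP, a code phished from the user is valid for whatever the attacker submits during its lifetime; with the transaction data inside the MAC, the user would have to enter the attacker's IBAN and amount into their generator to produce a usable code.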

Cryptographic tokens: a cryptographic token stores a private cryptographic key. Authentication works as a challenge-response exchange: the service sends a challenge to the token, and only a token holding the matching private key can produce the correct answer. The key itself never has to be transmitted.

The key can be stored as a software certificate (familiar from the ELSTER system), but it is more secure to store it in hardware: on a chip card (HBCI, signature cards) or in a dedicated USB/NFC token (FIDO/U2F). The German ID card and the electronic residence permit also contain a secure key store, which is what enables the eID function.
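The challenge-response exchange described above, as an added example that is not code from the BSI page or from any FIDO implementation. It uses Ed25519 from the Go standard library: the token signs a fresh server challenge, the service verifies with the public key it stored at enrolment, and a signature counter rejects replays. The origin binding (hashing the site the browser is actually connected to into the signed message) is borrowed from the FIDO/U2F design the page mentions and is simplified here; the origins `https://bank.example` and `https://bank-login.example` are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Token models the hardware side: the private key is generated inside and
// never exported. The counter increments on every signature.
type Token struct {
	priv    ed25519.PrivateKey
	counter uint32
}

// Registration is all the service stores at enrolment: the public key and
// the last counter value it has seen.
type Registration struct {
	pub         ed25519.PublicKey
	lastCounter uint32
}

// Assertion is the token's answer to a challenge.
type Assertion struct {
	Counter   uint32
	Signature []byte
}

// Enrol creates a token and the matching registration record.
func Enrol() (*Token, *Registration, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{priv: priv}, &Registration{pub: pub}, nil
}

// NewChallenge is the service's fresh random nonce; a new one per login
// attempt is what makes replaying an old answer useless.
func NewChallenge() []byte {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// signedMessage is what the token actually signs: SHA-256 of the origin the
// client is connected to, the signature counter and the challenge. Binding
// the origin (simplified from FIDO/U2F) means a token used on a look-alike
// site signs that site's origin, so the real service cannot verify it.
func signedMessage(origin string, counter uint32, challenge []byte) []byte {
	o := sha256.Sum256([]byte(origin))
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	msg := append([]byte{}, o[:]...)
	msg = append(msg, c[:]...)
	return append(msg, challenge...)
}

// Respond answers a challenge. origin is supplied by the client software
// (browser) from the connection it actually has, not by the remote site.
func (t *Token) Respond(origin string, challenge []byte) Assertion {
	t.counter++
	return Assertion{
		Counter:   t.counter,
		Signature: ed25519.Sign(t.priv, signedMessage(origin, t.counter, challenge)),
	}
}

// Verify is the service side: rebuild the message with its own origin and
// the challenge it issued, check the signature with the stored public key,
// and reject any counter that does not move forward (replay or cloned key).
func (r *Registration) Verify(origin string, challenge []byte, a Assertion) bool {
	if a.Counter <= r.lastCounter {
		return false
	}
	if !ed25519.Verify(r.pub, signedMessage(origin, a.Counter, challenge), a.Signature) {
		return false
	}
	r.lastCounter = a.Counter
	return true
}

func main() {
	token, reg, err := Enrol()
	if err != nil {
		panic(err)
	}
	const bank = "https://bank.example" // hypothetical service origin
	ch := NewChallenge()
	a := token.Respond(bank, ch)
	fmt.Println("genuine login verifies:      ", reg.Verify(bank, ch, a))
	fmt.Println("replayed assertion verifies: ", reg.Verify(bank, ch, a))

	// Phishing relay: the attacker forwards the bank's real challenge, but the
	// browser hands the token the origin it is really connected to.
	ch2 := NewChallenge()
	relayed := token.Respond("https://bank-login.example", ch2) // hypothetical look-alike site
	fmt.Println("relayed assertion verifies:  ", reg.Verify(bank, ch2, relayed))
}
```

The contrast with the TAN/OTP group is the point: a one-time code is a shared secret the user can be talked into typing anywhere, whereas the token's answer is tied to the challenge and to the origin it was produced for, so forwarding it to the real service gains the attacker nothing.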

Biometric systems: these systems verify that a unique physical characteristic (fingerprint, face, retina) recorded in advance is present. Biometric characteristics are not usually secret, so it is important that the system detects that a living person is present (liveness detection) and cannot be fooled by a photo, for example.

What is the difference between authenticating yourself and being authenticated?

German distinguishes Authentisierung (the user presents proof of identity) from Authentifizierung (the system checks that proof); English uses 'authentication' for both, which is why the two are often treated as one thing. They are, however, different sub-processes of a login procedure. A user AUTHENTICATES themself to a system by presenting unique login information (e.g. a password or chip card). The system then checks the validity of that information and, if it is valid, AUTHENTICATES the user.

Where are these security processes used?

Multi-factor authentication is used by a huge range of different technologies. Here are just a few examples:

  • Online banking: log in with a password and confirm transactions with an additional TAN via mTAN or pushTAN; alternatively the additional factor could use card-based systems like chipTAN or HBCI.
  • Debit or credit card payments: the chip in the card proves possession, and knowledge of the PIN authorises the transaction.
  • eID function of the German ID card: the chip in the card first has to be enabled by entering the PIN before any data can be transferred. Mutual authentication is also performed between the card and the service provider and the data read out is sent to the service provider with end-to-end encryption.
  • Cloud or e-mail providers, social media platforms: log in securely with a password and mTAN or an OTP from an authenticator app; alternatively the additional factor could be hardware-based and use a U2F/FIDO token.
  • Tax return: with ELSTER, you can submit your tax return digitally by logging in using a password-protected software certificate or the eID function of the German ID card.

Please do not disable two-factor authentication

Giving an online account adequate protection can sometimes be inconvenient. Nevertheless, the BSI always advises against disabling two-factor authentication: wherever an online service offers it, you should use it. The increased security is worth the effort particularly for online banking, online shopping and accounts with extensive rights and potential for damage (e.g. e-mail and social media). Nobody should have to put up with having their identity stolen, their account taken over by strangers or their sensitive data published.

Current recommendations and risks

Recommendations:

  • Wherever an online service offers two-factor authentication, take advantage of it.
  • Many services have the function disabled by default, but they do provide it. It is worth checking the available login methods.
  • If your password or PIN gets into the wrong hands, your sensitive data remains protected, because the second factor is an additional barrier against unauthorised access.

Disadvantages:

  • Multi-factor authentication makes logging in slightly longer. Some services let you skip the second factor on trusted devices, but doing so makes your login less secure.
  • If you lose access to your possession-based factor or it breaks, you will usually lose access to the corresponding service, or its functionality will be restricted. Prepare for this scenario by registering, where possible, more than one second factor (e.g. another token, another TAN app or another mobile phone number for mTAN) and by keeping any recovery codes the service provides in a safe place.