Two factor authentication: How to protect your accounts

Time and time again, the media reports on large-scale hacker attacks. Internet criminals get their hands on thousands of e-mail addresses and passwords from large web platforms, forums, or online shops, and gain unauthorized access to the accounts of their victims. These so-called phishing attacks also give criminals access to sensitive account information. One of the safest ways to protect your own accounts from criminal tampering is the two factor authentication method: With this, access to an account is only possible with a second identity verification. In our article, we explain what exactly two factor authentication is, how it works in practice, and which benefits and drawbacks the method has.

Two factor authentication combines two different and independent components of identification to identify a legitimate user. You come across a simple everyday example for two factor authentication every day at the ATM or a supermarket checkout: To withdraw money or pay with a card at the store, two components are needed: Your debit or credit card and your pin (or signature). Only when the two are correctly combined is the two factor authentication successful. The same principle can also be applied to the securing of e-mail accounts, online shop accounts, or other large web portals.

Unfortunately, an overwhelming majority of accounts on the web are still only protected by one component: To log into an e-mail account, cloud service, or online shop, just one password is usually required. If these are targeted, hackers can gain quick access to sensitive emails, account information, and other personal data. To prevent that, a growing number of providers such as Dropbox, Google, or Amazon have implemented two factor authentication as an additional security measure for their respective services. This method can turn out a number of ways, depending on which of the various components are combined to create it.

The components or factors necessary for access in a two factor authentication can be a number of different things. The most important and most widely used factors are:

• Token or access card
• PIN (Personal Identification Number)
• TAN (Transaction Number)
• Password
• Biometric characteristic (e.g. fingerprint, voice, or iris)

All these factors require something for the identification of a legitimate person that they either know, have, or are inseparably connected to (“know”, “have”, “are”). The bank account example shows that in everyday life, usually tokens of some kind are combined with one of the other factors. But this method has the critical disadvantage that even authorized persons can’t gain access without carrying the token with them – which can result in inadvertent moments of locked access (e.g. the incorrect input).

For this reason, two factor authentication systems where classic tokens aren’t required, or the risk of loss is at least minimized, are increasingly used online for identifying legitimate users: As a rule, the system generates an automatic code in addition to a password. This is delivered to the authorized user by means of their smartphone – either via SMS, mail, or a special authentication app. This guarantees that only the person who should have access receives the additional security code. The benefit: The code is only valid once and automatically loses its validity after a specified time.

Two factor authentication without a token or access card also has the advantage that secondary methods for receiving a security code can be defined: If, for example, access to the app isn’t possible, then a code can alternatively be sent via SMS, or an authorized user can receive a phone call with an automatic announcement of the code.

The two factor authentication setup process of other services is just as simple: Amazon, Microsoft, Apple – almost all large companies offer their customers similar options. The low prevalence of two factor authentication raises the question of whether there are disadvantages that come with the additional security.

The higher security standard provided by two factor authentication brings along its own benefits, and is ultimately recommended by the National Institute of Standards and Technology (NIST) in its Electronic Authentication Guideline. For users, though, the risk of being blocked out of their own accounts due to carelessness or system failures is there, since the two-step authentication adds an extra step not only for potential hackers, but also for legitimate users. Because two factor authentication is usually used to secure account online via a combination of “know” (password, etc.) and “have” (cell phone to which the security code is sent), the loss of the phone in question results in the (temporary) lockout of the authorized user. Technical problems with the authentication app also cannot be avoided entirely.

Luckily, most companies have a “double floor” for cases like this, or the possibility to specify a restore option, such as an alternative number where the authentication code can be sent. A written or printed emergency code or a replacement e-mail address are also sometimes requested to restore access to the account. This disadvantage is largely relative, though. It’s only necessary to take the security measures into account – as long as they’re optional and not obligatory – and to carefully note down the information for emergency access. This minimizes the risk of locking yourself out.