What is the full form of 2FA

2FA - two-factor authentication

Two-factor authentication (2FA) describes the combination of two different and independent factors in authentication. Multi-factor authentication (MFA) extends this to more than two factors, which increases security but also adds complexity.
2FA is essentially authentication with a user name, a password and an additional second factor. The first factor is usually a password. The additional second factor offers a considerable gain in security compared to methods with only one factor.

Why two-factor authentication?

The second factor adds a further level of authentication and is an effective protection against fraud and identity theft. Too many users are careless and irresponsible with their user names and the associated passwords.

  • Passwords that are too short and too simple are widespread.
  • Access data are stored too carelessly.
  • Access data fall into unauthorized hands.

If an unauthorized stranger obtains access data or gains access to one authentication feature, it does not help them as long as further authentication features, for example a second factor, are required.

What is a 2FA factor?

A factor is a security feature, more precisely an authentication feature, that is linked to a user or to an identifier standing for the user. A factor, security feature or authentication feature can come from one of three defined areas.

  • Knowledge: This factor is something that only one person knows. Typically a PIN or a password that must be kept secret.
  • Possession: This factor is something that a person possesses. Typically a personal item that is ideally protected against theft and misuse, for example a card, a TAN generator, a hardware or software token or a smartphone.
  • Being (inherence): This factor is something that only one person can have. Typically a biometric feature that can be individually and unambiguously assigned to a person, for example a fingerprint, face, voice or movement.

It is important that the individual factors are not saved or kept together with the other factors. If an attacker obtains two or more factors that belong together, the security gained from the second factor is nullified.

What do you mean by the 1st and 2nd factor?

Basically, with two-factor authentication the two factors must come from two different areas out of the three: knowledge, possession and being.

In practice, two-factor authentication means that, in addition to the first factor, usually a password the user knows, a sequence of digits or a one-time password (OTP) must be entered to access a user account. However, the sequence of digits itself is not the second factor; the second factor is the device on which the sequence of digits is generated or received. It is important here that the sequence of digits is valid only for this one authentication process.

As a rule, you receive the second factor as an SMS or in a security app and have to enter it; in doing so you confirm possession of the device on which the second factor was received and thus authenticate yourself.
Other ways in which the second factor is transmitted or received are telephone calls, mail, hardware tokens or software tokens.
Alternatively, a biometric property such as a fingerprint or facial features can be used as the second factor to complete authentication.

Why is a username not a 2FA factor?

A user name in the traditional sense is useless as a security or authentication feature. A user name is a name, label or personal identifier that can be guessed, is known or is publicly available, like the name of a person or an organization, or an e-mail address. A typical user name can only serve as an identifier to which two additional factors are assigned in order to carry out two-factor authentication.

2FA example: bank card

Yes, the bank card that is used to withdraw money and to pay at the checkout uses two-factor authentication. The first factor is the bank card itself, from the “possession” area. The second factor is the PIN, from the “knowledge” area.
We know from experience that the combination of “possession” and “knowledge” can be problematic if both are kept together. This happens when the PIN is written down and thereby moves from the “knowledge” area into the “possession” area. It becomes a security problem when both the card and the written-down PIN end up in someone else's hands (“possession”).

2FA example: online banking

In online banking, access and transactions are often authenticated using two-factor authentication. Here one wonders, however, how it can be that one authenticates with two factors from the same area. Authentication takes place first with a PIN or a password and then additionally with a TAN. Both factors, PIN and TAN, appear to come from the “knowledge” area. How can that be?

Basically, the form of the factor is irrelevant. The question is how you get hold of the two factors.

In online banking, the first factor is the PIN or password, which you usually set yourself and which therefore clearly comes from the “knowledge” area.
The second factor is usually sent to you in some way. That is the whole point. The second factor, e.g. a code, is received by a device that must be “possessed” by the person who is authenticating. A cell phone or smartphone is very suitable for this because it is perceived and handled as a personal device. As a rule, only the “possessing” person has physical access to it. Ideally, use of the device is additionally restricted by device authentication.
And that is why the second factor, no matter what it looks like, is a factor from the “possession” area. The TAN is only the feature that confirms “possession” of the receiving device. The TAN has nothing to do with “knowledge” here.

Note: Device authentication takes place, depending on the device and user, with a PIN, fingerprint or face recognition. It is important to understand that the type of device authentication has nothing to do with the second factor. This means that if you authenticate with your fingerprint on the device, that is not the second factor. The second factor is then the TAN or OTP that you have to transfer from an SMS or security app to the online banking app, even if the apps involved can transfer this TAN automatically.

Why is an email address not suitable for receiving the 2nd factor?

An e-mail address is often a personal identifier used by only one person and would therefore, like a cell phone number, appear suitable for receiving a second factor, e.g. via SMS or app. The problem is that the rightful possession expected by the “possession” factor cannot be established for an e-mail address.

  • Problem 1: E-mails can be received by any Internet-enabled device with knowledge of the access data. E-mails can be conveniently accessed and managed from multiple devices, and this also applies to the second factor.
  • Problem 2: Access to e-mails often does not require a second factor itself, which breaks the two-factor principle.
  • Problem 3: Users of e-mail addresses are very careless with the access data, especially the password. Users do not treat this data as something they “own”.

All three problems, and there are certainly more, lead to the conclusion that the “possession” of an e-mail address, including its access data, must be questioned.

Problems with two-factor authentication

One problem with two-factor authentication is the “possession” factor. What if the item in question, e.g. a smartphone, is lost or broken? Then it has to be replaced. This means that the codes with which the security apps and the authentication server originally authenticated each other have to be set up again on the new device.
In other words, you have to reactivate the authentication for every service and application for which two-factor authentication has been activated on the smartphone. This can vary in complexity depending on the service and application. With online banking, you often get a new activation code sent by post, and it can take a few days before you can use online banking again. In addition, the replacement device must be usable permanently, otherwise you have to start the whole game over again.

When it comes to the 2FA method, one rarely has a choice. You should therefore think twice about whether to activate two-factor authentication. It is not the ultimate solution. For many uncritical services and applications, authentication with one factor is completely sufficient.
For particularly critical services and applications, it makes sense to have the TAN or OTP sent by SMS. Then a defective smartphone is not a problem, because you simply insert the SIM card into another device and receive the SMS there. In other words, the “possession” factor here is actually not the device but the SIM card.
It is different with an authenticator or security app that has to be activated with a code during setup. The app then has to be set up again for a new device.

Therefore, before activating two-factor authentication, you should be clear about the consequences if you no longer own the device in question, which is tied to the second factor from the “possession” area.

How secure is two-factor authentication?

Let us assume that an attacker sneaks into a network and somehow gains access to passwords, secret keys, certificates and other authentication features. That does not help him, because he does not have the hardware to receive the second factor. Two-factor authentication helps against attacks from outside, where the attacker acts remotely.

But you shouldn't feel too safe, because there are attack methods with which the protection of a login with two factors can be undermined.

  • An attack on two-factor authentication with a TAN received via SMS is possible if the attacker succeeds in redirecting the SMS, for example with a Trojan horse on the smartphone or with a second SIM card that the attacker obtained from the cell phone provider for the phone number in use. It is therefore usually safer if the second factor is generated by an app.
  • With typical security apps, it is often overlooked that the second factor is not a real second factor, for example when the banking app and the security app are installed on the same smartphone. In such a case one can theoretically speak of two-factor authentication, but in practical terms the login is only slightly more secure than with a password alone. If the attacker has remote access to the end device, he can pick up not only the password but also the second factor, and authenticate in place of the user.

2FA procedures

  • PushTAN
  • Mobile TAN
  • U2F - Universal Second Factor Protocol (FIDO Alliance)
  • FIDO2
  • WebAuthn - Web Authentication (W3C)
