Multi-factor authentication (MFA), usually in the form of 2-factor authentication, is on everyone's lips. You read a lot about its benefits, and yet it is often perceived as a nuisance when "the second factor" has to be entered yet again. Still, this technology offers unbeatable advantages for the information and IT security level of an organisation.
But how does 2-factor authentication actually work? And what does the use of this technology improve, i.e. where is the concrete benefit?
With 2-factor authentication, access to a system is not granted solely on the basis of a correct combination of user name and password; a further authentication feature, the second factor, must also be provided. This is usually a time-limited one-time password or token generated, for example, by one of the so-called authenticator apps (e.g. Authy, Microsoft Authenticator, Google Authenticator). The "first factor", the password alone, is therefore not sufficient to gain access to the system. The user account in question and the second factor are linked by cryptographic means: only if both match will the system grant access.
So where is the concrete advantage? Quite simply, requiring a second factor for authentication removes the basis for the vast majority of attacks on passwords. Conventional access systems based exclusively on user names and password authentication can often be outwitted by cracking the passwords in use. Attackers take advantage of the fact that many users are very careless when choosing their passwords. Often one and the same password, frequently far too simple, is used for different services. "Far too simple" means either easy to guess or simply too short and containing too few special characters. By systematically trying all possible combinations (a so-called "brute force" attack) or by an automated comparison against collections of previously gathered passwords (a so-called "rainbow table" attack), such passwords can very often be recovered. Many users underestimate the risk, yet an averagely powerful computer can typically make several hundred thousand attempts per second. 2-factor authentication therefore adds an additional layer of security: even if an attacker has succeeded in guessing a password, it is of no help as long as the second factor is not also within the attacker's reach.
In other words, brute force and rainbow table attacks that try or guess passwords come to nothing. A few seconds of extra effort from time to time to enter the second factor is highly effective protection against some of the best known and most commonly used attacks. The argument that 2-factor authentication is annoying and inconvenient is also put into perspective by how modern systems behave: in most cases the second factor is not required every time a user logs in, but only in certain situations, for example after a certain period of time has elapsed or when a new browser or device is used for the first time.
By the way: in the vast majority of cases, any authenticator app can be used as the second factor. It does not always have to be Microsoft Authenticator or Google Authenticator; the underlying technologies are highly standardised, so most authenticator apps are interchangeable.
In general, the BSI recommends so-called two-factor authentication