Two-factor authentication for user verification
How two factor authentication works
Often two-factor authentication begins with the normal entry of a good password. The system confirms the correctness of an entered password. This does not immediately lead to the desired content, but to a new barrier. This prevents unauthorised persons from accessing user data or functions if they have the password.
Many two-factor systems use external systems after the password request to perform the two-step user verification. This can result in providers receiving a confirmation code for another device such as the smartphone. However, the fingerprint on corresponding sensors, a USB token or a smart card can also serve as a second factor. Only then can one use the requested content, online service or device. It is important that the factors come from different categories and thus knowledge (e.g. PIN, password), biometrics (e.g. fingerprint) or possession (e.g. TAN generator, smart card) are used in combination.
Some procedures combine several factors directly with each other. With regard to the online ID function of the ID card, the aspect "possession of chip card" can only be used together with the aspect "knowledge of PIN". Only then does authentication take place at the provider. This leads to even greater security than with the sequential verification of a password and a single second factor.
Common systems for two factor authentication
TANs and OTPs are one-time passwords that are transmitted as a second factor. Cryptographic tokens store private cryptographic keys. Authentication is performed by sending a query to a token, and tokens can only be answered correctly with private keys. In biometric systems, previously captured unique physical characteristics such as face, retina or fingerprint are verified. Life recognition is important.
Use of these security procedures
With online banking, you log in with a password and have the transactions confirmed with mTan or pushTan. Otherwise, HBCI or chipTAN also work.
The chip in debit or credit cards confirms ownership and knowing the PIN legitimises the transaction. With the online ID card function, the chip transmits the data by entering the PIN. In addition, mutual authentication and end-to-end encryption of the read data takes place between the service provider and the ID card.
Social media platforms and cloud or mail providers offer a secure login with mTan and password or an OTP from the Authenticator app. Alternatively, hardware-based U2F/FIDO tokens also work. You can submit your tax return digitally with ELSTER. Logging in is done via a password-protected software certificate or the online ID card function of the ID card.