2FA stands for Two-Factor Authentication and requires users to present two different factors during login or when executing critical actions. Generally, both factors are independent of each other. The first security level is the password. If this is correct, the second, independent factor is requested.
What types of authentication factors exist?
Generally, the following types are distinguished: knowledge, possession, biometrics, and behavior. An example of the knowledge factor would be knowing the answer to a specific question, an additional PIN, or a password. The "possession" factor refers to having access to a physical device, such as a smartphone, a chip card, or similar. Biometrics is self-explanatory - these are unique characteristics of the user, such as fingerprints, facial features, or the iris. Behavioral factors analyze how the user acts - this would include location or typing patterns.
What are common 2FA methods?
The most common type of second factor in practice is and remains SMS, where a one-time code is sent. Authenticator apps for Android or iOS are also popular and very secure - worth mentioning here are the Authy app and Google Authenticator. The codes these apps generate follow the HMAC-based One-Time Password (HOTP) and Time-based One-Time Password (TOTP) standards. Hardware tokens are also an option - these are physical devices that generate a code. An example would be the YubiKey.
Smartphone owners are usually also familiar with another factor - namely the push notification received when trying to log into certain accounts (usually Google or Apple accounts). To stay with the "smartphone" example: modern smartphones allow you to use your fingerprint as a second factor for certain actions.
What are the advantages and use cases of 2FA?
Not much needs to be said - a second authentication factor brings additional security and is essentially mandatory for critical accounts (bank account, social media account, email accounts, shopping, credit card access). 2FA protects against phishing attacks or password theft via so-called infostealers or keyloggers. Often attackers have the password but cannot log in because of the second factor. Additionally, good logging of authentication events allows a quick response to such attacks. In a business context, implementing 2FA (or MFA) is among the measures required from a compliance perspective.
What are the disadvantages and risks of 2FA?
The "time" factor is often mentioned as a disadvantage - honestly though, we're only talking about a few seconds of additional waiting time until you can successfully log in. That's the price for significantly increased security.
2FA isn't perfect - not every factor is equally secure. An example is SMS-based codes: these can often be intercepted, since the underlying SS7 protocol is outdated and considered compromised. If you've caught malware on your smartphone or PC, all factors based on that device (SMS, email, authenticator app) may no longer be secure - here you have the classic "man in the middle" problem. In the case of SMS, you might even be in a dead zone - and consequently not receive the SMS, so you can't log in.
Hardware dependency is also a disadvantage - especially when using authenticator apps, if you lose your smartphone or it breaks. Accordingly, you should keep backups so you can still access your accounts.
Our recommendations for using 2FA
Certainly, you don't need to activate 2FA for every hobby forum account, but using it for accounts whose compromise could cause damage is absolutely mandatory. Generally, using authenticator apps is recommended, as they are more secure than SMS codes - but: SMS is better than nothing. Not everyone has the ability to intercept SMS - it depends on your own threat model!
If account security is particularly important to you (or if you have special reasons for it), you might consider whether it would be worth using a second smartphone exclusively for 2FA. With this smartphone, you don't browse the web, don't open emails, and have no additional apps installed. This reduces the risk of catching malware somewhere or installing an app that sends more data than it should.