Classic authentication involves logging in with the help of a username and a password, as seen with email providers like Yahoo, Google, or T-Online. This is a single-factor login based on knowledge of credentials. Multi-factor authentication (MFA) extends the login process by at least one additional factor.
There are three main methods for authentication
A normal login with username and password is based on knowledge. You know what your access data is and can use it to log in. To authenticate yourself, you require either knowledge, biometrics, or possession. A standard login with a username and password is based on knowledge. You know your login credentials and can use them to sign in.
An alternative method is biometrics, which involves your body. For instance, you can log in using your fingerprint, iris, or facial recognition. The most common example is smartphones, where you can sign in by using your fingerprint or simply hold your face up to the camera. However, it usually only involves a basic form of authentication, as you either use your password or biometrics.
The third method of authentication is possession. This could be a special hardware USB stick that you plug into your PC to log in. Apple uses this type of authentication, for example, to register a new device. If a login occurs on a new device, a message appears on the already existing devices saying “Do you want to authorize this device?”. Thus, only possession/access to a specific item is required.
When any two of these factors are combined, it’s called two-factor authentication, abbreviated as 2FA. You may have noticed this 2FA option for many logins on the internet, whether it be on Instagram, Facebook, or LinkedIn.
For banks, two factor authentication has long been the standard. Fifteen years ago, people used a printed TAN list at home to confirm logins and transactions. Printed TAN lists are now obsolete, but the principle remains the same. The paper has been replaced by a USB stick or smartphone app. Whether it’s Sparkasse or Volksbank, nowadays every user needs at least two apps for online banking on their smartphone. The regular banking app and an app that contains the code for 2FA.
Another example is payment with a smartphone. Here, a combination of possession and biometrics unlocks the card. The smartphone, with the bank card set up, represents possession. The login via facial recognition or fingerprint represents the biometrics. In contrast, smaller amounts of 25 to 50 euros can be paid with just the possession of an EC or credit card –– thanks to contactless payment. In this case, the mere possession of the card, for example, enables you to make a 25-euro card payment.
Three-Factor Authentication, abbreviated as 3FA, provides additional security. In addition to login credentials, two authentication codes are sent to different endpoints –– for instance, to an email address and a phone number. Alternatively, a password login can be followed by a fingerprint scan and security code entry. Any combination of knowledge, biometrics, and possession is possible here.
For increased security, it’s advisable to authenticate with a different device than the one used for login.
For example, if an attacker gains access to a user’s smartphone, which contains both the login data and the app for 2FA/3FA, the additional factor is no longer a real safeguard.
Correctly implemented multi-factor authentication provides significantly more security. For example, if a user’s PC and browser have not been kept up to date for an extended period, they may have inadvertently installed ransomware that can record their keyboard and observe their browser history. The attacker can now log in anywhere the user has provided a username and password. Still, without the second factor, the hackers cannot do much with the access data. The more factors required to log in, the greater the effort required for the attacker. Access data, 2FA code, and facial recognition? Access data, email code, and notifications to your tablet? A remote hacker may require physical intrusion these cases, making the effort too great for hackers.
To use BISON services, 2FA is mandatory. BISON uses an SMS TAN similar to the Authenticator app. After the investor logs in with their access data, they receive a code via SMS, which must be entered. This process ensures that an attacker cannot access the account with just the login data.
Krasnoff, B. (2023) “How to set up two-factor authentication on your online services,” The Verge, 18 April. Available at: https://www.theverge.com/23612381/two-factor-authentication-2fa-amazon-twitter-how-to, last accesseed 12.09.2023.
Two-factor Authentication (2022). Available at: https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Informationen-und-Empfehlungen/Cyber-Sicherheitsempfehlungen/Accountschutz/Zwei-Faktor-Authentisierung/zwei-faktor-authentisierung_node.html, last accesseed 12.09.2023.
Shacklett, M.E. and Contributor, T. (2021) “What is multifactor authentication and how does it work?,” Security. Available at: https://www.techtarget.com/searchsecurity/definition/multifactor-authentication-MFA , last accesseed 12.09.2023.
The content of this article is for informational purposes only and does not constitute financial, investment, and/or trading advice. We strongly recommend that you conduct the necessary research before making an investment, and/or trading decision. Please note that past performance does not guarantee future results.
Liability of the Börse Stuttgart Group and its subsidiaries for the article is excluded.