Identity Protection Glossary

Two-Factor Authentication (2FA)

A security procedure that requires two independent forms of identity verification, typically a password plus a one-time code (TOTP) or a hardware key. It prevents account takeover even when the password has been stolen.

Two-factor authentication (2FA) is a subset of multi-factor authentication (MFA) that combines exactly two factors. The term is often used interchangeably with MFA, even though MFA can also involve three or more factors.

The three factors of authentication

Each authentication factor falls into one of three categories:

Knowledge (Something you know): Password, PIN, security question—information known only to the user.

Possession (Something you have): Smartphone (for a TOTP app or SMS code), hardware token (YubiKey, FIDO2), smart card.

Inherence (Something you are): Biometrics – fingerprint, facial recognition, iris scan.

2FA typically combines: Knowledge (password) + Possession (one-time code on the smartphone).

Comparison of 2FA Methods

SMS-based 2FA (OTP via SMS)

How it works: After entering the password, a one-time code is sent via SMS.

Issues:

  • SIM swapping: Attackers convince mobile carriers to transfer the number to their own SIM card
  • SS7 vulnerabilities: Weaknesses in the SS7 mobile signalling protocol allow SMS to be intercepted (mainly by state actors)
  • Device loss: Whoever controls the phone has the 2FA factor

Recommendation: Better than no 2FA, but insufficient for critical accounts.

TOTP (Time-based One-Time Password)

How it works: An app (Google Authenticator, Authy, Microsoft Authenticator) generates a 6-digit code every 30 seconds based on a shared secret and the current time.

Implementation: RFC 6238, HMAC-SHA1-based.

Strengths:

  • No network required (works offline)
  • SMS interception not possible
  • Widely used and easy to implement

Weaknesses:

  • Vulnerable to Adversary-in-the-Middle (AiTM) phishing: If a user enters the code on a phishing site, the attacker can relay it to the real site within the same time window
  • The shared secret must be stored securely on the server (if the server database is compromised, every user's TOTP seed is compromised)
  • Time-dependent: System time must be synchronized

FIDO2 / Passkeys (Phishing-resistant)

How it works: Public-key cryptography. The private key never leaves the device. Authentication is bound to the domain (the relying-party ID), so the key does not work on a phishing domain.

Implementation: W3C WebAuthn standard, CTAP2 protocol.

Hardware authenticators: YubiKey, Google Titan Key, Nitrokey.

Platform authenticators: Windows Hello, Face ID/Touch ID on iPhone/Mac, Android Fingerprint.

Strengths:

  • Phishing-resistant: Domain binding prevents use on fraudulent sites
  • No shared secret to steal: the server stores only the public key
  • User-friendly: Fingerprint instead of typing in a code

Weaknesses:

  • Device loss issues (recovery keys or backup authenticator required)
  • Older systems/browsers do not support FIDO2
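The domain binding described above is enforced by the relying party (the server) when it checks an assertion: the browser writes its own origin into clientDataJSON, and the authenticator hashes the relying-party ID into authenticatorData, so an assertion produced on a look-alike domain fails these checks before any signature is examined. The following is an added illustration in Python, not code from the page or from any WebAuthn library; the origins, RP ID, challenge and sign counter are constructed sample values, and verification of the signature with the registered public key is deliberately left out (it would follow on `signed_message`).

```python
import hashlib
import json
import struct

# authenticatorData flag bits (WebAuthn): bit 0 = user present, bit 2 = user verified
FLAG_USER_PRESENT = 0x01
FLAG_USER_VERIFIED = 0x04


def parse_authenticator_data(auth_data: bytes) -> dict:
    """First 37 bytes of authenticatorData: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    return {
        "rp_id_hash": auth_data[:32],
        "flags": auth_data[32],
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def check_assertion_binding(client_data_json: bytes, auth_data: bytes, expected_rp_id: str,
                            allowed_origins: set, expected_challenge: str,
                            last_sign_count: int = 0) -> dict:
    """Relying-party checks that come before signature verification of an assertion.

    Returns the list of failed checks and the exact byte string the authenticator signed
    (authenticatorData || SHA-256(clientDataJSON)); a phishing origin cannot pass 'origin'
    or 'rpIdHash', which is what makes FIDO2 phishing-resistant."""
    client_data = json.loads(client_data_json)
    problems = []
    if client_data.get("type") != "webauthn.get":
        problems.append("type")
    if client_data.get("challenge") != expected_challenge:   # fresh, server-chosen challenge
        problems.append("challenge")
    if client_data.get("origin") not in allowed_origins:     # browser fills this in, the page cannot
        problems.append("origin")
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        problems.append("rpIdHash")
    if not parsed["flags"] & FLAG_USER_PRESENT:
        problems.append("user-presence")
    # A counter that did not increase suggests a cloned authenticator (0 means "not supported").
    if parsed["sign_count"] != 0 and parsed["sign_count"] <= last_sign_count:
        problems.append("signCount")
    signed_message = auth_data + hashlib.sha256(client_data_json).digest()
    return {"ok": not problems, "problems": problems, "signed_message": signed_message}


def build_sample(origin: str, rp_id: str, challenge: str, sign_count: int = 7) -> tuple:
    """Constructed stand-in for what a browser hands the server; no real authenticator involved."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth = (hashlib.sha256(rp_id.encode()).digest()
            + bytes([FLAG_USER_PRESENT | FLAG_USER_VERIFIED])
            + struct.pack(">I", sign_count))
    return cdj, auth


if __name__ == "__main__":
    ALLOWED = {"https://login.example.com"}          # constructed sample values
    legit = build_sample("https://login.example.com", "example.com", "c2FtcGxl")
    phish = build_sample("https://login.example-com.net", "example-com.net", "c2FtcGxl")
    print(check_assertion_binding(*legit, "example.com", ALLOWED, "c2FtcGxl", 3)["problems"])
    print(check_assertion_binding(*phish, "example.com", ALLOWED, "c2FtcGxl", 3)["problems"])
```

The phishing sample fails on both `origin` and `rpIdHash` because the browser only lets a page request credentials for its own registrable domain; relaying the assertion to the real site does not help the attacker, since the real server expects its own RP ID and origin.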

Hardware tokens (HOTP / dedicated)

HOTP (Counter-based OTP): Like TOTP, but the moving factor is an event counter instead of the time. RSA SecurID is a classic example.

Hardware tokens: Dedicated devices that do not rely on a smartphone, intended for high-security environments.
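The TOTP section above and the HOTP paragraph here describe the same construction with a different moving factor, so one added example covers both. It is illustration code written for this entry, not code from the page or from any authenticator app: HOTP per RFC 4226 (HMAC, dynamic truncation, modulo 10^digits), TOTP per RFC 6238 as HOTP over floor(time / 30 s), and a server-side verifier that accepts one step of clock skew while refusing to accept a step it has already consumed. The secret is the published RFC test-vector seed, used only so the outputs can be checked against the RFCs; `verify_totp`, `skew` and `last_used_counter` are names chosen here.

```python
import base64
import hashlib
import hmac
import struct
import time

# ASCII seed from the RFC 4226 / RFC 6238 test vectors, so results can be compared with the RFCs.
TEST_SECRET = b"12345678901234567890"
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # the same seed as apps exchange it (Base32)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, decimal mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter replaced by the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_totp(secret: bytes, submitted: str, unix_time: int, step: int = 30, skew: int = 1,
                last_used_counter: int = -1) -> tuple:
    """Server-side check. Returns (accepted, counter_to_remember).

    skew=1 accepts the previous and next step as well (clock drift, typing delay); this
    tolerance is also why a code phished and relayed within the window is still accepted.
    Remembering the last accepted counter stops the same code from being replayed."""
    base = unix_time // step
    for delta in range(-skew, skew + 1):
        counter = base + delta
        if counter <= last_used_counter:
            continue                                          # already consumed: refuse replay
        if hmac.compare_digest(hotp(secret, counter, len(submitted)), submitted):
            return True, counter
    return False, last_used_counter


def secret_from_base32(encoded: str) -> bytes:
    """Decode the seed as it appears in an otpauth:// URI (Base32, padding often omitted)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    now = int(time.time())
    print("current code for the test seed:", totp(TEST_SECRET, now))
    print(verify_totp(TEST_SECRET, totp(TEST_SECRET, now), now + 20))   # accepted within skew
```

Checking the block against the RFC vectors: counter 0 yields 755224 (RFC 4226), and T = 59 s yields 287082 with six digits or 94287082 with eight (RFC 6238). Note that the server must hold the seed in the clear to run this, which is the "shared secret must be stored securely" weakness listed above.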

Push authentication

Apps like Microsoft Authenticator, Duo Security, or Okta send a push notification: "Please confirm the login attempt." The user taps "Approve."

Risk: MFA fatigue / push bombing: An attacker who already holds the credentials triggers push request after push request until the user approves one by accident or out of impatience. Countermeasure: Number matching (the user must enter a number shown in the login prompt into the app).
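Push bombing leaves a recognisable trace in the authentication log: many prompts for one account in a short time, and in the worst case an approval that follows a run of denials. The following is an added example of that detection logic in Python; it is not code from the page or from any of the products named above. The log format (timestamp, user, event) and the lines themselves are constructed for the example, and the thresholds of five prompts in ten minutes are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log, not a real product's format. "carol" denies once and approves a
# separate, legitimate prompt 15 minutes later; "alice" shows the push-bombing pattern.
SAMPLE_LOG = """\
2024-05-03T08:01:12Z alice push_sent
2024-05-03T08:01:40Z alice push_denied
2024-05-03T08:02:05Z alice push_sent
2024-05-03T08:02:31Z alice push_denied
2024-05-03T08:02:50Z alice push_sent
2024-05-03T08:03:10Z alice push_denied
2024-05-03T08:03:25Z alice push_sent
2024-05-03T08:03:44Z alice push_denied
2024-05-03T08:04:02Z alice push_sent
2024-05-03T08:04:20Z alice push_approved
2024-05-03T08:10:00Z bob push_sent
2024-05-03T08:10:12Z bob push_approved
2024-05-03T09:30:00Z carol push_sent
2024-05-03T09:30:20Z carol push_denied
2024-05-03T09:45:00Z carol push_sent
2024-05-03T09:45:15Z carol push_approved
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(push_\w+)$")


def parse_log(text: str) -> list:
    """Turn log lines into (timestamp, user, event) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3)))
    return events


def detect_push_bombing(events: list, window_seconds: int = 600, prompt_threshold: int = 5) -> list:
    """Sliding window per user. Emits (user, finding, timestamp) for:
    - push_volume: the prompt count inside the window reaches prompt_threshold
    - approve_after_deny: an approval while at least one denial is still inside the window
    The second pattern is the one that usually means the attacker succeeded."""
    recent = defaultdict(deque)        # user -> deque of (timestamp, event) inside the window
    findings = []
    for ts, user, event in sorted(events):
        window = recent[user]
        window.append((ts, event))
        while window and (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        sent = sum(1 for _, e in window if e == "push_sent")
        denied = sum(1 for _, e in window if e == "push_denied")
        if event == "push_sent" and sent == prompt_threshold:   # fire once, on crossing the line
            findings.append((user, "push_volume", ts))
        if event == "push_approved" and denied > 0:
            findings.append((user, "approve_after_deny", ts))
    return findings


if __name__ == "__main__":
    for user, kind, ts in detect_push_bombing(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {user}: {kind}")
```

On the sample, only alice is flagged (both patterns); bob's single approved prompt and carol's later legitimate approval produce nothing. An `approve_after_deny` finding is a reasonable trigger to revoke the new session and re-verify the user, and it disappears once number matching is enforced, because a user who did not initiate the login has no number to type.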

Why 2FA Doesn’t Protect Against Everything

2FA with TOTP does not protect against:

  • AiTM Phishing: Real-time session cookie theft (TOTP is relayed live)
  • Malware on the device: Infostealers extract TOTP seeds from browser-extension authenticators
  • Social engineering: Users are convinced to disclose their TOTP code over the phone

Phishing-resistant 2FA (FIDO2) protects against all of these attacks.

Compliance requirements

NIS2 Art. 21: Explicit requirement for multi-factor authentication for privileged access.

BSI IT-Grundschutz ORP.4 / SYS.2: MFA for privileged accounts and remote access.

ISO 27001 A.5.17: Authentication information – MFA as best practice.

PCI DSS v4.0 Req. 8.4: MFA mandatory for all privileged access and all remote access.

Recommendations for Organizations

  1. Immediately: Enable 2FA for all employees (at least TOTP)
  2. Priority 1: FIDO2 keys for privileged accounts (domain admins, IT admins, executive management)
  3. SMS 2FA: Only where no other method is possible, and then only as a temporary solution
  4. Store backup codes securely (not in the same system as credentials)
  5. Define a recovery process: What happens if an employee loses their 2FA device?