As of: April 4, 2024, 5:25 a.m
By: Fabian Hartmann
Comments
Press
Split
Two-factor authentication is intended to offer users more security when logging in. She does that too, says an expert. However, myths still surround 2FA.
Bremen - In view of increasing digital threats such as phishing attempts or hacker attacks, which the Federal Office for Security and Information Technology (BSI) also warns about in its management report on IT security (2021), many consumers are trying to ensure their security to protect the vastness of the Internet. Also because security gaps can quickly affect important services such as your own online banking.
For example, additional authentication via a code provided externally by an app can help. The search engine giant Google, for example, offers this with its “Authenticator”. But logins in particular on new devices or devices other than the usual ones can involve seemingly avoidable additional effort - and sometimes even cost users nerves.
Does two-factor authentication make logins more secure for internet users?
The so-called two-factor authentication (2FA) is intended to make the login process more secure for Internet users. In order to be verified, users must also enter a code after entering their email address and password as usual. This was previously created individually for the user by the authenticator app.
“Attackers who have obtained the username and password via social engineering or data leaks cannot simply take over the online account in question without the 2FA code,” say the experts at the Tuch
platform
chip.de.
An expert clears up two myths in the context of 2-factor authentication. © Silas Stein/dpa/Symbolbild
Security researcher Anna Lena Fehlhaber from the University of Hanover, who works there as a lecturer in the area of “Human Factors in Cybersecurity”, also agrees. “If implemented correctly
,
2FA protects against account or resource theft,” she says in an interview with
chip.de.
She considers it unlikely that someone would get both factors in an account and know that they belong together.
Myth 1: Two-factor authentication is not vulnerable to common threats
Although 2FA can increase security on the Internet and in services such as online banking, according to
chip.de
experts, there are still some myths surrounding the ominous second step of authentication for logins. “Waterproof” namely, According to c
hip.de,
contrary to what many users assume,
2FA is not.
“This is due to the different registration modules,” write the platform’s experts.
My news
1500 euros per month - Citizen's benefit recipient emphasizes: "It's just too much money for my standards" read
WhatsApp disruption: Tens of thousands of people cannot use Messenger
Contribution service sends letters to thousands of households - if you don't respond, you risk being fined
“Accumulation of vehicles” spotted: Russia’s army is moving new tanks to Crimea
“That touched a nerve”: Breakfast café has to close shortly after opening – due to too many guests reading
Pensions in Germany: Voluntary additional payments reach record highs
To log into their account on a different or new device, the user must first enter a password, a PIN or the answer to a security question to start the login process. For the second login step, an item that is in the respective user's possession is often required. A hardware token can be used for this, for example, or a smartphone that receives the numerical code sent via app or SMS. According to
the
chip.de
experts, the latter is not as secure as some people might think.
Because SMS are unencrypted and can be manipulated comparatively easily. 2FA also does not protect against phishing or social engineering attacks - i.e. attempts to deceive 2FA users in order to obtain personal data. “This is one of the most common threat scenarios on the Internet,” says security researcher Anna Lena Fehlhaber from the University of Hanover, lecturer in the field of “Human Factors in Cybersecurity,” in an interview
with
hip.de.
Myth 2: 2-factor authentication requires a second device
There is also a widespread assumption that a second device is absolutely necessary for 2FA. But according to the
chip.de
experts, this is also wrong. According to them, it is entirely possible to use your own smartphone for both steps of the login process.
For example, a user can enter their password for an email service and then verify the login attempt using a fingerprint. The first factor is “knowledge”, the second “biometrics” - but both work on the same device.
This is also the reason why many security experts criticize SMS-based 2FA. “Strictly speaking, this is not a real 2-factor authentication,” says expert Fehlhaber. Finally, SMS messages could be redirected. “You don’t have to have a smartphone to receive them,” she adds.
(fh)