High security through multi-factor authentication

Just a few years ago, the theft of access data in the form of an email/username and password meant losing control of your own account. Be it a social media account, app access or access to online banking. Customers are increasingly being offered the option of securing their login with several authentication steps. In this article, you can find out exactly how multi-factor authentication - also known as authentication - works, what advantages it brings and how BSDEX uses this security measure.

What is multi-factor authentication?

Classic authentication describes a login using a user name and password. The simplest example is logging in to an email provider such as Yahoo, Google or T-Online. This is a login using a single factor, the knowledge of the access data. Multi-factor authentication adds at least one more factor to the login process.

Knowledge, biometrics and possession as authentication factors

To authenticate yourself, you need either knowledge, biometrics or possession. A normal login with a user name and password is based on knowledge. You know what your access data is and can use it to log in.

Login BSDEX

Biometrics, i.e. your body, offers an alternative. For example, you can log in using your fingerprint, iris or facial recognition. The best-known example of this is the smartphone. Many smartphones allow you to log in using your fingerprint or by simply holding your face up to the camera. However, it usually remains a simple authentication, as you either use the password or biometrics.

Biometric authentication

The third option for authentication is possession. This can be a special hardware USB stick, for example, which you have to insert into the PC in order to log in. Apple uses this type of authentication, for example, to register a new device. If a login takes place on a new device, the message "Would you like to share the device?" appears on the existing devices. This means that possession/access to a specific item is sufficient.

Ownership Authentication

2-factor authentication (2FA)

As soon as you combine two factors in any combination, this is called 2-factor authentication, or 2FA for short. You should have noticed this 2FA for many logins on the internet by now. Whether Instagram, Facebook or LinkedIn, an optional 2FA is possible for almost all social networks, and authentication via two factors has long been standard for banks. Even 15 years ago, you had a printed TAN list at home that you used to confirm your login and bank transfer. The printed TAN lists are now outdated, but the principle remains the same. The piece of paper has given way to a USB stick or smartphone app. Whether Sparkassen or Volksbank, every user nowadays needs at least two apps for online banking on their smartphone. The normal banking app and an app that contains the code for 2FA. Only with this code is it possible to make a bank transfer, for example, and another example is paying with a smartphone. Here, a combination of possession and biometrics unlocks the card. The smartphone with the bank card set up represents the possession. The login via facial recognition or fingerprint represents biometrics. In contrast, even smaller amounts of 25 to 50 euros can be paid with the possession of a debit or credit card - thanks to contactless payment. In this case, possession alone is enough to authorize card payments of 25 euros, for example.

Biometric authentication

3-factor authentication (3FA)

Three-factor authentication, or 3FA for short, provides additional security. For example, two authentication codes are sent to different endpoints in addition to the login data. For example, to an email address and a telephone number. Alternatively, a login via password can be followed by a fingerprint query and the entry of a security code. Here too, all possible combinations of knowledge, biometrics and possession are possible.

How two-factor authentication works - video from the BSI

YouTube

Implement 2FA easily via smartphone app

The best-known and certainly the simplest option for 2FA is to use an authenticator app. There are various providers of such apps, but the range of functions is generally identical. The first step is simply to download and open the app. Now 2FA is activated where you want to secure the login with further authentication. A QR code or number is usually displayed there. This QR code simply needs to be scanned with the Authenticator app. The app now displays a code, usually six digits long, which changes every 30 seconds. This code must now always be entered when you log in to the respective tool. If you activate 2FA on Instagram, for example, you also have to go to the Authenticator app after logging in with your username and password to copy the code and then enter it. Any number of authentications can be added in the app.

Enhanced security through hardware 2FA

An alternative to digital second authentication are various hardware solutions. This can be an ID card, for example, but also USB sticks, which are produced precisely for this purpose. Hardware 2FA is often described as a more secure method.

Do not lose the 2nd and 3rd authentication factor

The more information you need for access, the more problematic it is to lose. For example, if you lose your smartphone including the Authenticator app and do not have a backup for your smartphone, you will also lose access to the respective tool, product or service. Some providers offer a recovery code, which you receive when setting up 2FA or 3FA and should keep in a safe place. If you no longer have this either, it can be complicated or even impossible to log in again.

Use of multiple devices for authentication

Multi-factor authentication is intended to make logging in more secure. It is therefore best if the device for logging in and the device for authentication are not identical. For example, if the attacker has access to your smartphone and it contains both the login data and the app for 2FA/3FA, then the additional factor is no longer any real protection. It is particularly not advisable to integrate 2FA into a password manager at the same time. This is possible with some providers. Losing access to a browser game is certainly not that bad. However, if the attacker gains access to the password manager including all 2FA codes, all doors are open to them.

Multi-factor authentication offers a significantly higher security factor

Multi-factor authentication, when implemented correctly, offers significantly more security. An example: Let's assume that you have not kept your PC and browser up to date for a long period of time. Unnoticed, you have installed ransomware on your computer that is able to record your keyboard and monitor your browser history. The attacker is now able to log in anywhere you have entered your username and password. But without the second factor, the hackers can't do much with the credentials. The more factors required to log in, the greater the effort required by the attacker. Access data, 2FA code and facial recognition? Access data, email code and notification on your tablet? A hacker attack from a distance might require a real break-in into the victim's home. The effort is certainly too great in most cases.

2-factor authentication at the Börse Stuttgart Digital Exchange

If you want to use the BSDEX services, a 2FA is mandatory. BSDEX uses an SMS tan for this, which is similar to the Authenticator app. As soon as the investor logs in with the access data, they receive a code via SMS which must be entered. It is therefore not possible for an attacker to log in with the access data alone and access the respective account. Even if someone has access to the personal computer, access is not possible.

BSDEX plans to offer optional 3-factor authentication in the future

Offering customers as much security as possible is one of the core values of the Börse Stuttgart Digital Exchange. That is why the introduction of further authentication options is on the BSDEX road map. If 2FA does not offer sufficient security, further factors can be added. However, there is not yet an exact date for 3FA.