Multi-factor authentication


During the last few months, we have noticed that there is a lot of confusion about the topic of two- and multi-factor authentication. Often when online banking apps or extra security layers are added to online accounts, there is a false claim of multi-factor authentication. I have even heard someone (an actual IT professional!) claim that a combination of a user name and a password is in fact two-factor authentication, because one and one makes two. No, it is not!

To successfully explain the concept multi-factor authentication, it is necessary to describe the different types of authentication. So here comes a tedious piece with definitions.

RSA created a good, clear definition of authentication:
“Authentication is a process where a person or a computer program proves their identity in order to access information. The person’s identity is a simple assertion, the login ID for a particular computer application, for example. Proof is the most important part of the concept.”

This definition already stipulates the biggest problem with authentication: how can you make sure the person at the door is really who he claims to be? This has to be verified by asking him something. There are different categories of what can be asked in this case. These are the different verification methods:

  1. Something you know (knowledge)
  2. Something you own
  3. Something you are (personal attribute)

The first method is quite clear:

This entails both, a user name and a password. This is information the user has or remembers and it stays the same for a certain amount of time. In order to access an account of someone else, it suffices to steal the information from the rightful owner in some way.


  • Easy to use for everyone
  • Relatively cheap implementation


  • Secure passwords have to be complex
  • Passwords can be forgotten
  • No further security layer and therefore quite easy to hack
    (e.g. dictionary attack, spyware, social engineering, phishing)


The second method needs more explanation:

The category describes e.g. physical devices that one owns, such as TAN generators, a mobile phone for receiving mTANs, a special token generator, etc. In most cases, the codes generated with such devices are onetime passwords that change with every log-on, which makes sense, security wise.
Stealing a onetime password, for instance with a keylogger or spyware, will not necessarily help a stranger to get into the victim’s account (unless he is able to compromise the browser after infecting the computer with a special trojan, but that is another story). Stealing the actual piece of property or the device can be more helpful, as long as this specific authentication method is not combined with another method.

  • Range of possible authentication devices is diverse
  • Addition of one security layer


  • Authentication device can be lost or stolen
  • Creates a false sense of security if used on log-in device (e.g. mobile phone)


The third method is clear as well:

Things to fall into this category are finger prints, irises, DNA voices and some more. In short: biometrical data. These attributes are seemingly theft-proof, but that’s not entirely true. It is not always necessary to actually take a spoon and take out an eyeball to get illegal access to his accounts, as many Hollywood movies suggest. It often suffices to just steal the hash that is made from the iris, a unique calculated value. It is also very possible to make a copy of a finger print that works for this purpose. Of course, in most cases, it takes a lot of effort to steal or copy someone’s biometrical data, so this is very unlikely to happen to illegally check into the accounts for the online gaming community Habbo Hotel, for instance. This method is currently mostly in practice for high-level authentication purposes, as single-factor authentication or also as part of multi-factor authentication.


  • Higher security-level
  • No password can be forgotten
  • In an ideal world, no bio-identifier (finger, eye, …) can be lost or stolen


  • Higher implementation costs
  • As in every security solution: It is not 100% secure
  • Possibility to create unambiguous movement profile
  • If the calculated hash value is stolen, there is no chance to replace it

To be able to speak of two-factor authentication, there must be a combination of two different authentication methods that are completely independent. A combination of a user name and a password is not enough, as both these data are part of the first authentication method. For two-factor authentication it would be necessary to at least send a onetime password to an independent device, a mobile phone for instance. Normally two-factor authentication is also two-way authentication, but this is not the case if the log-in device is the same as the receiveing device of the onetime password.  In that scenario the second, independent, element is eliminated. Just imagine a piece of spyware on that smartphone. That would be able to record all necessary login data (user name, password plus onetime password) from just one device.

Real-world problems with digital multi-factor authentication on mobile devices

This illustrates the trouble a lot of banks find themselves in today. A lot of log-ins are made from a mobile device, making true two-factor authentication (with actual two-way authentication) more difficult. In fact, we see more and more banks falling back even further with their authentication procedures. Special banking apps, official apps issued by banks and also third-party apps, for smartphones are becoming increasingly popular, and they usually don’t use any form of multi-factor authentication at all. Most banks consider it too user unfriendly to ask people to carry their special bank token or bio data scanner with them at all times to be able to check their balance, so for their banking apps, they abandon two-way authentication and often all forms of two-factor authentication altogether.

To compensate this lack of security, different restrictions are made by several banks: some do not allow making any transfers exceeding a certain amount with the app. Others only allow transferring money to bank accounts one has already transferred money to in the past. But soon, people will no longer accept these restrictions implied by their banking apps.

In order to make online banking on any device truly multi-factor authenticated AND user friendly, chances are, we will be moving towards a solution with biometric authentication carried out with the help of the mobile device. Apparently, one of the biggest drawbacks appears to be the costs for the implementation of such systems. It’s all about the money. Always.Another idea that could be used as second authentication method, besides the user+password knowledge method, could include the information of your SIM card. Usually, information like IMEI and IMSI are unique, bound to the SIM that is inserted into the device used. 

The gist:

There is no doubt about the fact that multi-factor authentication and also multi-way authentication is more secure than single-factor and single-way authentication! And the need for strong authentication has grown, especially with the all-time availability of the Internet on mobile devices and the therefore given almost non-stop work possibility. But, there has to be an individually assessed balance between the usability and the security needs.

Interesting links:

The tech magazine Wired reports: Twitter is about to implement two-factor authentication

Microsoft also blogs on its Official Microsoft Blog: it will implement two-step authentication