Two-factor authentication - in a nutshell
In an environment such as e-banking, where security is critical, two- or multi-factor authentication (2FA or MFA) has become an increasingly common method of controlling access. This security procedure is also known as "strong" authentication.
In connection with authentication, there are a few key security concepts that merit a brief explanation:
Authentication vs Authorisation
A user authenticates him-/herself on a system by proving their identity. The system (or application) authenticates the person, that is, it checks the authenticity of the proof that the person has provided. A successful authentication authorizes the person to do or to have access to certain things, i.e. the person is granted the rights which he or she claimed.
Authentication factors
In a scenario with multi-factor authentication, at least two different and independent factors must be provided by the same person for verification. These factors are divided into three groups as follows, with corresponding examples:
- Knowledge (something you know): PIN, password, user name
- Possession (something you have): SecurID token, mTAN code, badge
- Biometrics (something you are): fingerprint, retina scan, vein pattern, voice recognition
Depending on the area of application, certain factor combinations may be more or less suitable.
2FA/MFA
With authentication via a web browser, all factors originate from the same input device (PC, mobile phone, etc.) and are transmitted to the website over a single encrypted channel. If an attacker gains control of this channel, they obtain both factors at once. To reduce this risk, dynamic factors can be used. One example is the RSA SecurID hardware token (factor group: possession), which works according to the time-based one-time password (TOTP) procedure. This device generates a new, temporary 6-digit token code every minute, and each token code can only be used once. Used in combination with a PIN (factor group: knowledge), this results in very secure authentication.
Physical access to a data center typically requires several factors that are applied in several steps. For example, a valid badge (factor group: possession) is necessary to enter a separation system (a mantrap that admits one person at a time). Inside this system, a fingerprint scan (factor group: biometrics) can be required as a second factor. Only if all factors result in successful authentication is access to the interior granted.
To ensure strong and reliable authentication for the systems operated by aspectra, we offer a wide range of authentication means and methods. Our clients can choose from options including mobile TAN (mTAN), mobile OTP, matrix card, email OTP, RSA SecurID, Kobil SecOVID, VASCO Digipass, client certificates (X.509, SuisseID, etc.), CrontoSign, Kobil AST, Swisscom Mobile ID (Mobile Signature Services), OATH tokens, or a combination of several methods. Contact us so that we can discuss your requirements and find the suitable solution for your project.