Information about MFA
Many online service providers now offer procedures with which users can identify themselves in addition to or as an alternative to entering a password when logging into an account. This so-called multi-factor authentication (MFA) is available in numerous variants. Some add an additional factor to the previously entered password, while others completely replace the previous password login with a direct combination of two factors. Hardware-based methods in particular offer a high level of security and should be used in addition to (or instead of) a strong password.
Login with MFA has already been introduced with Shibboleth (also known as single sign-on, or SSO for short) for web applications.
FAQ
In many cases, authentication using several factors begins with the usual entry of a good password. The system that the user wants to log into then confirms that the password entered is correct. Unlike a simple system, however, a correct password does not lead directly to the desired content but to a further barrier. This prevents unauthorized third parties from gaining access to user data or functions simply because they have obtained the password.
Many common two-factor systems rely on external systems after the password request to carry out a two-stage verification of the user. This can mean that the provider you want to log in to sends a confirmation code to another of your devices, e.g. your smartphone. However, the second factor can also be your fingerprint on a corresponding sensor or the use of a USB token or chip card. Only when this means of identity confirmation is also in your possession will you be able to access the requested content and use the online service or device.
TAN/OTP systems as a second factor after a password: A TAN or OTP is a one-time password that can be transmitted as a second factor. In the past, TANs were provided in advance on paper lists (iTAN). However, this procedure has not been considered secure enough for some time. TAN generators (hardware) or authenticator apps (software), which constantly generate new one-time passwords based on time or events, are better. Even more secure are TAN generators that also include data from the transaction (e.g. account number and amount) when generating the TAN (eTAN, chipTAN).
Alternatively, the TAN is transmitted to the user by the service provider via a different transmission channel or to a different end device. Transmission by SMS (mTAN, smsTAN) is particularly common here, possibly with additional transaction information. However, it is not advisable to use the same device for receiving the mTAN as for logging in or using the service (insufficient separation of factors).
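As an added example (not part of this page or of any service it names), the one-time passwords that TAN generators and authenticator apps derive from an event counter (HOTP, RFC 4226) or from the current time (TOTP, RFC 6238), together with the check a service performs on the submitted code. The secret below is the published RFC test secret, an assumption for illustration only; the check tolerates small clock drift but refuses a code for a time step that has already been accepted, which is what makes the password "one-time".

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Base32 form of the RFC 4226/6238 test secret "12345678901234567890" (constructed example).
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """Event-based one-time password: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte selects 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password: HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret_b32, at // step, digits)


def verify_totp(secret_b32: str, submitted: str, at: int,
                last_accepted_step: int = -1, window: int = 1,
                step: int = 30, digits: int = 6) -> Optional[int]:
    """Server-side check of a submitted code.

    Accepts the current time step and `window` steps on either side so that a
    slightly drifting device clock still works, but never a step at or before the
    last step already accepted for this user: a code that was observed in transit
    cannot be replayed for the rest of its validity period.
    Returns the accepted step (the caller stores it as the new last_accepted_step)
    or None when the code is rejected.
    """
    current = at // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_accepted_step:
            continue                                # already used: treat as replay
        expected = hotp(secret_b32, candidate, digits)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            return candidate
    return None


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC_SECRET, now))
    print("accepted step:", verify_totp(RFC_SECRET, totp(RFC_SECRET, now), now))
```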
Cryptographic tokens: A cryptographic token stores a private cryptographic key. Authentication takes place by sending a challenge to the token, which only a holder of the private key can answer correctly.
The key can be stored as a software certificate (known from ELSTER), but it is more secure to store it in hardware on a chip card (HBCI, signature cards) or a special USB stick/NFC token (FIDO/U2F). The ID card and the electronic residence permit also contain a secure key memory and thus enable the online ID function.
Biometric systems: Biometric systems verify the presence of a previously recorded unique physical feature (fingerprint, face, retina). Biometric features are not normally “secret”, so it is important to ensure that the systems cannot be tricked with a photo, for example.
For most people, confirming their identity to digital systems is a routine procedure that they don't actively think about. In contrast, security experts focus very intensively on login procedures. From an information security perspective, a user's login is divided into three clearly defined phases:
Authentication refers to the proof of identity by the user, e.g. by entering a username and password.
Authentification refers to the verification of identity by the system, i.e. the verification of details and, if necessary, the request for additional proof as part of the MFA.
Authorization describes the assignment of rights based on the proven identity, i.e. the access granted to the user after successful login.
The difference between authentication, authentification and authorization can be summarized as follows:
Authentication is the proof of identity, authentification is the verification of identity and authorization is the access to the system after passing the check.
In everyday life, these individual steps are of course closely linked, which is why the terms can often be used interchangeably.