More and more companies rely on two-factor authentication. Given the "creativity" users show when choosing their passwords, it is no wonder that the takeover of employee accounts remains a core problem of IT security.
2FA Doesn't Necessarily Hold Up Better
At this point, a two-factor authentication (2FA) solution promises more security. An additional factor is included in the authentication process, which creates a further barrier in the event of an attack and is intended to slow attackers down. Possession factors are increasingly used for this. However, not all two-factor authentication is the same: different technologies are used in this area, some of which differ greatly from one another and have different advantages and disadvantages, both for security in general and for the risk of attack.
Two-Factor Authentication With SMS Tokens
The best-known type of two-factor authentication uses SMS tokens. A random code is generated each time a user logs in and is sent to the user's smartphone by SMS. According to a blog post from Google, automated bot attacks can be completely blocked in this way. For large-scale phishing campaigns, the figure is almost 100 percent. Nevertheless, SMS tokens are rightly considered the least secure 2FA variant. If attackers succeed in deceiving the mobile operator and porting the victim's phone number to another SIM card, the tokens can be intercepted in a SIM swap attack. An SMS token can also be reused if it is sent to a malicious server as part of a social engineering campaign.
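As an added illustration (not code from the original article), the following sketch shows how a server can issue and check SMS codes so that a captured code is of limited use: each code comes from a CSPRNG, is bound to one login session, expires quickly, can be guessed only a few times and is accepted once. The class name, the 120-second lifetime and the three-attempt limit are assumptions; the sketch narrows the reuse window but does not address SIM swapping or a code relayed while it is still valid.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120   # assumed validity window
MAX_ATTEMPTS = 3         # assumed guess limit per issued code


class SmsCodeStore:
    """In-memory stand-in (hypothetical) for a server-side store of pending SMS codes."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # session_id -> [digest, expires_at, attempts_left]

    @staticmethod
    def _digest(session_id, code):
        # Keep only a digest bound to the login session, never the code itself.
        return hashlib.sha256(f"{session_id}:{code}".encode()).digest()

    def issue(self, session_id):
        """Create a fresh 6-digit code for one login attempt; the caller sends it by SMS."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not the random module
        self._pending[session_id] = [
            self._digest(session_id, code),
            self._clock() + CODE_TTL_SECONDS,
            MAX_ATTEMPTS,
        ]
        return code

    def verify(self, session_id, submitted):
        """Accept a code at most once; reject expired, replayed or cross-session codes."""
        entry = self._pending.get(session_id)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[session_id]
            return False
        entry[2] = attempts_left - 1
        if hmac.compare_digest(digest, self._digest(session_id, submitted)):
            del self._pending[session_id]  # single use: a replay finds nothing
            return True
        return False
```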
2FA With Smart Cards
Smart cards, or integrated circuit chip cards, are typically used for two-factor authentication in highly secure Windows environments. The smart card is the size of a normal credit card but is equipped with an integrated chip that stores a digital certificate used to uniquely identify the user. This certificate is encrypted and must be activated with a PIN. This means that the hardware-based certificate has strong security features. For larger companies, however, managing a public key infrastructure is extremely time-consuming, especially if the smart cards have to be made available at various locations internationally.