Is Two-Factor Authentication Worth the Effort?

2FA has been touted for years for increased security and by now you've probably encountered it here and there.

I don't know how many times I have asked myself whether two-factor authentication justifies the increased effort.

I know the answer to this question (after all, I've been working in IT for years) - and you probably guessed it too:

2FA represents a significant increase in security. The additional effort of 2FA is on average less than one minute and reduces the success of automated hacking by 99.99% according to studies.

This percentage was stated by Alex Weinert (Microsoft's Director of Identity Security) in his blog.

Still, the main reaction (including my own) to this issue is, unfortunately, mostly negative, because it makes logging in more inconvenient.

But that is exactly the point: the annoying code via SMS or auth app means more effort, but it also means that an attacker needs access to two things.
One is the classic password and the other is the auth code, which is generated anew each time on a second medium that the attacker would also have to control. If someone has compromised your devices, tools such as keyloggers can record keyboard input in order to capture passwords. It can also happen that you have fallen victim to phishing (read more about phishing in this article). Normally, this means that third parties can access the customer account in question. But if you activate two-factor authentication (often simply called authentication), the captured information is not enough to gain access to your customer accounts. One more step is needed. A second factor.

2FA types

  • SMS
  • Auth-code app
  • Stick

These three media are the ones used by us ordinary users. There are more advanced variants (e.g. smart cards) used by government agencies, but I don't know them well enough, nor do I think they are really relevant to this article.

How the auth codes (which are actually called tokens) are generated depends on the technology in the background, which then feeds the output medium mentioned above.
There are various technologies, some of which differ fundamentally in their methodology, but for us users the result is the same: more security.

  • SMS: The absolute minimum variant you should use. It is considered the least secure 2FA method. Although that is true, activating 2FA via SMS is still a massive improvement in security compared to using a password alone.
  • Auth-code app: Means another app on your device, but definitely a useful one. Once set up, the app generates codes at regular intervals that you can use to log in. The procedure is very simple:
    1. Install the Authenticator app on your smartphone (if you haven't already done so).
    2. Switch to the security settings of the service for which you want to use the app.
    3. Select 2FA (if this option is available). The service will then show you a QR code that you can scan with the 2FA app.
    4. Scan the code with your app.
    5. Use the currently generated code.
  • Stick: To confirm, you only need to connect the stick to the device you are using for the login and press the confirmation button (or enter the PIN or similar, depending on the model). So it's very straightforward. There are different models that support different types of connection:
    • USB
    • NFC (you may already know this from contactless payment)
    • Bluetooth

Where to get these sticks:

There are many providers, but probably the best-known is Yubico.

Here you'll get to their page.

The sticks are, by design, considered the safest of the three methods.

A bit about the cryptography behind the sticks:

During registration, two cryptographic keys are created: one private and one public. The public key is stored on the server, the private key on the stick, which it never leaves. The private key is used to sign the login confirmation (often described as encrypting it with the private key); the signed confirmation is transmitted to the server and can only be checked with the matching public key. If someone tries to transmit a fake login confirmation, necessarily signed with a different private key, the check with the public key exposes the fraud and the service denies access to your customer account.
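The following is an added example of my own (not Yubico's code and not the real FIDO protocol, which adds more fields and a browser in between) that models the exchange just described in Go with a P-256 signature: the "stick" keeps its private key and only ever hands out a signature, the server keeps the public key and checks three things: that the challenge is one it issued, that the signature verifies, and that the stick's usage counter moved forward. The relying party name and the account handling are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// SecurityKey stands in for the stick. The private key lives only here and is
// never exported; the only operation offered to the outside is "sign this challenge".
type SecurityKey struct {
	priv    *ecdsa.PrivateKey
	counter uint32 // signature counter, incremented on every use
}

func NewSecurityKey() (*SecurityKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SecurityKey{priv: priv}, nil
}

// Register is the enrollment step: the stick hands out only the public key.
func (k *SecurityKey) Register() *ecdsa.PublicKey { return &k.priv.PublicKey }

// Assertion is what the stick returns for a login: what it signed, and the signature.
type Assertion struct {
	RPID      string // the service the login is for (constructed name, e.g. "example.com")
	Challenge []byte
	Counter   uint32
	Sig       []byte
}

// signedData binds the signature to the service, the fresh challenge and the counter.
func signedData(rpID string, challenge []byte, counter uint32) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	h.Write(c[:])
	return h.Sum(nil)
}

// Sign is what pressing the button on the stick triggers.
func (k *SecurityKey) Sign(rpID string, challenge []byte) (Assertion, error) {
	k.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, signedData(rpID, challenge, k.counter))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{RPID: rpID, Challenge: challenge, Counter: k.counter, Sig: sig}, nil
}

// Server stores, per account, the public key from registration and the last counter seen.
type Server struct {
	rpID        string
	pub         *ecdsa.PublicKey
	lastCounter uint32
	pending     map[string]bool // challenges issued but not yet answered
}

func NewServer(rpID string, pub *ecdsa.PublicKey) *Server {
	return &Server{rpID: rpID, pub: pub, pending: map[string]bool{}}
}

// NewChallenge issues a fresh random challenge for exactly one login attempt.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[string(c)] = true
	return c, nil
}

// Verify is the server's decision. A replayed assertion fails the pending check,
// an assertion for another site fails the RPID check, a fake stick fails the
// signature check, and a cloned stick eventually fails the counter check.
func (s *Server) Verify(a Assertion) bool {
	if !s.pending[string(a.Challenge)] {
		return false
	}
	delete(s.pending, string(a.Challenge)) // one challenge, one answer
	if a.RPID != s.rpID {
		return false
	}
	if !ecdsa.VerifyASN1(s.pub, signedData(a.RPID, a.Challenge, a.Counter), a.Sig) {
		return false
	}
	if a.Counter <= s.lastCounter {
		return false
	}
	s.lastCounter = a.Counter
	return true
}

func main() {
	key, _ := NewSecurityKey()
	srv := NewServer("example.com", key.Register())
	ch, _ := srv.NewChallenge()
	a, _ := key.Sign("example.com", ch)
	fmt.Println("genuine login accepted:", srv.Verify(a))
	fmt.Println("same assertion replayed:", srv.Verify(a))
}
```

Two points the simple "encrypt with the private key" picture leaves out are visible here: the server signs nothing and decrypts nothing, it only verifies; and because the challenge is random and single-use, capturing a valid answer (by malware or phishing) does not help with the next login.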

Now that we've covered the basic points for 2FA, you may be wondering if you should enable this feature for all your services. The honest answer is yes.
But it may be less relevant for unimportant services. As a rule of thumb, as soon as the customer account contains important personal information (especially bank details) and could be misused for identity theft, you should secure your access with two-factor authentication.

There are also certain convenience functions that simplify access, but these should be taken with a grain of salt.

Of course, this does not mean that functions such as "stay logged in" must be avoided, but it does mean that you accept a security risk with them. This is not only because, if your device is stolen, your customer accounts would be open, but also because someone who infects your device with malware gains remote access to those sessions (i.e. no physical access is required).

I hope I have been able to convey the importance of 2FA, and that it will seem a little less annoying next time.
If you like the article, feel free to send it to friends and acquaintances so that they don't end up with serious problems that could easily have been avoided.

If you still have some time to spare, you are welcome to pick up two bonus tips:

Make yourself aware of social engineering:

Even the best 2FA is useless if the codes are given to third parties. This may sound obvious, but unfortunately there are enough cases where fraudsters manage to convince users to give out codes.

Since these fraudsters are trained to look trustworthy, it is not surprising. This is called "social engineering" and the most common characteristic of such a scam is time pressure and the exploitation of emotions (fear, joy, etc.).

The scam can take many different forms, but the goal is always the same: to get an immediate reaction from you. Don't get involved and calmly check the situation: why is it necessary to give out the code? Can I trace the reason back to the service provider in the web or application interface? What do other users write about similar contact attempts? It never hurts to do a little research.

Use Plus-Addressing to register your services

You can increase your security even more by not only using 2FA, but also registering for services with different email addresses. So that you don't need dozens of different ones, you can use plus-addressing (provided your provider supports it). Here you can find out more about this approach.
