
What is actually... Two-factor authentication?
On our own behalf
One of the biggest concerns of many companies is the theft of internal data. Given the increase in reported data thefts in recent months, that concern is not unjustified. The consequences of such an incident are usually not only financial damage but also a loss of trust and reputation among customers. Cyber criminals usually obtain sensitive data by way of legitimate credentials: either by directly attacking the database in which the credentials are stored, or by persuading authorised persons to disclose them through targeted phishing attacks.
Two years ago, the security company Rapid7 subjected 268 companies to a penetration test and actively attacked their existing security measures. It found that only 15% of the companies used two-factor authentication to protect confidential data. Even an automatic account lockout, triggered by several failed login attempts within a short time (as happens during a brute-force attack), was in place at only 20% of the companies.
Two-factor authentication exists so that an account stays protected even when a brute-force attack (or a phishing e-mail) has yielded the password. As the name suggests, it combines two factors: something you know, for example a password, and something you have, classically a token. A stolen password alone is then no longer enough to log in. Used comprehensively and correctly, two-factor authentication is a very effective security measure. Google also uses this technology and claims to have had no cases of account theft since introducing a token-based system.
A token generates numeric one-time codes at regular intervals from a cryptographic key that is unique to that token (typically the TOTP scheme of RFC 6238, where the code is derived from the key and the current time step). Since each code is valid only for a very short time, you have to have the device with you to log into your account. Tokens come in different forms. The simplest and most primitive is sending a one-time code by SMS to a mobile phone, as banks do with a TAN to confirm an online transaction. However, SMS is not end-to-end encrypted and can be intercepted in the mobile network or diverted to an attacker's phone by SIM swapping, so this method is an attractive solution for very few companies (and most banks). Tokens are also available as standalone apps for smartphones, which offer significantly higher security: the one-time code is generated on the device itself, so no mobile network connection is needed and code generation works offline. That is very convenient when you are in the server room in the basement of a thick concrete building with no reception.
There are also hardware-based solutions, for example a small dedicated device with an LCD display that generates and shows a code at the push of a button. Fortinet offers such a device as the FortiToken. Fortinet also offers tokens that plug into a USB port and confirm a login at the push of a button.

Marcel Zimmer is the Technical Managing Director of EnBITCon. During his time in the German Armed Forces, the trained IT developer gained experience on numerous projects. His interest in IT security was awakened largely by his service in command support. Since leaving active service he has remained a reservist in the Bundeswehr.
His first firewall was a Sophos UTM 120, which he had to set up for a customer project. Since then his interest in IT security has grown steadily, and over time various security and infrastructure topics have come into his focus. His most interesting projects have included WLAN coverage in an explosion-proof area and a multi-site WLAN solution for a large