Multi-factor authentication

Multi-factor authentication (MFA for short) refers to multi-level procedures for electronic login or authentication in which users must provide two or more "factors" (i.e. characteristics). The term refers to logins for websites, software applications or IT networks.

Why use MFA?

For many years, it was common practice for users to authenticate themselves to websites or services with just one factor. For example, with a password for accessing their personal email inbox, a PIN for accessing online banking or a TAN for an online bank transfer. However, this is now considered too insecure. After all, it must always be assumed that users will use insecure passwords or use the same password for multiple services. This increases the vulnerability to dictionary attacks and brute force attacks; password databases can be hacked and debit cards can be stolen. See also our blog post on the topic of "Password security".

More and more service providers are therefore switching to MFA and requesting additional information from users. This information can be easily provided by the "authentic user", but is very difficult for cyber criminals to obtain. Two factors are usually used (2FA = 2-factor authentication). However, the use of three factors is now quite common (e.g. password, device ID and fingerprint).

Nevertheless, MFA is only as secure as the transmission medium. The third factor only makes sense if it is kept separate from the second factor. It is therefore not recommended, for example, to have the banking app and the push TAN app on the same smartphone.

MFA is used to protect personal data from unauthorised access by third parties. The most common areas where MFA is used are: banking, social media channels, public authorities, insurance companies and internal company access for employees. MFA is recommended or even mandatory in many industries and authorities.

What Types of Factors exist?

The characteristics (factors) that must be specified for authentication can be categorised into the following currently common areas:

  • Knowledge describes "something that the user knows", i.e. information known only to the user. This includes, for example, a password, a PIN/PUK or an answer to a security question. Knowledge factors are the easiest to hack.
  • Possession refers to "something that the user has", i.e. a physical object that only the user owns. This includes, for example, a debit card, an ID card, a smartphone, a USB stick or a dongle. This also includes one-time passwords (OTPs) that are sent to a mobile phone or OTPs generated by smartphone apps. Possession factors are more difficult to hack, but can be stolen, lost or broken.
  • Inherence describes "something that the user is". This includes biometric features such as fingerprints, voice scans, facial scans, iris recognition and behavioural biometric data such as keystroke dynamics. Their advantage is that they cannot be forgotten or lost and are difficult to replicate. On the other hand, they cannot be changed if the underlying database is compromised.
  • The location where the user is located can also be a factor type, e.g. checking the IP address range from which the user usually logs in.

The authentication process could work as follows:

  • A user enters a login name and password to access an account.
  • A second factor is required, e.g. a fingerprint, a PIN or a one-time password (OTP).
  • The user specifies the requested factor based on the information they previously provided when setting up the account.

How are the Factors generated?

There is now a wide range of technical processes for generating the second factor on the user's side or transferring it to the user. Some examples of this are:

  • Smartphone apps (e.g. Google Authenticator, Microsoft Authenticator, TAN generator apps)
  • TAN generators as hardware (e.g. a debit card is inserted, a barcode or QR code is read and the TAN is generated)
  • SMS for mobile TAN procedures
    • e.g. for online banking
    • It is not advisable to use SMS, as its transmission is unencrypted and can be easily manipulated or redirected. This is why many banks no longer offer this method.
  • Web browser (add-ons for an authenticator app, for example)
  • Sensors
    • Fingerprint scanner (fingerprints are "identical" for approximately every 1 billion people)
    • Facial recognition
    • Iris scan
    • Vein scan (a scan of the palm of the hand is even more secure than a fingerprint)
  • Desktop clients
    • These know the secret and generate a code that is valid for a short time (e.g. KeePass)
  • Key file
    • Certificate (transparent for the user, so the user does not have to actively intervene, as the certificate only needs to be available at a known location)
    • SSH key
  • Hardware
    • Debit card (as the first factor in addition to the PIN)
    • Electronic ID card (with reader)
  • Device authentication
    • The user uses a device with a unique and stored ID

Legal Regulations

The revised Payment Services Directive 2 (PSD2) for payment service providers was adopted at European level in 2015. Since 2021, this has required banks to confirm transactions using two independent characteristics from the categories of knowledge, possession and inherence. For credit card transactions, there is the global standard PCI-DSS (Payment Card Industry Data Security Standard), which has required MFA, among other things, since 2022.


In general, it should be noted that setting up the other factors is usually complicated. Specifically, applications must be installed and linked to the user's profile via another channel using QR codes. In some cases, this requires several devices and apps.

In the event of a hardware change, e.g. due to a defect or complete loss of the smartphone, considerable effort is required to migrate the secrets. If the key file is lost, all the secrets will have to be obtained again.


Digital security is crucial in today's world, as both companies and users store sensitive information online. Therefore, access to this data by unauthorised persons must be prevented. MFA serves as an additional layer of security to protect accounts from unauthorised access, even if the password has been stolen beforehand.