
Why Two-Factor Authentication (2FA) is Essential

Two-Factor Authentication (2FA) is indispensable in protecting against cybercrime, as passwords alone are no longer secure enough. 2FA offers additional protection through a second authentication factor such as SMS codes, biometrics or security keys. Cybercriminals have developed a variety of attack methods, such as phishing or ransomware, making data protection increasingly important for companies and private individuals.

Tobias Strenk
M365 & IT-Security Consultant

Table of contents

  1. The Growing Threat of Cybercrime
  2. 2FA as an Effective Protective Measure
  3. Legal Requirements
  4. Multi-Factor Authentication (MFA) with Microsoft
  5. Conclusion
  6. References

 

In today's digital world, companies and individuals are facing ever greater challenges when it comes to protecting sensitive data. Passwords alone no longer provide sufficient security, as cybercriminals are constantly developing new methods to crack or steal them. This is where Two-Factor Authentication (2FA) comes into play, providing an additional shield against unauthorized access and thus becoming an indispensable part of modern security strategies.

 

In addition to the password, this technology requires a second form of proof, such as a code from an authenticator app or a security key. Below, we take a look at the growing threat of cybercrime and explain why 2FA is an effective protection measure. We also look at how legal requirements are influencing the adoption of Multi-Factor Authentication and what advantages this method offers over traditional authentication methods.

 

    

1. The Growing Threat of Cybercrime

    

The digital world has become a battleground where cybercriminals are using increasingly sophisticated methods to infiltrate systems and steal sensitive data.

    

In its Digital Defense Report 2023, Microsoft sounded the alarm and called on companies to be more vigilant [1]. This warning is no coincidence, as the threat landscape has changed dramatically in recent years.

 

Current statistics on hacker attacks

The figures speak for themselves: cybercrime causes enormous economic damage every year. A study by the industry association Bitkom e.V. found that the total damage caused by cyberattacks amounted to 148 billion euros in 2023 [2]. This figure illustrates the immense financial burden that companies and organizations have to bear as a result of cyberattacks.

 

The increase in so-called foreign offences (Auslandstaten) is particularly worrying. These are cybercrimes committed from outside Germany or from unknown locations that cause damage in Germany; they have increased continuously since they were first recorded separately in 2020. In 2023, an increase of 28% was recorded compared to the previous year [2]. This shows that cybercrime is a global problem that does not stop at national borders.

 

However, there is a positive trend in the clearance rate. In 2023, it rose by three percentage points to 32.2% [2]. This indicates that law enforcement agencies are improving their ability to combat cybercrime.

 

Common attack methods

Cybercriminals use a variety of methods to penetrate systems and cause damage. The most common attack vectors include:

  1. Phishing and social engineering: These methods aim to trick users into disclosing sensitive information. Fraudulent emails or websites are used to steal data or spread malware [2].
  2. Ransomware: This form of malware encrypts data on infected systems and demands a ransom for decryption. In 2023, over 800 companies and institutions reported ransomware attacks [2].
  3. DDoS attacks (Distributed Denial of Service): These attacks aim to make services inaccessible by flooding servers or networks with an overwhelming amount of traffic [3].
  4. Malware: Various types of malware such as viruses, worms and Trojans can infiltrate systems through infected links, unsafe software downloads or malicious email attachments [3].
  5. SQL injection and cross-site scripting: These techniques exploit vulnerabilities in web applications to gain unauthorized access to databases or inject malicious code into websites [4].

The German Federal Office for Information Security (BSI) has also registered a worrying increase in vulnerabilities in software products. With an average of almost 70 new vulnerabilities per day, an increase of around 25% was recorded compared to the previous year. It is particularly alarming that around one in six of these vulnerabilities is classified as critical [5].

 

Consequences of data leaks for companies

The effects of cyberattacks and data leaks on companies are diverse and often devastating:

  1. Financial losses: The average cost of a data breach worldwide is around 4.35 million US dollars. In the USA, the average is as high as 9.44 million US dollars [1].
  2. Damage to reputation: The loss of trust among customers and partners can have serious long-term consequences [1].
  3. Legal consequences: Companies must expect legal disputes and regulatory penalties from supervisory authorities [1].
  4. Business interruptions: Cyberattacks can lead to production stoppages and thus to considerable losses in sales [3].
  5. Data loss: The theft of sensitive data can have far-reaching consequences, especially when it comes to personal data, financial information or trade secrets [3].

The increasing professionalization of cybercrime, particularly through the concept of "cybercrime-as-a-service", presents companies with new challenges [5]. To counter these threats, it is essential to invest in cyber security, train employees and promote a culture of vigilance. This is the only way for companies to protect their digital assets and ensure the integrity of their systems.

 

    

2. 2FA as an Effective Protective Measure

    

Two-Factor Authentication (2FA) has proven to be an effective method to significantly improve the security of online accounts. It requires users to confirm their identity through two different components, which significantly increases protection against unauthorized access [6]. This additional layer of security makes it much harder for cybercriminals to gain access to sensitive information, even if they have cracked a user's password [7].

 

How different 2FA methods work

There are a variety of 2FA methods that can be used depending on requirements and preferences:

  1. SMS-based 2FA: With this method, the user receives a one-time code via SMS on their smartphone [8].
  2. Authenticator apps: These apps regularly generate new codes directly on the user's device and offer a more secure version of Two-Factor Authentication (2FA), as they are less susceptible to phishing attacks than traditional SMS codes [8].
  3. Physical security keys: Hardware devices, such as FIDO2 security keys, are used for login and offer a high level of security [8].
  4. Biometric procedures: Individual physical characteristics, such as fingerprints or facial recognition, are used for authentication [8].
  5. Push notifications: Some services send a notification to a trusted device, which the user must approve for confirmation [8].

 

Comparison of security levels

The various 2FA methods offer different levels of security:

  1. Knowledge factors: Although passwords are widely used, they are considered the most vulnerable type of authentication factor [6].
  2. Possession factors: Software tokens and hardware tokens offer a higher level of security, as the user must physically possess them [6].
  3. Inherence factors: Biometric features such as fingerprints or facial features are the most difficult to crack, but a compromise is devastating because they cannot be replaced [6].
  4. Behavioral factors: These check identity on the basis of behavioral patterns such as IP address range or typing speed [6].

It is important to note that true 2FA systems use two factors from different categories to maximize security [6].

 

User experience and acceptance

Despite the increased security, the implementation of 2FA can affect the user experience:

  1. Prolonged login process: Multi-Factor Authentication can slightly prolong the login process [9].
  2. Risk of loss of access: If users no longer have access to their possession-based factor, they may lose access to the corresponding service [9].
  3. Lack of uniformity: A uniform 2FA standard has not yet been established, which can lead to confusion among users [10].
  4. Diversity of implementation strategies: Different websites implement 2FA differently, which affects the consistency of the user experience [10].

 

To increase acceptance, it is advisable to activate 2FA as soon as an online service offers it [9]. Many services ship with the function deactivated by default even though it is available, so it is worth checking the login settings of each account [9].

 

Despite possible inconveniences, the German Federal Office for Information Security (BSI) strongly advises against deactivating Two-Factor Authentication [9]. The advantages of increased security clearly outweigh the minor disadvantages of using it.

 

In summary, Two-Factor Authentication (2FA) is an extremely effective security measure that significantly reduces the risk of unauthorized access, even if the password has been stolen [8]. It makes phishing attacks more difficult and increases users' confidence in the protection of their accounts [8]. Although the implementation and use of 2FA can present certain challenges, the security benefits far outweigh the potential inconveniences.

 

    

3. Legal Requirements

    

GDPR and other relevant regulations

The General Data Protection Regulation (GDPR) forms the legal framework for the protection of personal data in the European Union. Although the GDPR does not make any specific technical provisions, it requires that an adequate level of data protection be ensured [11]. This can be achieved through technical and organizational measures (TOM), which include securing systems with a login [11].

 

In this context, traditional authentication with a user name and password can be sufficient in many cases [11]. However, Two-Factor Authentication (2FA) offers a higher level of security. Depending on the type of data processed and the existing risks, it may therefore be advisable to opt for 2FA [11].

 

In the area of information security, 2FA is becoming increasingly important. In the SME sector in particular, more and more companies are seeking certification or want to maintain it [11]. Depending on the chosen standard, it may be necessary to secure access via 2FA as part of information security [11].

 

Obligation for 2FA in e-commerce

In the e-commerce sector, the situation has changed fundamentally as a result of the European Union's revised Payment Services Directive (PSD II). This directive requires strong customer authentication for all electronic payments [12].

 

This means that purchases in online stores that are paid for by credit or debit card, PayPal or Klarna must be approved with Two-Factor Authentication [12].

 

PSD II stipulates that the identity of the payer must be verified on the basis of at least two factors from the following three categories [12]:

  1. Knowledge (e.g. a password)
  2. Possession (e.g. a smartphone for receiving TAN codes, or a card that is used via a card reader)
  3. Inherence/biometrics (e.g. a fingerprint or facial scan)

Although the responsibility for implementing this procedure lies mainly with payment providers such as banks, credit card companies, PayPal or Klarna, online merchants should ensure that the payment methods they offer comply with the new guidelines [12].

 

It should be noted that the German Federal Financial Supervisory Authority (BaFin) has granted a temporary deferral for card payments [13]. Despite this postponement, the national regulations of the Payment Services Supervision Act (ZAG) have applied as planned since September 14, 2019 [13]. Section 55 ZAG, which regulates Two-Factor Authentication, is likely to be regarded as a market conduct rule and therefore relevant under fair trading law [13].

 

Liability risks in the event of non-implementation

Failure to implement 2FA can result in significant liability risks for companies. Although 2FA is not required by law in all areas, it is increasingly recommended as best practice [14]. Companies that do not implement adequate security measures risk not only financial damage, but also reputational damage in the event of a cyberattack [14].

 

Stricter regulations apply in certain sectors. In the financial sector, PSD II requires strong customer authentication for all electronic payments, for example to prevent the misuse of credit cards [14]. In healthcare, the Health Insurance Portability and Accountability Act (HIPAA) regulations in the US require the use of a second factor to protect electronic patient data [14].

 

In light of the increasing number of cyberattacks and data breaches, the introduction of strong authentication methods is becoming more and more important. Governments and regulators are placing increasing emphasis on user security, which is putting pressure on companies to implement more secure authentication methods [14].

 

The German Federal Office for Information Security (BSI) strongly recommends setting up and using Two-Factor Authentication wherever possible [15]. This underlines the growing importance of 2FA as a security standard.

 

In summary, it can be said that the legal requirements for 2FA vary depending on the industry and use case. While it is already mandatory in some areas, such as e-commerce, it is increasingly seen as best practice in other areas. Companies should carefully consider the implementation of 2FA to minimize legal risks and ensure the security of their systems and customer data.

 

   

4. Multi-Factor Authentication with Microsoft

    

Microsoft uses the term Multi-Factor Authentication (MFA), a more general and flexible form of 2FA. Microsoft 365 (M365) integrates MFA seamlessly and provides an additional layer of security by requiring a further verification step in addition to the password. This can be done via an authenticator app, SMS, phone call or hardware token, for example [16].

This is how MFA works with M365 [16]:

  1. Login: A user logs in to M365 with their user name and password.
  2. Second verification: After entering the password, a second form of authentication is required. This could be a push notification in the Microsoft Authenticator app, an SMS code, a call or another verified factor.
  3. Access: After successful verification of the second factor, the user is granted access to the M365 services.

    

Administrators can enforce MFA in Microsoft 365 through Conditional Access for specific scenarios and user groups. Conditional Access makes it possible to require MFA only under certain conditions, based on factors such as user location, device status or the application being accessed.

    

Here are some of the conditions under which admins can enforce MFA [16]:

  1. User group: MFA can be enforced for certain user groups, e.g. for administrators, managers or external users.
  2. Location: Admins can require MFA if a user is outside a trusted location (e.g. the corporate network). For example, MFA may be required if a user is accessing from a foreign country or from an unknown network.
  3. Device state: MFA can be enforced based on the state of the device, e.g. if a device does not comply with company policy (not registered, not encrypted, etc.).
  4. Risk-based: Microsoft 365 may decide to request MFA based on risk assessments when suspicious sign-in activity is detected, such as sign-in attempts from unusual locations or at unusual times.
  5. Application: Admins can enforce MFA for access to certain sensitive applications or services within M365, such as access to Azure portal management or other critical enterprise applications.
  6. Login type: MFA can be enforced only for certain logins, e.g. for the first access or when logging in from a new device.

These conditional access rules allow for a flexible and customized MFA implementation that increases the level of security without making user access unnecessarily difficult.
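The following added example (not Microsoft's Conditional Access engine and not code from the original article) models the six conditions listed above as independent rules and evaluates constructed sign-in events against them, so that an administrator can see which condition triggered the MFA requirement. The trusted network ranges, country list, group names and application names are placeholder assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List

# Constructed tenant settings (placeholders, not Microsoft defaults).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),        # corporate LAN
                    ipaddress.ip_network("203.0.113.0/24")]     # office egress range
HOME_COUNTRIES = {"DE", "AT", "CH"}
PRIVILEGED_GROUPS = {"global-admins", "managers", "external-guests"}
SENSITIVE_APPS = {"azure-portal", "exchange-admin"}


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: FrozenSet[str]
    ip: str
    country: str
    device_compliant: bool
    risk: str            # "none" | "low" | "medium" | "high" (constructed labels)
    app: str
    known_device: bool   # False on first access or from a new device


def in_trusted_location(s: SignIn) -> bool:
    """Trusted = home country and source address inside a named corporate range."""
    addr = ipaddress.ip_address(s.ip)
    return s.country in HOME_COUNTRIES and any(addr in net for net in TRUSTED_NETWORKS)


# One rule per condition in the text; MFA is required if any rule matches.
RULES = [
    ("user group",   lambda s: bool(s.groups & PRIVILEGED_GROUPS)),
    ("location",     lambda s: not in_trusted_location(s)),
    ("device state", lambda s: not s.device_compliant),
    ("risk-based",   lambda s: s.risk in {"medium", "high"}),
    ("application",  lambda s: s.app in SENSITIVE_APPS),
    ("login type",   lambda s: not s.known_device),
]


def mfa_reasons(s: SignIn) -> List[str]:
    """Names of every condition that fires; an empty list means password-only access."""
    return [name for name, rule in RULES if rule(s)]


def requires_mfa(s: SignIn) -> bool:
    return bool(mfa_reasons(s))


# Constructed sample sign-ins.
OFFICE = SignIn("anna", frozenset({"staff"}), "10.20.30.40", "DE", True, "none", "teams", True)
TRAVEL = SignIn("anna", frozenset({"staff"}), "198.51.100.7", "US", True, "none", "teams", True)
ADMIN = SignIn("root-admin", frozenset({"staff", "global-admins"}), "10.0.0.5", "DE", True, "none", "azure-portal", True)
RISKY = SignIn("bob", frozenset({"staff"}), "10.0.0.9", "DE", False, "high", "teams", False)

if __name__ == "__main__":
    for s in (OFFICE, TRAVEL, ADMIN, RISKY):
        print(f"{s.user:<11} MFA={requires_mfa(s)!s:<5} reasons={mfa_reasons(s)}")
```

The same user is waved through from the office but challenged when travelling, which is the "without making user access unnecessarily difficult" trade-off the text describes.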

 

    

5. Conclusion

   

Two-Factor Authentication has proven to be an effective protective measure against the growing threats in the digital space. It provides an additional layer of security that makes it much more difficult for cybercriminals to gain unauthorized access to sensitive data. Given the variety of methods by which passwords can be cracked or stolen, 2FA is proving to be a more reliable option than any password, no matter how complex. The increasing use of 2FA in various areas, from e-commerce to corporate networks, underlines its importance in modern cyber security.

 

To improve digital security, it is crucial that organizations and individuals take advantage of 2FA or MFA and incorporate it into their security strategies. Although implementation can be challenging at first, the long-term benefits far outweigh the short-term inconveniences. As digitalization progresses and threats continue to evolve, multi-factor and Two-Factor Authentication will undoubtedly play a key role in protecting digital identities and data.

   

    

6. References

 

[1] https://www.microsoft.com/de-de/security/security-insider/microsoft-digital-defense-report-2023
[2] https://www.bka.de/DE/AktuelleInformationen/StatistikenLagebilder/Lagebilder/Cybercrime/2023/CC_2023.html
[3] https://www.ecos.de/blog/auswirkungen-von-cyberangriffen-was-man-wissen-sollte
[4] https://www.rapid7.com/de/cybersecurity-grundlagen/types-of-attacks/
[5] https://www.bsi.bund.de/DE/Service-Navi/Publikationen/Lagebericht/lagebericht_node.html
[6] https://www.ibm.com/de-de/topics/2fa
[7] https://secutain.com/wissen/einfach-erklaert-wie-funktioniert-die-2-faktor-authentifizierung
[8] https://www.ftapi.com/glossar/zwei-faktor-authentifizierung/
[9] https://www.bsi.bund.de/DE/Themen/Verbraucherinnen-und-Verbraucher/Informationen-und-Empfehlungen/Cyber-Sicherheitsempfehlungen/Accountschutz/Zwei-Faktor-Authentisierung/zwei-faktor-authentisierung_node.html
[10] https://nachrichten.idw-online.de/2024/03/13/neuer-ansatz-um-den-prozess-der-zwei-faktor-authentifizierung-auf-websites-zu-vergleichen
[11] https://www.hub24.de/blog/2-faktor-authentisierung/
[12] https://ixtenso.de/technologie/fuer-mehr-sicherheit-bei-online-zahlungen.html
[13] https://business.trustedshops.de/blog/legal/psd2-zwei-faktor-authentifizierung-verpflichtend-oder-nicht
[14] https://www.cidaas.com/de/blog/zwei-faktor-authentifizierung-pflicht/
[15] https://www.bsi.bund.de/DE/Themen/Verbraucherinnen-und-Verbraucher/Informationen-und-Empfehlungen/Cyber-Sicherheitsempfehlungen/Accountschutz/Zwei-Faktor-Authentisierung/Bewertung-2FA-Verfahren/bewertung-2fa-verfahren_node.html
[16] https://learn.microsoft.com/de-de/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation