Definitions

Processes in the context of a logon

  • Authentication is the transmission of your access data (e.g. user name and password) and the verification of these access data.
  • Authorization is the permission to use the requested service.
  • Accounting is the recording of who has used the service, when, how and from where.
  • Identification links the access data to persons or identities.

Authentication token

"Token" refers to any object that can generate, store, and transmit information for the purpose of identification and authentication.

A distinction is made between 3 different types:

  • Connected
    Here, a specific piece of hardware must be connected to a device.
    Example: bank card that is inserted into the reader.
  • Contactless
    A hardware component must be brought close to a device.
    Example: ATM card with NFC chip.
  • Separate
    A hardware or software component that either generates a code or in which a question must be confirmed.
    Example: online banking, with authentication via the bank's app.

2FA methods for separate tokens

There are a variety of methods, including:
  • TAN lists
    Shouldn't really be used anywhere anymore.
  • SMS
    Is now rarely used, since obtaining a copy of the SIM card is sufficient to receive a valid 2nd factor.
  • HOTP
    This generates one-time passwords (OTPs) that are valid in a specific order, similar to the TANs used in the past.
  • TOTP
    The password is only valid for a limited time (30/60 seconds).
  • Push
    You have to confirm via your 2nd factor that you are logging in. This is often additionally secured by having to pick a specific option in the prompt.
  • FIDO2
    There must be compatible hardware on or near the device you want to log in with, which is registered for this user and which performs the authentication. So it is basically a combination of connected/contactless and separate tokens, and it probably offers the highest protection.

Other terms

  • Account
    An account is a combination of a user ID/user name and a password. These two elements form the so-called access data.
  • MFA
    If the 2nd factor is secured with an additional factor (PIN, biometrics such as fingerprint or facial recognition, …), this is referred to as multi-factor authentication.
  • MitM
    In a man-in-the-middle attack, an attacker tries to lure you to a page that is a copy of the page you actually want to access.
    The data you enter there is then used to log into the "real" system in your place, and the attacker gains access to your data.
    If this happens within the validity period of a 2nd factor, even the 2nd factor will not protect you!
  • MFA bombing
    With push tokens, an attacker sends confirmation requests repeatedly until the user approves one and access is granted (MFA fatigue).