For several years now, the consensus in IT security has been that the simple login procedure with name and password alone is neither up-to-date nor secure enough for an increasingly networked and thus more attack-prone online world. [1, 2, 3, 4, 5]
Multi-factor authentication (MFA) provides a significant increase in security. The simplest version of this is two-factor authentication (2FA), which everyone has certainly encountered at some point. Although this system is slowly becoming established in one form or another, many people only use MFA where they are pressured or even forced to do so. This blog post is intended to clarify what exactly MFA is, why it brings significantly higher security and where it can be used. [1, 2, 5]
What are ‘Factors’?
Factors or components are the pieces of information required to authenticate access. They are basically divided into four categories:
- Knowledge: This includes, for example, the classic password. In principle, only the actual authorized person knows this password, but it turns out that others could also either guess it or learn it through security loopholes.
- Possession: Possession factors include all physical objects that can be used for authentication, such as a key or a bank card. Here too, the object could be stolen by others.
- Inherence: Factors that describe what or who you are usually refer to biometric identifiers. Factors such as fingerprints, iris matches, or differences in voice profiles are in almost all cases unique to an individual person. One disadvantage here, however, is that this factor, unlike a password or bank card, cannot be exchanged. If a third party succeeds in creating an (almost) perfect copy, the factor will be irretrievably compromised forever.
- Location: The last factor that is often counted is location, even though in most cases this is only an additional check. We know this from online services, for example, which ask for a new confirmation if you want to log into the account from other devices or from another city.
Furthermore, there are also procedures that cannot be clearly assigned. These include, for example, sending a “one-time password” (OTP) to an e-mail address. Access to a mail account does not fit inherence, since others could also have access, nor does it fit possession, since it is of course not a physical object. It also has no physical properties, such as perfect excludability and rivalry.
All four categories have different advantages on their own, but no factor is perfect. In order to compensate for weaknesses, it therefore makes sense to combine several factors with each other (hence "multi-factor").
An access password (factor: knowledge) can be stolen relatively easily due to insufficient security measures of a platform or because users use a weak password several times. However, if a key card (possession) is also required for authentication, it becomes much more difficult to gain unauthorized (or even unnoticed) access. Withdrawing cash from a bank account has been based on this very concept for decades.
Advantages & Disadvantages
In addition to the indisputable and considerable gain in security from using multiple factors, the method also has disadvantages. These lie mainly in the inconvenience or the effort required to use it. Instead of simply logging into one’s own accounts with a password, 2FA often requires, for example, a one-time password (OTP), which the user receives either by e-mail or via a 2FA app. This means that logging into a web store can sometimes take twice as long.
On the other hand, there is the gain in security that has already been mentioned several times. Of course, this has to be weighed up and decided on a case-by-case basis. However, one should admit that the additional security is much more important than the few seconds saved on a single login to a platform. In practical everyday use, there are few if any applications and situations in which the disadvantages of multi-factor authentication outweigh the advantages. The use of at least two factors (2FA) is therefore actually always sensible. [3, 4, 6]
Even though the German Federal Office for Information Security (BSI) rates various MFA and 2FA procedures differently in terms of their security, it attests that every MFA procedure offers considerably higher protection than a simple login procedure with only a single factor (simple password procedure).
Multi-Factor Authentication in the ViOffice Cloud
Of course, the ViOffice Cloud also offers two-factor authentication. Even though we do not want to force this on our users, we strongly urge them to activate it in order to protect the security of their own data and information.
Several methods of 2FA can be used in ViOffice Cloud:
- Confirmation of login by another device that is already logged in.
- Confirmation of login with a one-time password (OTP) via e-mail.
- Confirmation of login with a one-time password (OTP) via 2FA app (e.g. Aegis for Android, Raivo for iOS or Authenticator for GNU/Linux smartphones).
Which method is used is left up to the users. Several can also be enabled and chosen between as needed. The important thing here is that MFA/2FA is used at all and that it is as easy as possible for users to get started. Ideally, the second factor (e.g., the OTP via app) should not be received via the same device that is used to log in. We recommend using a 2FA app instead of the one-time password via e-mail whenever possible. More information about using 2FA in ViOffice Cloud can be found in our help center.
- IBM (2022): 2FA (Zwei-Faktor-Authentifizierung). Retrieved: 23.08.2022. URL: https://www.ibm.com/de-de/topics/2fa
- IBM (2022): Mehrfaktorauthentifizierung. Retrieved: 23.08.2022. URL: https://www.ibm.com/de-de/topics/multi-factor-authentication
- Bundesamt für Sicherheit in der Informationstechnik (2022): Zwei-Faktor-Authentisierung. Retrieved: 23.08.2022. URL: https://www.bsi.bund.de/DE/Themen/Verbraucherinnen-und-Verbraucher/Informationen-und-Empfehlungen/Cyber-Sicherheitsempfehlungen/Accountschutz/Zwei-Faktor-Authentisierung/zwei-faktor-authentisierung_node.html
- Cybersecurity & Infrastructure Security Agency (2022): Multi-Factor Authentication. Retrieved: 23.08.2022. URL: https://www.cisa.gov/mfa
- Luber, S. & Schmitz, P. (2017): Was ist Multi-Faktor-Authentifizierung (MFA)? URL: https://www.security-insider.de/was-ist-multi-faktor-authentifizierung-mfa-a-631486/
- Bundesamt für Sicherheit in der Informationstechnik (2022): Bewertungstabellen ‘IT Sicherheit’. URL: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Studien/2FA/it-sicherheit.pdf
Jan is co-founder of ViOffice. He is responsible for the technical implementation and maintenance of the software. His interests lie in particular in the areas of security, data protection and encryption.
In addition to his studies in economics, later in applied statistics and his subsequent doctorate, he has years of experience in software development, open source and server administration.