Two-Factor Authentication

What is two-factor authentication in simple terms?

Two-factor authentication (2FA) or multi-factor authentication (MFA) are security mechanisms. Two (2FA) or multiple (MFA) methods of proving the user’s identity are required to access an account or platform. Instead of using just a single password, a second code or confirmation step is required, often using another device such as a smartphone. Additional authentication methods can take several forms: something the user knows (password), something the user has (smartphone, token) and something that the user is (biometric authentication using fingerprint or face recognition). By combining multiple authentication methods, MFA offers an increased level of security and thus protects against unauthorized access of sensitive data or resources.

MFA is also a requirement for “Strong Customer Authentication” (SCA), which is mandated by the EU’s Payments Service Directive (PSD2) and applies within the EEA and UK. MFA is mandated to increase the security of electronic payments. SCA requires two or more authentication methods.

Why is two-factor authentication important to the security of payments?

2FA plays an important role in securing payments by providing an additional layer of security that makes it more difficult for malicious actors to access accounts or initiate fraudulent transactions. Even if an attacker gains access to the password, they still require the second factor in order to log in and initiate a payment. This makes gaining access far harder, increasing the security of payment processes, particularly online.

Furthermore, the owner of the account is directly informed that a third party has attempted to log in to their account, allowing the owner to change their password.

This increased security reduces the risk of payments fraud and chargebacks, safeguards the reputation of businesses and increases trust among consumers that their payment data is secure. Two-factor authentication can thus help minimize financial losses due to fraudulent activities and safeguard the integrity of payment systems.

What various types of authentication methods are used for two-factor authentication for payments?

Two-factor authentication for payments can use different types of authentication methods to verify the identity of the consumer and increase transaction security. Typical factors include something the customer knows (e.g. a password or PIN), something the customer has (e.g. a smartphone or smartcard) and something that the customer is (e.g. biometrics like fingerprints or face recognition). This increases security, as even if one factor is compromised, the attacker still needs to circumvent the second factor. The wide range of available methods allows merchants to customize their payment systems to meet the needs of their consumers.

Card schemes like Mastercard and Visa often use their own MFA methods to increase security. One example is Visa Secure. For each online transaction, Visa Secure verifies the identity and creditworthiness of the cardholder by establishing a secure connection between the online shop and the issuing bank. The customer is asked to enter their password to confirm their identity. This protects cardholders from fraud, while also protecting merchants by guaranteeing that they will receive payment.

How does the need to comply with requirements like PCI DSS affect the implementation of two-factor authentication in payment systems?

Complying with requirements such as PCI DSS has a significant impact on the implementation of two-factor authentication in payment systems for merchants. PCI DSS outlines stringent security standards for processing, storing and transferring card data, in order to safeguard the security of transactions and prevent fraud. PCI DSS requires merchants to implement additional security measures like two-factor authentication. This helps merchants reduce the risks of fraud, ensure they comply with data protection regulation, increase trust among their customer base and avoid sanctions or fines imposed for non-compliance.

Can two-factor authentication be compromised, and what measures can be taken to minimize these risks?

While two-factor authentication (2FA) is generally viewed as a very secure method of protecting accounts, it can still be compromised. Merchants should ensure that the 2FA method they are using effectively protects consumers without being a significant burden. The following measures can help reduce the risks of an account being compromised:

Strong authentication methods: Some authentication methods like SMS codes are more easily compromised than others. More secure methods like authentication apps and physical security keys can reduce this risk, especially regarding phishing attempts.
Active monitoring: Merchants should implement systems that monitor and identify suspicious activity, in particular regarding the authentication of customers. This could include logging authentication events and monitoring anomalies in order to identify potential attacks at an early stage.

Partner	Name	Description	Duration
IXOPAY GmbH	cookiesConsent	Cookie Banner. Stores your cookie settings.	12 Months
IXOPAY GmbH	_fm	User centric security cookie to detect authentication abuses. Filters out computer/bot generated Website requests.	30 Minutes
Google Ireland Limited	reCAPTCHA	User centric security cookie to detect if a human being or a computer is making a specific entry in our contact or newsletter form.	6 Months
Cloudflare Inc.	cf_clearance	Used by Cloudflare (Website Security Network) to identify trusted web traffic, and protect our website against malicious activity (see Cloudflare's Cookie Informations).	30 minutes

Partner	Name	Description	Duration
Google Ireland Limited	_ga	Analytical cookie set by the service Google Analytics used to distinguish visitors. Collects data about number of visits and user journey.	2 years
Google Ireland Limited	_gid	Analytical cookie set by the service Google Analytics used to distinguish visitors. Collects data about number of visits and user journey.	24 h
Google Ireland Limited	_gat_ua-keynumber	Analytical cookie set by the service Google Analytics used to throttle the request rate, limiting the collection of data on Websites with high traffic.	Session
Google Ireland Limited	_ga_container-id	Cookie set by the service Google Analytics 4. The cookie is used to persist session state.	12 month
Microsoft Ireland Operations Limited	Clarity	Analytical service capturing your interactions on the Website such as how the page has rendered and what interactions you had on the Website (surfing behavior: mouse movements, clicks, scrolls). Microsoft collects or receives personal data from us to provide Microsoft Advertising (see Microsoft Privacy Statements). Sensitive content such as passwords, usernames, and user input are masked before sending to Microsoft.	12 months
Dealfront Group GmbH	_lfa	Analytical service that collects the visitor IP address to detect corporate visits and their geographic location. Leadfeeder only shows company visits, automatically filtering out all users visiting from residential IP addresses. All visit data is aggregated Dealfront Group GmbH / Analytical service that collects the visitor IP address to detect corporate visits and their geographic location. Dealfront only shows company visits, automatically filtering out all users visiting from residential IP addresses. All visitor data is aggregated on the company level (no reference to natural persons). Via a connection to Google Analytics, Dealfront shows company visitors' interactions on the Website (pages viewed, visitor source and duration of session). Dealfront also enriches that company data with contact data for individuals from publicly available data sources (eg. LinkedIn).	24 months

Partner	Name	Description	Duration
Google Ireland Limited	_gcl_au	Conversion-cookie set by the service Google Ads for assessing advertisement efficiency across our Websites and on websites of our marketing- & advertising partners.	3 months
Google Ireland Limited	_gac_gb_container-id	Cookie which connects Google Analytics und Google Ads. Google Ads website conversion tags will read this cookie.	90 days
Microsoft Ireland Operations Limited	Universal Event Tracking (UET)	Conversion-cookie set by the service Microsoft Advertising for assessing advertisement efficiency across our Websites and on websites of our marketing- & advertising partners. In general, the cookie in the relevant domain and your IP address are passed to Microsoft with every http request and not just via UET.	13 months

Glossary

Two-Factor Authentication