Trust and Internet Identity Meeting Europe
2013 - 2020: Workshops and Unconference

What to best use as 2nd Factor to deploy on a large scale

(Lukas Hämmerle)


You have an IdP with several 10-100k users. You want to offer 2nd-factor authentication to the user. Not all users need 2nd factor authentication. Identity-vetting is out of scope. The 2nd factor should be:

  • Cost effective (cheap)
  • Easy to deploy
  • Easy to use for end user
  • With a reliable recovery processes (in case a user loses 2nd factor)

Known 2nd factors:

  • One-Time-Password (Time-based, Hmac-based, challenge-based, on paper, via SMS as Mobile TAN):
  • Mobile ID (SIM card-signed SMS)
  • Yubikey
  • Voice TAN (OTP via landline or mobile phone)
  • Software X.509 certificate
  • Hardware X.509 certificate
  • One Time Token with hardware device
  • App (TiQR) on registration you use QCR code
  • App with push approval
  • Sound-proof (Futurae) with mobile app recording sound generated by PC speaker
  • OTP sent via Email (HAKA, Salesforce)
  • National Citizen ID (signing timestamp like with Austrian Bürgerkarte)
  • Touch ID (iOS)
  • Chip TAN (Banks)
  • Duo Security
  • Remembering Pictures
  • FIDO/U2F
  • Vicinity of a certain device (i.e. Apple Watch) via Bluetooth
  • ….


  • OTP is easy to use, cheap, it’s standardized (RFC, open-source implementation)
  • Technology used should last at least 5-6 years as technology develops (e.g. no USB on mobile phone -> bad for Yubikey)
  • Rolling out mobile based 2nd factor might not be ideal from security point of view if user is also using mobile to access service and if mobile device is compromised
  • It might be needed to support multiple mechanisms as one method might not work for all users (SURCconext e.g. supports Yubikey, SMS and TiQR, which is the most used)
  • Choosing 2nd factor generally depends on the risk to address/problem to solve
  • Authentication might need to be just a tick better than the rest to make you less attractive for an attacker
  • Whatever one chooses, it’s probably useless if targeted by a national agency (e.g. Mossad), so be pragmatic and keep it simple and user-friendly
  • OTP methods might even work on old Nokia phones (or a PC), so less dependent on smart phone.
  • Ease-of-Use (registration, deployment, support) of 2nd factor is key for adoption
  • Recovery process could also involve friends/buddies (Skype is doing something like this)