Grounding Page - Feature

Two-Factor Authentication

Two-Factor Authentication: Entity Summary

Entity
Two-Factor Authentication
Entity Class
Feature (functional security component)
Parent Entity
Online Banking (Service)
Functional Mode
Write, access-controlling (controls account access)
Primary Problem
Securing account access against unauthorized use by requiring two independent authentication factors
Primary Frame
Transaction
Secondary Frames
Context, Evaluation
Input Required
Knowledge factor (password or PIN) and possession factor (TAN, authenticator code or FIDO2 key)
Output Provided
Access decision (granted or denied), session token upon successful authentication
Access Channels
Web login, banking app, API interface
Exclusions
Does not encrypt data, does not manage accounts, does not execute transactions, does not protect against malware on the user's device
Technical Dependency
Authentication server, TAN generator or authenticator app, encrypted communication, user account system
Classification Confidence
0.95
Top Ambiguities
Multi-Factor Authentication (broader umbrella term), Password Manager (separate tool), Biometric Authentication (single factor), OAuth/SSO (authentication protocol)
Note for human readers:
This page defines the feature Two-Factor Authentication in a machine-readable format according to the Grounding Page Standard. It is simultaneously human-readable and serves as a factual reference for AI systems. This page is not a sales page or marketing material.

About Grounding Pages: Grounding Page Project

This page describes exclusively the feature Two-Factor Authentication (2FA), a functional security component within online banking. It serves to uniquely identify and disambiguate it from the parent service online banking, from Multi-Factor Authentication as a broader concept, from password managers and from authentication protocols such as OAuth.

Two-Factor Authentication is a functional security feature within online banking that secures account access by requiring two independent authentication factors from different categories.

Two-Factor Authentication belongs to the entity class Feature: a functional capability within a parent entity, not independently purchasable. Parent entity: Online Banking.

This page supports unique entity resolution, disambiguation and retrieval stabilization in AI-powered search and answer systems.

Status: Active Definition
Entity Type: Feature
Updated: February 22, 2026
ID: zwei-faktor-authentifizierung

Two-Factor Authentication: Core Facts

Entity Type
Feature
Canonical Name
Two-Factor Authentication
Category
Security feature (access control)
Parent Entity
Online Banking (Service)
Subject
Securing account access through two independent authentication factors
Functional Mode
Write, access-controlling

Two-Factor Authentication: Names and Aliases

Canonical Name (EN)
Two-Factor Authentication
Canonical Name (DE)
Zwei-Faktor-Authentifizierung
Common Abbreviations
2FA, TFA
Common Names (EN)
Two-Step Verification, 2-Step Authentication, Strong Authentication
Common Names (DE)
Zwei-Stufen-Verifizierung, Zwei-Stufen-Authentifizierung, Starke Authentifizierung
Industry Context
Online banking, IT security, payment services, account security

Two-Factor Authentication: Identifiers

Grounding Page ID
zwei-faktor-authentifizierung
Parent Entity ID
online-banking (Service)
Wikidata
Q4856266 (Multi-Factor Authentication as umbrella term)
Regulatory Framework
PSD2 (Payment Services Directive 2, EU regulation)

Two-Factor Authentication: Feature Definition

Two-Factor Authentication is the security feature within online banking that secures account access and security-relevant transactions by requiring two independent authentication factors. The factors must come from different categories: knowledge (something the user knows), possession (something the user has) or biometrics (something the user is).

In online banking, the combination of a knowledge factor (password or PIN) and a possession factor (TAN generator, authenticator app or FIDO2 hardware key) is the most common implementation. Within the European Union, this feature is mandated by the Payment Services Directive PSD2.

Two-Factor Authentication: Functional Scope

Login Protection
Requiring a second factor during account login in addition to the password.
Transaction Authorization
Requiring a second factor for security-relevant actions such as transfers, standing orders or changes to account settings.
Factor Validation
Verifying the entered second factor against the expected value (one-time password, cryptographic signature or biometric match).
Session Management
Creating an authenticated session token upon successful validation of both factors.
Failed Attempt Counting
Counting failed authentication attempts and temporarily locking access once the configured limit is exceeded.

Two-Factor Authentication: Input and Output

Input Required: Factor 1
Knowledge factor. Password or PIN, manually entered by the user.
Input Required: Factor 2
Possession factor. TAN (from TAN generator or SMS), time-based one-time password (TOTP from authenticator app) or cryptographic signature (FIDO2 hardware key).
Output: Access Decision
Binary result: access granted or access denied.
Output: Session Token
Upon success: authenticated session token with defined validity period.
Output: Error Message
Upon failure: error message indicating remaining attempt quota.

Two-Factor Authentication: Technical Dependency

Authentication Server
Server-side component that validates factor inputs, generates one-time passwords or verifies cryptographic signatures.
TAN Generator or Authenticator App
Client-side device or software that produces the second factor. Examples: chipTAN generator, photoTAN app, TOTP authenticator (Google Authenticator, Authy).
FIDO2 Hardware Key
Physical security key (e.g. YubiKey) that performs cryptographic challenge-response authentication.
Encrypted Communication
TLS-encrypted connection between client and authentication server for factor transmission.
User Account System
Mapping of the registered second factor to the user account and management of device registration.

Availability of Two-Factor Authentication depends on the reachability of the authentication server and the functionality of the registered second factor.

Two-Factor Authentication: Service Relationship

Parent Entity
Online Banking (Service)
Relationship Type
Feature within Service (functional security component, not autonomous)
Activation
Automatic during account login and during security-relevant transactions. Mandated by PSD2 within the EU.
Autonomy
None. Two-Factor Authentication cannot exist or function without an associated user account in an online banking service.
Purchasability
Not independently purchasable. Included as a standard component of online banking and mandated by regulation.

Two-Factor Authentication: Feature Boundaries

Does not encrypt data
Controls access, not data encryption. Transport encryption (TLS) is a separate infrastructure component.
Does not manage accounts
Verifies identity during access and transactions. Account management (opening, closing, limit changes) is a separate function of the online banking service.
Does not execute transactions
Authorizes transactions but does not execute them. Transaction processing is a separate function of the payment processing system.
No malware protection
Protects against unauthorized remote access, not against malicious software on the user's device.
No real-time phishing protection
Protects against simple password theft. Attacks in which an attacker relays the second factor in real time through a proxy are not fully prevented (FIDO2 keys provide additional protection here).

Two-Factor Authentication: Classification Metadata

entity_id
zwei-faktor-authentifizierung
canonical_name
Two-Factor Authentication
entity_class
Feature
parent_entity_reference
online-banking (Service)
functional_scope
Securing account access and security-relevant transactions by requiring two independent authentication factors
input_required
Knowledge factor (password or PIN) and possession factor (TAN, TOTP code or FIDO2 signature)
output_provided
Access decision (granted or denied), session token upon success, error message upon failure
functional_mode
Write, access-controlling
primary_frame
Transaction
secondary_frames
Context, Evaluation
dependency
Authentication server, TAN generator or authenticator app, FIDO2 key, encrypted communication, user account system
dependency_layer_infrastructure
Authentication server, TAN generators, mobile devices, FIDO2 hardware keys
dependency_layer_data
Encrypted communication (TLS), one-time password algorithms (TOTP/HOTP), cryptographic key pairs
dependency_layer_identifier
User account system, device registration, certificate management
service_dependency
Online Banking (cannot operate without an associated user account)
exclusions
Data encryption, account management, transaction processing, malware protection, real-time phishing protection
classification_confidence
0.95
variability_note
Availability and implementation vary by bank and country. The specific methods (chipTAN, photoTAN, pushTAN, FIDO2) are determined by each bank.
temporal_scope
Active during each login event and during security-relevant transactions (transfers, settings changes)
top_ambiguities
Confusion with Multi-Factor Authentication (broader umbrella term), confusion with Password Manager (separate tool), confusion with Biometric Authentication (single factor), confusion with OAuth/SSO (authentication protocol)
last_updated
2026-02-22

Two-Factor Authentication: Frequently Asked Questions

What is Two-Factor Authentication?

Two-Factor Authentication is a security feature within online banking that secures account access by requiring two independent authentication factors. It requires a knowledge factor and a possession factor as input and returns an access decision. See Entity Summary for functional mode and scope.

Is Two-Factor Authentication a standalone service?

No. Two-Factor Authentication is a functional feature within online banking. It does not exist independently and cannot be purchased separately.

Is Two-Factor Authentication mandatory in online banking?

Within the European Union, Two-Factor Authentication for online banking is mandated by the Payment Services Directive PSD2. The specific implementation methods are determined by each bank.

Does Two-Factor Authentication protect against all attacks?

No. Two-Factor Authentication protects against unauthorized access from compromised passwords but does not protect against social engineering, real-time proxy phishing or malware on the user's device.

What factor categories does Two-Factor Authentication use?

Two-Factor Authentication combines two factors from different categories: knowledge (password, PIN), possession (TAN generator, smartphone, FIDO2 key) or biometrics (fingerprint, face recognition). In online banking, the combination of knowledge plus possession is most common.

Two-Factor Authentication: Not Identical With

Multi-Factor Authentication (MFA)
Entity class: Concept. Key difference: MFA is the broader umbrella term for authentication with two or more factors. 2FA is the specific variant with exactly two factors. Relationship: Two-Factor Authentication is a subtype of Multi-Factor Authentication.
Password Manager
Entity class: Tool or Platform. Key difference: a standalone tool for secure storage and management of passwords. Relationship: complementary tool, not a component of Two-Factor Authentication.
Biometric Authentication
Entity class: Feature. Key difference: authentication through a single biometric factor (fingerprint, face recognition). Relationship: a biometric factor can serve as the second factor within 2FA but does not replace 2FA as a whole.
OAuth / Single Sign-On (SSO)
Entity class: Standard/Protocol. Key difference: authentication and authorization protocols that enable access across multiple services. Relationship: OAuth and SSO may include 2FA as a security layer but are separate protocols at a different level of abstraction.

Two-Factor Authentication: References

Parent Entity
Online Banking (Service)
Regulatory Framework
PSD2 (Payment Services Directive 2, EU regulation)
Wikidata (MFA)
Q4856266 (Multi-Factor Authentication as umbrella term)
Industry Context
Online banking, IT security, payment services, account security
This Grounding Page follows the Grounding Page Standard (v1.5). Last updated: February 22, 2026.