2FA: Two-Factor Authentication

Last updated: 2/9/2026
Reading time: 4 min

Full Name: Two-Factor Authentication

Definition

Two-Factor Authentication (2FA) is a security mechanism that requires a user to present two independent authentication factors before being granted access to a system, application, or credential. Unlike single-factor authentication (a password alone, for example), 2FA combines evidence from two different categories, so an attacker who compromises one factor still cannot authenticate. In the context of EUDI Wallets, 2FA is a mandatory security requirement that protects citizens' digital identity credentials across the European Union.

How 2FA Works in Practice

Authentication factors fall into three well-established categories. The first is knowledge factors, which include passwords, PINs, and security questions -- things the user knows. The second is possession factors, such as smartphones, hardware security keys, smart cards, or SIM cards -- things the user physically has. The third is inherence factors, which are biometric characteristics like fingerprints, facial geometry, iris patterns, or voice recognition -- things the user inherently is.

For a system to qualify as true 2FA, it must require factors from two different categories. Using two passwords, for example, does not constitute 2FA because both are knowledge factors. A fingerprint combined with a PIN, however, is genuine 2FA because it combines an inherence factor with a knowledge factor.

The strength of 2FA lies in forcing an attacker to defeat two unrelated attack vectors at once. A stolen or phished password alone cannot grant access if biometric verification or possession of a registered device is also required. Similarly, a stolen device is of little use without the owner's PIN or biometric, provided the two factors are genuinely independent: a PIN written on the phone case, or a PIN that can be read from the same compromised device that holds the possession key, collapses the scheme back to a single factor.

2FA in the EUDI Wallet Architecture

The eIDAS 2.0 regulation mandates Level of Assurance High for EUDI Wallet implementations, which explicitly requires multi-factor authentication. In practice, EUDI Wallets typically implement 2FA by combining device possession (the smartphone containing the wallet app and its secure element) with either biometric verification (fingerprint or face recognition) or a user-chosen PIN.

When a user presents a credential from their EUDI Wallet, such as proving their age at a store or logging into a government service, the wallet first verifies the user locally through the device's biometric sensor or PIN entry. Only after this local authentication succeeds does the wallet use the device-bound key to release the requested credential data. This means that someone who gains physical access to the device cannot present the wallet's credentials without also knowing the PIN or matching the enrolled biometric.

The Architecture and Reference Framework (ARF) specifies that EUDI Wallet providers must support at least biometric plus device possession as the primary 2FA method, with PIN plus device possession as a fallback for accessibility reasons or when biometric sensors are unavailable.

2FA vs. MFA and SCA

Two-Factor Authentication is a specific subset of Multi-Factor Authentication (MFA). While 2FA requires exactly two factors, MFA can require two or more. In high-security scenarios, some EUDI Wallet operations may require three-factor authentication, combining all three categories: something you know, something you have, and something you are.

Strong Customer Authentication (SCA), mandated by the EU's Payment Services Directive 2 (PSD2), is another related concept. SCA requires two or more independent authentication elements from the knowledge, possession, and inherence categories, where a breach of one element must not compromise the others. For remote payments it additionally requires dynamic linking: the authentication code must be bound to the specific amount and payee of the transaction. SCA is therefore functionally 2FA with extra conditions, applied specifically to electronic payments. As EUDI Wallets are expected to support payment-related use cases, SCA compliance is built into the wallet's authentication framework.

The EUDI Wallet's 2FA implementation is designed to satisfy both the eIDAS 2.0 Level of Assurance High requirements and the PSD2 SCA requirements simultaneously, providing a unified authentication experience across identity and payment use cases.

Real-World 2FA Scenarios

Consider a citizen using their EUDI Wallet to access a government tax portal. They open the wallet app on their phone (possession factor), then authenticate with their fingerprint (inherence factor). The wallet confirms the user's identity and presents the requested credential to the tax service. At no point does the user need to remember a separate password for the tax portal.

In another scenario, a user purchases age-restricted goods online. The merchant requests age verification through the EUDI Wallet protocol. The user's wallet app activates, requiring a face scan (inherence) on the user's registered device (possession). After successful 2FA, the wallet shares only the age-over-18 attestation, without revealing the user's exact birthdate or other personal information.

For offline scenarios, such as presenting an identity credential at an airport border check, the EUDI Wallet communicates with the verifier's device over a proximity channel such as NFC or Bluetooth Low Energy. The user still authenticates locally on their phone using 2FA before any credential data is transmitted, so the same security level applies whether the transaction occurs online or in person.
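The flow described in the scenarios above (local user verification gating a device-bound key, then release of only the requested attribute) as an added worked example. This is illustration code written for this page, not code from the EUDI Wallet reference implementation or from any wallet provider. The `SecureElement` class is a stand-in for the phone's secure element; it uses an HMAC key as a stand-in for the real asymmetric device-bound key, so the verifier is given the same key as if it were the public key the issuer bound to the credential. The PIN, credential attributes, and nonce are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"


def qualifies_as_2fa(factors):
    """True only when the factors span at least two different categories
    (two knowledge factors, such as two passwords, do not qualify)."""
    return len(set(factors)) >= 2


class SecureElement:
    """Stand-in for the phone's secure element (constructed for this example).
    Holds the device-bound key (possession factor) and the PIN verifier, and
    only uses the key after a successful local user verification."""
    MAX_ATTEMPTS = 5

    def __init__(self, device_key, pin):
        self._key = device_key                   # never leaves this object
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash_pin(pin)
        self._attempts_left = self.MAX_ATTEMPTS
        self._user_verified = False

    def _hash_pin(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def verify_user(self, pin=None, biometric_ok=False):
        """Local user authentication. Returns the factor category that
        succeeded, or None. `biometric_ok` models the platform sensor's result."""
        if self._attempts_left == 0:
            raise PermissionError("PIN blocked after too many failed attempts")
        if biometric_ok:
            self._user_verified = True
            return INHERENCE
        if pin is not None and hmac.compare_digest(self._hash_pin(pin), self._pin_hash):
            self._attempts_left = self.MAX_ATTEMPTS
            self._user_verified = True
            return KNOWLEDGE
        self._attempts_left -= 1                 # wrong PIN burns an attempt
        return None

    def sign(self, message):
        """Proof of possession over `message`; one signature per verification."""
        if not self._user_verified:
            raise PermissionError("user verification required before key use")
        self._user_verified = False
        return hmac.new(self._key, message, hashlib.sha256).digest()


class Wallet:
    def __init__(self, secure_element, credential):
        self.se = secure_element
        self.credential = credential             # full attribute set held locally

    def present(self, requested, verifier_nonce, pin=None, biometric_ok=False):
        """Release only the requested attributes, and only after 2FA."""
        user_factor = self.se.verify_user(pin=pin, biometric_ok=biometric_ok)
        if user_factor is None or not qualifies_as_2fa([user_factor, POSSESSION]):
            raise PermissionError("local user authentication failed")
        claims = {k: self.credential[k] for k in requested if k in self.credential}
        payload = json.dumps({"nonce": verifier_nonce.hex(), "claims": claims},
                             sort_keys=True).encode()
        return {"payload": payload, "proof": self.se.sign(payload)}


def verify_presentation(presentation, expected_nonce, device_key):
    """Verifier side: check proof of possession and freshness. Returns the
    disclosed claims, or None if the presentation is not valid."""
    payload = presentation["payload"]
    expected = hmac.new(device_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presentation["proof"]):
        return None
    data = json.loads(payload)
    if data["nonce"] != expected_nonce.hex():      # rejects replayed presentations
        return None
    return data["claims"]


# Constructed sample data: the issued credential and the key the issuer bound it to.
DEVICE_KEY = secrets.token_bytes(32)
SAMPLE_CREDENTIAL = {"given_name": "Anna", "birth_date": "1990-04-12", "age_over_18": True}


def demo(pin_entered=None, biometric_ok=False):
    """Age check end to end; returns the claims the verifier accepted, or None."""
    wallet = Wallet(SecureElement(DEVICE_KEY, pin="482913"), SAMPLE_CREDENTIAL)
    nonce = secrets.token_bytes(16)
    try:
        presentation = wallet.present(["age_over_18"], nonce, pin=pin_entered,
                                      biometric_ok=biometric_ok)
    except PermissionError:
        return None
    return verify_presentation(presentation, nonce, DEVICE_KEY)


def wrong_pin_lockout():
    """Number of wrong PINs accepted before the stand-in blocks further attempts."""
    se = SecureElement(DEVICE_KEY, pin="482913")
    tries = 0
    while True:
        try:
            se.verify_user(pin="000000")
        except PermissionError:
            return tries
        tries += 1
```

Two design points carry over to a real wallet: the key that proves possession is only usable after the user has been verified, and each verification authorises a single signature, so a malicious app on the device cannot ride on an earlier unlock to sign further presentations. The verifier never sees `birth_date`; it receives the `age_over_18` attribute alone, bound to its own nonce.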

⚠️ Independent Information

This website is NOT affiliated with the European Commission or any EU government. We provide independent, easy-to-understand information about EUDI.

For official information, visit: