The Security Paradox of Two-Factor Authentication (2FA): A Systematic Literature Review of the Gap between Theoretical Protocols and Practical Implementation Failures
DOI: https://doi.org/10.52158/h9qv3j56
Keywords: application security, cybersecurity, exploitation, systematic literature review, two-factor authentication
Abstract
Two-Factor Authentication (2FA) has been widely adopted as a fundamental security standard, yet sophisticated cyberattacks continue to exploit security loopholes that often lie not in the protocol itself, but in its implementation. This study aims to systematically synthesize current scientific literature to uncover the root causes of the gap between the theoretical security of 2FA protocols and practical exploitation risks in the field. Using the Systematic Literature Review (SLR) method with PRISMA guidelines, 43 high-quality articles (Q1-Q4) from the Scopus database published between 2020 and 2025 were analyzed using thematic synthesis. The findings reveal a central paradox where, although 2FA protocols are becoming mathematically stronger, 88% of failure points have shifted to implementation fundamentals; the most critical weaknesses identified are the storage of secret keys in plaintext format on client applications and the effectiveness of social engineering attacks against users. This study concludes that real-world 2FA security is determined more by the quality of implementation code and user awareness than by the cryptographic strength of the protocol alone, implying that industry priorities must shift from developing new protocols to enforcing secure implementation audits and continuous user education.
Copyright (c) 2026 Dzikri Izzatul Haq, Syafrial Fachri Pane

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
Copyright and License Statement
By submitting a manuscript to the Journal of Applied Computer Science and Technology (JACOST), the authors agree to this policy. No special document approval is required.
- Copyright in each article belongs to the authors.
- The authors retain all their rights to the published work, not limited to the rights set out on this page.
- The authors acknowledge the Journal of Applied Computer Science and Technology (JACOST) as the first publisher under the Creative Commons Attribution 4.0 International License (CC BY-SA).
- The authors may enter into separate, additional contractual arrangements for the non-exclusive distribution of the version of the work published in this journal in another form (e.g., deposit in the author's institutional repository, publication in a book, etc.), with an acknowledgement that the work was first published in the Journal of Applied Computer Science and Technology (JACOST);
- The authors warrant that the article is original, written by the stated authors, has not been published previously, contains no unlawful statements, does not infringe the rights of others, and is subject to copyright held exclusively by the authors.
- If the article was prepared jointly by more than one author, each author submitting the manuscript warrants that he or she has been authorized by all co-authors to agree to the copyright and license notice (agreement) on their behalf, and agrees to inform the co-authors of the terms of this policy. The Journal of Applied Computer Science and Technology (JACOST) will not be held responsible for anything that may arise from internal disputes among the authors.
License:
The Journal of Applied Computer Science and Technology (JACOST) is published under the terms of the Creative Commons Attribution 4.0 International License (CC BY-SA). This license allows anyone to:
- Share: copy and redistribute the material in any medium or format;
- Adapt: remix, transform, and build upon the material for any purpose.
License terms:
- Attribution: You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
- ShareAlike: If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original.