Multi-factor authentication
Authentication is understood as proof of a given identity to a computer system. For some time now, the combination of user name and password has been the most common method of authenticating a user. It is still the most widely used single-factor authentication for proving identity.
Multi-factor authentication (MFA) refers to proving a user's identity with more than one factor (e.g., password + one-time password (OTP) or password + fingerprint + security token).
Overview of MFA solutions
Compare the features of different multi-factor authentication solutions.
IT Security Law
Germany’s parliament enacted the IT Security Law (IT-SiG) in July 2015 to enhance the security of the IT systems of businesses that operate critical infrastructure. In addition to making the reporting of security breaches obligatory, the law also includes provisions for a minimum degree of IT security. In practical terms, this means that businesses and organizations are required to implement and apply suitable technical and organizational measures that conform to the current state of the art.
What does the IT Security Law require in the area of identity management?
According to the German Federal Office for Information Security (BSI), reliable protection of critical systems and data should be implemented with an integrated security solution that supports strong two-factor authentication at a minimum. Strong authentication goes well beyond the security provided by a single password. It requires other components (factors) to determine the identity of the user with certainty. The “knowledge” factor (password or PIN) is extended by the addition of another factor – the “possession” factor (smartcard, token, etc.) or “biometrics” (fingerprint, voice, etc.).
Specifically, an authentication solution that is viable for the future must offer the option of using different authentication factors flexibly, e.g., one-time password generator hardware, smartcards, USB tokens and soft tokens.
The GDPR affects businesses of all sizes
The EU's General Data Protection Regulation (GDPR) has been in force since May 25, 2018, and it creates uniform data protection rules throughout Europe. While it bolsters data protection for EU citizens, it also threatens businesses with draconian penalties if they fail to implement the guidelines or implement them inadequately. Systematic and stringent compliance with the GDPR is necessary for all types of businesses because of the high fines – up to EUR 20 million or 4% of total annual global revenue (whichever is greater) – that must be paid in the case of violations or even mere non-conformance with the guidelines. Small business size offers no protection against fines: the rules apply to businesses of all size classes. The question of how personal data is managed and protected is therefore of essential importance to every business. How should businesses react to this regulation?
What does the GDPR require?
The new rules specify that companies must introduce state-of-the-art control mechanisms to protect data. The technical and organizational security measures to be implemented must ensure that customer data is always protected to a degree appropriate to the risk. Businesses must ensure that only authorized persons can obtain access to personal data, and that the data is protected against unintentional loss, unintentional modification, unauthorized access and transfer to other parties. When it comes to access management, this means that the user name and password method has run its course; it is simply too unreliable.
IT compliance for automotive suppliers
The theme of security has always played an important role in the automotive business. Automotive OEMs need to ensure not only that their vehicles are safe, but also that the information and know-how needed to develop them are kept confidential and protected. If one considers that a passenger car consists of an average of 12,000 individual parts, around 80% of which come from suppliers, it is logical that automotive OEMs have now implemented stringent security standards for access management.
Successful audit thanks to two-factor authentication
In recent years, large customers in the automotive industry have therefore introduced intensified auditing of their service providers to guarantee data protection that extends beyond their internal networks. Validation of the daily authentication process and of remote access are at the top of their requirements lists. To fulfill this requirement, businesses are increasingly seeking practical solutions that securely protect sensitive information from unauthorized external access. Just as non-fulfillment of minimum compliance standards leads to a competitive disadvantage today, in the future verified compliance will be the admission ticket to collaboration with automotive corporations.
The use of two-factor or multi-factor authentication methods can increase the security level for data access significantly. However, with the multitude of authentication solutions available on the market, it is not always easy to find the right solution.
We have already assisted numerous automotive suppliers in successfully selecting and implementing solutions that are a good match for their requirements.
Away from isolated solutions
Digitalization is not only changing our everyday work in fundamental ways; it is also driving rapid change in the IT landscapes of enterprises. Today, employees accessing the company network from mobile devices and over public Wi-Fi networks is commonplace, as is opening up corporate applications to customers and business partners. However, providing more and more content in digital interactions brings with it the growing risks of cyber-espionage and cyber-crime. Businesses are responding to this with stricter – and sometimes excessively rigid – guidelines for the authentication process. This leads to the use of methods or devices for two-factor authentication (or multi-factor authentication), which are often implemented as isolated solutions. Not only is this complicated, user-unfriendly and cost-intensive; it also offers only a limited degree of security.
Flexibility and security
One of the goals of flexible authentication is to allow users to use the authentication mechanism of their choice, provided that it is acceptable from a security perspective. It is no less important to be able to introduce, for new use cases, strong authentication mechanisms that are manageable in terms of cost and logistics. Ideally, it should be possible to integrate all authentication factors in use into the authentication process – whether old or new devices or factors are being introduced – and to subject them to the same checks. Not only does such central management benefit administrators; it also effectively raises the overall level of security in the business.
Finding the right amount of authentication
IT security departments are defending against increasingly subtle cyber-attacks, most of which can be traced back to stolen or weak passwords, and – to the irritation of end users – they are introducing ever more restrictive rules for choosing passwords. Users may not use any names or simple words; instead they are required to use numbers, upper- and lower-case letters, and special characters. The length must be at least 10 characters, passwords must be changed every 14 days, and users must not, under any circumstances, use the same password for everything. These are just some of the most frequently applied password rules.
More and more accounts, constantly growing support effort and increasing costs
What seems essential from an IT perspective is, however, hardly practical from a user perspective, because human memory has its limits. Every user tries to simplify the task of remembering complex passwords, and this leads to simple passwords or to one and the same password being used for multiple accounts. Users might also store their credentials unencrypted in Excel files. The constantly growing number of accounts inevitably leads to a growing number of forgotten passwords as well – a type of forgetfulness that can become very expensive for businesses. A password reset is, first and foremost, annoying and time-consuming for users, but it can also have a negative impact on a company’s bottom line, because the cost of each reset operation can be considerable in some cases.
Security has to be practical
So, what can businesses do to protect themselves from identity theft? Security solutions that demand an elaborate security procedure for each and every access to applications and systems make it difficult for employees to do their daily work and lead to productivity losses. What is needed are user-friendly and scalable multi-factor authentication (MFA) methods. Many different solution scenarios are conceivable, e.g., combining a password with a security token in a single sign-on (SSO) solution. In this case, the user only needs to remember one password for all applications, while the security token adds a further level of security.