Product
protect4use

Multi-factor authentication for web services

Web service operators with high security and privacy requirements know: Usual authentications with user name and password are no longer sufficient. The reasons for this are the vulnerability to attacks and new legal standards. secunet protect4use protects the digital identity through secure authentication with strong cryptography. All user data remains with the operator or its service provider.

All benefits of protect4use at a glance

Easy

secunet protect4use avoids costly and difficult-to-calculate in-house developments. The maintenance is done by us

Future-proof

With additional token types and new cryptographic methods or standards, protect4use can also be integrated at any time in the future.

Flexible

Individual look & feel: Branding and UI content of protect4use are configurable.

Secure

protect4use flexibly covers a wide range of security requirements.

User-friendly

With mobile devices as a second factor for desktop computers, unlocking is easily done by e.g. PIN, password, fingerprint or face.

Protection of digital identity through secure authentication
In addition to a particularly secure login, protect4use enables the audit-proof authorization of transactions as well as the electronic submission of digitally signed data or documents.

Authenticity refers to the genuineness of a given identity or the unquestionable authorship of a piece of information, e.g., a message or a document. The term is used not only when the identity of persons is checked, but also for IT components or applications.


An authorization is the granting of rights to a person, IT component or application to perform a specific action after successful → authentication.


With a focus on a possible theft of the → digital identity, the following threats and attack scenarios play a role:

Password attacks

In a brute force attack, a → password or key is determined by automatically trying out all or a large part of the possible values. In contrast, a dictionary attack tries through a password list if it can be assumed that the → password consists of a meaningful character combination or one that has already been used elsewhere.

Man-in-the-middle attack

In a man-in-the-middle attack, an attacker interposes himself between the communication partners, has at least partial control over the data traffic with his system, and can view and manipulate the information at will. He pretends to be the other partner to the communication partners.

Phishing

In phishing, users are tricked into authenticating themselves to a fake website and disclosing their → password and online banking TANs, for example.

Malware/malicious software

Malware is a term for malicious, often multifunctional programs. Once a system is infected, they can often reload additional malicious programs from the Internet that cause further damage. Typical targets are spying on data, looting bank accounts, blackmail, displaying advertisements or setting up a botnet. Typical types of malware are: Viruses, worms, Trojans, ransomware, rootkits, keyloggers and spyware/adware.


A biometric feature is a unique personal characteristic that is used to verify the identity of a person. A distinction is made between physiological features, such as fingerprint patterns or facial geometry, and behavioral features, such as the frequency profile of the voice or the way the signature is generated.

When biometric features are captured, a so-called pattern is extracted as a reference. This pattern can then be used for a biometric comparison. If a defined level of match is achieved, the person is considered to be identified or verified.


Regulation on the EU-wide standardization of rules for the processing of personal data, which is intended to ensure the protection of personal data and guarantee the free movement of data. Compliance with key principles, such as purpose limitation and data minimization, also applies to any contract processing with service providers and must be demonstrated by the data controller. Among other things, companies must protect your data from unauthorized access during processing in accordance with the current state of the art.

Personal data includes any information that can be used to directly or indirectly identify a natural person. The highest level of protection is afforded to the special categories of personal data referred to in Article 9 of the GDPR, such as information on racial and ethnic origin, political opinions, religious and philosophical beliefs. The same applies to genetic and biometric data, health data, and information about sex life or sexual orientation. Such data may only be processed in exceptional cases, and very high technical and organizational requirements must be met to prevent unauthorized access.

Failure to comply with these principles and accountability can result in fines of up to EUR 20 million or up to 4% of a company's total annual global sales. If a personal data breach occurs, it must be reported to the data protection authority within 72 hours. If there is a high risk to the personal rights and freedoms of data subjects, they must also be informed immediately.


A digital identity, often also called an electronic identity, is used for the unique identification of persons or objects by computers. Real persons are represented by their digital identity(ies) in the virtual world. Identity theft is the misuse by third parties. See also → Threats on the Internet.


A digital signature is special control information that is attached to a message or file. On the one hand, it can be used to determine who generated it. On the other hand, it makes it possible to verify → authenticity and authenticity. In the asymmetric → encryption most commonly used for this purpose, the digital signature is generated with a secret private key and can be checked by anyone with the associated public key.

Electronic signature

In contrast, "electronic signature" is a legal term. The range of possible manifestations extends from simple and advanced electronic signatures, which are not necessarily based on digital signatures, to the qualified electronic signature as a very secure form of digital signature.


The term "electronic proof of identity" is used as a fixed synonymous term for → digital identity, particularly in the area of e-government. An eID enables secure digital proof of identity, e.g. vis-à-vis service providers on the Internet or at border controls. In Germany, this requires the → electronic ID card and an eID server authorized to read data.


Identity document issued by Germany since November 1, 2010. Technically, the electronic ID card is a contactless chip card with optical security features. Two fingerprints can also be stored on the ID card as a → biometric feature to prevent forgery. In addition to the actual ID function vis-à-vis sovereign authorities, the electronic ID card offers the → eID function, which is supported in the same way both by the electronic residence permit (eAT) for non-EU foreigners and by the planned eID card for EU citizens of other countries.


The FIDO (Fast IDentity Online) initiative, founded by the companies Google and PayPal, aims to replace conventional logins on the Internet with a significantly more secure procedure that is just as simple. It can be used either instead of a → password or in addition, as a second factor. At the core of the FIDO identity is a secret permanently linked to the security key in the form of a random number that is different for each security key and cannot be read or extracted. The hardware-bound private key remains in the possession of the user and is not stored on public servers. Each access, e.g., at login, must be authorized.

The biggest weakness is the threat of considerable problems in the event of possible loss, theft or defect. In practical terms, smartphones unfortunately cannot be used as FIDO security keys for a desktop computer, despite the technical requirements. Also, cross-platform use of FIDO2 USB sticks is not possible or only possible to a limited extent. Existing FIDO1 sticks can unfortunately no longer be used with the current FIDO2. Overall, this means that distribution is low.


The basic principle is that you only have to register once with your identity provider and thus gain access to other web services. Without having to fill in address data, confirmation e-mails and, above all, without an additional → password.

With web services and smartphone apps, you often see the option "Sign in with" Google/Apple/Facebook/Amazon. German alternatives to this are, for example, Verimi, NetID, IDnow, WebID, ID4me, Keyp and Yes. This is convenient and, thanks to the technology in the background (e.g. OAuth 2.0 at Google), quite secure at first glance - if you keep your account secure with the respective provider. Of course, providers get to know exactly which services you use and how often, and some also make no secret of the fact that user profiles and data are part of their business model. What is actually new, however, is that it is no longer the user who proves who he is, but a third party who confirms this to him. This gives the user control over his → digital identity and creates a strong dependency. It should also be borne in mind that almost every company with such valuable data has already been successfully attacked by hackers, and there is always a desire on the part of intelligence services.


Identity and Access Management refers to a combined system for managing → digital identities (as a stand-alone system also "IdM") and authorizations in companies. The following typical processes are covered:

  • Identification: Who or what is it about?
  • Registration: Process to obtain a user account.
  • → Authentication: Proof of → authenticity
  • → Authentication: verification of proof
  • → Authorization: granting of rights

Examples of further functions of such systems are identity provision and use across company boundaries (federated identity management) and the possibility for users themselves to change their profile data, manage access data and registered devices, and request unblocking of access if necessary (user self services).


In the context of the protection goals of confidentiality, integrity and availability of information and information technology, IT security refers to a state in which the risks present in the use of information technology due to → threats and vulnerabilities are reduced to an acceptable level by appropriate measures.

In practice, the standards of the ISO/IEC 27000 series play an important role. In German-speaking countries, an approach based on IT-Grundschutz (IT baseline protection) is widespread. The evaluation and certification of IT products and systems is often based on the ISO/IEC 15408 standard (Common Criteria). IEC 62443 deals specifically with the topic of cybersecurity in Industry 4.0.



A personal identification number is a sequence of digits known only to one or a few people, with which they can authenticate themselves to a machine. In the narrower sense, PINs are (mostly numeric) → passwords.

To prevent a PIN from being guessed by repeated attempts (enumeration attack), a system must not accept any number of incorrect entries. With web services in particular, an attacker could otherwise simply try out all possible PINs automatically. Most systems therefore block access after a certain number of incorrect PIN entries, which must then be unlocked by other means (usually by entering another PIN or by contacting the provider's customer service). In the case of ATMs, online banking and cell phones, the blocking usually occurs after three incorrect entries.


Secure element refers to a hardware security module that is installed in modern smartphones and tablets. It is usually a chip that offers cryptographic security features. The secure element protects → private keys and thus ensures a high level of security for sensitive processes, such as payment transactions or the use of a → digital identity derived from the → electronic ID card and stored on the smartphone.

However, there are also weak points when using mobile devices as part of → multi-factor authentication for web services: First, a mobile device is usually replaced by a newer model after a few years. Users should therefore be able to add and manage new devices to their profile themselves. Secondly, devices can be lost, defective or even stolen. There must then always be a way to authenticate to the web service even without this factor. And this way must be so secure that it is only open to the actual user and cannot be used by a cybercriminal.


A security token (abbreviated to "token", also translated as "security key") is a cryptographic hardware or software component for → user authentication. Often additionally secured by → password, → PIN or a → biometric feature. Examples of tokens are smartcards, USB crypto tokens or contactless tokens with Bluetooth, NFC or RFID technology. Trusted Platform Modules (TPM) in computers or the → Secure Element in smartphones can also be used as security tokens.

Without a second, independent authentication feature, a security token does not provide reliable protection against tampering, loss, or attack. It can be destroyed or lost. Unlike computers and smartphones, the use of additional, external hardware tokens incurs costs for production, registration and/or personalization, distribution, and the provision of infrastructure in the form of readers or software. A possible target of attack is the communication between token and reader. In the case of radio transmissions in particular, it should be borne in mind that these may still be recorded at a great distance.


After an initial login at a workstation, an SSO system takes over the automatic login of this user to further services and devices for which he has → authorization.


Encryption is used to protect data from unauthorized access or to be able to transmit messages confidentially. During encryption, data is converted in such a way that the original data can only be recovered, i.e. decrypted, by using a secret key. For encryption and decryption, the same key is used for symmetric methods, and different keys (a private and a public key) are used for asymmetric methods.

In the web browser, data connections are secured by HTTPS, which stands for the use of the HTTP Internet protocol with SSL/TLS encryption and integrity protection.


Version 2.6 (approx. 67 MB)

at Google Play

at Apple App Store

Contact request
Do you still have questions about protect4use?
Do you still have questions about protect4use?

Send us an inquiry via the contact form. We are happy to help.

Contact form protect4use

Page 1