High Security Authentication. Passwordless.
According to the current guidelines of the German Federal Office for Information Security.
secunet is the German cyber security champion and security partner of the Federal Republic of Germany.
By integrating with existing systems, all user data remains with the service operator.
The Corona pandemic has clearly shown us the importance of functioning and secure IT infrastructures. The German Minister of the Interior therefore called for IT security to be considered from the outset in all digitization projects. In particular, the implementation of the Online Access Act poses major challenges for public administration. Web offerings are to be user-oriented, while at the same time security and data protection are top priorities. The legal requirements for this have risen sharply: OZG, eIDAS-VO, GDPR, ISO 27002 and IT baseline protection guidelines of the German Federal Office for Information Security demand appropriate protective measures according to the current state of the art.
Critical infrastructures, utilities, ICT
The digital transformation poses major challenges for operators of online services. Access to confidential information must be restricted, and users' personal data and access to critical infrastructures must be specially protected. The legal requirements for this have risen sharply: GDPR, ISO 27002 and IT baseline protection guidelines of the German Federal Office for Information Security demand appropriate protection measures according to the current state of the art. In view of the urgent need for action, the question arises as to what extent our own developments are economically and security-wise compatible with the current threat situation and the increased expectations of users.
Secure authentication - Important technical terms explained easily
Authentication is the proof of → authenticity. A defined procedure is used to determine whether someone is really who they claim to be or whether the data in question actually originates from a claimed author. The process of checking the proof of authentication is often referred to as authentication. Colloquially, the two terms are often not distinguished.
Multi-factor authentication (MFA)
In multi-factor authentication, authentication is based on several different and independent factors from the following three categories:
- Knowledge: Secret information, such as → passwords or → PINs.
- Possession: IT components, e.g. smartcards or cell phones with a → secure element that can be uniquely identified and cannot be counterfeited or copied.
- Being: Individual → biometric characteristics of a person, such as fingerprint or face.
Two-factor authentication (2FA)
Two-factor authentication is a special case of multi-factor authentication in which authentication is based on two different factors. It is recommended in the IT-Grundschutz (IT baseline protection) catalogs of the German Federal Office for → Information Security. For web services with high security and data protection requirements, it is the state of the art and should be used in order to comply with the → General Data Protection Regulation and specific laws. In particular, this applies to e-government, banking, healthcare, and critical infrastructures.
With two-channel authentication, authentication takes place via two different communication channels. Ideally, not only different communication channels are used, but also different devices (e.g., PC and smartphone). Two-channel authentication can be based on the knowledge factor alone, and is therefore not necessarily also two-factor authentication.
In this case, security information is transmitted via a separate, independent communication channel during authentication. Out-of-band authentication occurs, for example, when one-time passwords (see → Passwords) are sent as SMS-TANs over the mobile network during online banking on a desktop computer.
Authenticity refers to the genuineness of a given identity or the unquestionable authorship of a piece of information, e.g., a message or a document. The term is used not only when the identity of persons is checked, but also for IT components or applications.
An authorization is the granting of rights to a person, IT component or application to perform a specific action after successful → authentication.
Threats on the Internet
With a focus on a possible theft of the → digital identity, the following threats and attack scenarios play a role:
In a brute force attack, a → password or key is determined by automatically trying out all or a large part of the possible values. In contrast, a dictionary attack works through a password list, on the assumption that the → password consists of a meaningful character combination or one that has already been used elsewhere.
In a man-in-the-middle attack, an attacker interposes himself between the communication partners, has at least partial control over the data traffic with his system, and can view and manipulate the information at will. He pretends to be the other partner to the communication partners.
In phishing, users are tricked into authenticating themselves to a fake website and disclosing their → password and online banking TANs, for example.
Malware is a term for malicious, often multifunctional programs. Once a system is infected, they can often reload additional malicious programs from the Internet that cause further damage. Typical targets are spying on data, looting bank accounts, blackmail, displaying advertisements or setting up a botnet. Typical types of malware are: Viruses, worms, Trojans, ransomware, rootkits, keyloggers and spyware/adware.
A biometric feature is a unique personal characteristic that is used to verify the identity of a person. A distinction is made between physiological features, such as fingerprint patterns or facial geometry, and behavioral features, such as the frequency profile of the voice or the way the signature is generated.
When biometric features are captured, a so-called pattern is extracted as a reference. This pattern can then be used for a biometric comparison. If a defined level of match is achieved, the person is considered to be identified or verified.
General Data Protection Regulation (DSGVO)
Regulation on the EU-wide standardization of rules for the processing of personal data, which is intended to ensure the protection of personal data and guarantee the free movement of data. Compliance with key principles, such as purpose limitation and data minimization, also applies to any contract processing with service providers and must be demonstrated by the data controller. Among other things, companies must protect your data from unauthorized access during processing in accordance with the current state of the art.
Personal data includes any information that can be used to directly or indirectly identify a natural person. The highest level of protection is afforded to the special categories of personal data referred to in Article 9 of the GDPR, such as information on racial and ethnic origin, political opinions, religious and philosophical beliefs. The same applies to genetic and biometric data, health data, and information about sex life or sexual orientation. Such data may only be processed in exceptional cases, and very high technical and organizational requirements must be met to prevent unauthorized access.
Failure to comply with these principles and accountability can result in fines of up to EUR 20 million or up to 4% of a company's total annual global sales. If a personal data breach occurs, it must be reported to the data protection authority within 72 hours. If there is a high risk to the personal rights and freedoms of data subjects, they must also be informed immediately.
A digital identity, often also called an electronic identity, is used for the unique identification of persons or objects by computers. Real persons are represented by their digital identity(ies) in the virtual world. Identity theft is the misuse of a digital identity by third parties. See also → Threats on the Internet.
A digital signature is special control information that is attached to a message or file. On the one hand, it can be used to determine who generated it. On the other hand, it makes it possible to verify → authenticity and integrity. In the asymmetric → encryption most commonly used for this purpose, the digital signature is generated with a secret private key and can be checked by anyone with the associated public key.
In contrast, "electronic signature" is a legal term. The range of possible manifestations extends from simple and advanced electronic signatures, which are not necessarily based on digital signatures, to the qualified electronic signature as a very secure form of digital signature.
Electronic proof of identity (eID)
The term "electronic proof of identity" is used as a fixed synonymous term for → digital identity, particularly in the area of e-government. An eID enables secure digital proof of identity, e.g. vis-à-vis service providers on the Internet or at border controls. In Germany, this requires the → electronic ID card and an eID server authorized to read data.
Electronic identity card (nPA)
Identity document issued by Germany since November 1, 2010. Technically, the electronic ID card is a contactless chip card with optical security features. Two fingerprints can also be stored on the ID card as a → biometric feature to prevent forgery. In addition to the actual ID function vis-à-vis sovereign authorities, the electronic ID card offers the → eID function, which is supported in the same way both by the electronic residence permit (eAT) for non-EU foreigners and by the planned eID card for EU citizens of other countries.
The FIDO (Fast IDentity Online) initiative, founded by the companies Google and PayPal, aims to replace conventional logins on the Internet with a significantly more secure procedure that is just as simple. It can be used either instead of a → password or in addition, as a second factor. At the core of the FIDO identity is a secret permanently linked to the security key in the form of a random number that is different for each security key and cannot be read or extracted. The hardware-bound private key remains in the possession of the user and is not stored on public servers. Each access, e.g., at login, must be authorized.
The biggest weakness is the threat of considerable problems in the event of possible loss, theft or defect. In practical terms, smartphones unfortunately cannot be used as FIDO security keys for a desktop computer, despite the technical requirements. Also, cross-platform use of FIDO2 USB sticks is not possible or only possible to a limited extent. Existing FIDO1 sticks can unfortunately no longer be used with the current FIDO2. Overall, this means that distribution is low.
Identity Provider (IDP)
The basic principle is that you only have to register once with your identity provider and thus gain access to other web services, without having to fill in address data or handle confirmation e-mails and, above all, without an additional → password.
With web services and smartphone apps, you often see the option "Sign in with" Google/Apple/Facebook/Amazon. German alternatives to this are, for example, Verimi, NetID, IDnow, WebID, ID4me, Keyp and Yes. This is convenient and, thanks to the technology in the background (e.g. OAuth 2.0 at Google), quite secure at first glance - if you keep your account secure with the respective provider. Of course, providers get to know exactly which services you use and how often, and some also make no secret of the fact that user profiles and data are part of their business model. What is actually new, however, is that it is no longer the user who proves who he is, but a third party who confirms this for him. The user thereby gives up control over his → digital identity, which creates a strong dependency. It should also be borne in mind that almost every company with such valuable data has already been successfully attacked by hackers, and there is always a desire on the part of intelligence services.
Identity and Access Management (IAM or IdAM)
Identity and Access Management refers to a combined system for managing → digital identities (as a stand-alone system also "IdM") and authorizations in companies. The following typical processes are covered:
- Identification: Who or what is it about?
- Registration: Process to obtain a user account.
- → Authentication: Proof of → authenticity
- → Authentication: verification of proof
- → Authorization: granting of rights
Examples of further functions of such systems are identity provision and use across company boundaries (federated identity management) and the possibility for users themselves to change their profile data, manage access data and registered devices, and request unblocking of access if necessary (user self services).
In the context of the protection goals of confidentiality, integrity and availability of information and information technology, IT security refers to a state in which the risks present in the use of information technology due to → threats and vulnerabilities are reduced to an acceptable level by appropriate measures.
In practice, the standards of the ISO/IEC 27000 series play an important role. In German-speaking countries, an approach based on IT-Grundschutz (IT baseline protection) is widespread. The evaluation and certification of IT products and systems is often based on the ISO/IEC 15408 standard (Common Criteria). IEC 62443 deals specifically with the topic of cybersecurity in Industry 4.0.
A classic password is a string of characters that a user uses to prove that he or she has access authorization to a closed system. Either the password itself or a check value derived from it must be stored in this system for verification. In the context of → multi-factor authentication, classic passwords are a knowledge-based factor.
One-Time Password (OTP)
A one-time password can only be used for one → authentication and is invalid afterwards. This means that no damage is caused if it is spied out. One-time passwords can either be taken from a previously created static list or generated dynamically on the basis of a secret key (so-called start value or seed). There are three different procedures for this:
- Time-based (TOTP)
- Event-based (HOTP)
- Server request/challenge response algorithm (OCRA)
Time- and event-based one-time passwords can be generated using a special device ("OTP token") or software (e.g. Google Authenticator).
In the context of → multi-factor authentication, one-time passwords are more likely to be assigned to the possession factor than classic passwords. One-time passwords do not protect against all → threats and attack scenarios, e.g. only to a limited extent against → man-in-the-middle attacks or Trojans. On computers and smartphones, malware could also gain access to software-generated OTP codes or the key. SMS TANs for online banking have also already been successfully tapped.
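The event-based and time-based procedures described above, as an added example that is not part of the original page: it follows the public HOTP (RFC 4226) and TOTP (RFC 6238) specifications, and the `TotpVerifier` class, its `window` parameter and the seed in the demo are assumptions made for illustration. The verifier also enforces the single-use property by refusing a time step that has already been consumed.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP where the counter is the time-step number."""
    return hotp(seed, unix_time // step, digits)


class TotpVerifier:
    """Server-side check (hypothetical helper): each time step is accepted once."""

    def __init__(self, seed: bytes, step: int = 30, window: int = 1):
        self.seed = seed
        self.step = step
        self.window = window        # tolerated clock drift, in time steps
        self.last_used_step = -1    # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for t in range(now - self.window, now + self.window + 1):
            if t <= self.last_used_step:
                continue  # already used (or before epoch): a replay is rejected
            expected = hotp(self.seed, t)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_used_step = t
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"   # constructed demo seed, never use in production
    verifier = TotpVerifier(seed)
    code = totp(seed, 59)
    print("code at t=59:", code)
    print("first use accepted:", verifier.verify(code, 59))
    print("replay accepted:", verifier.verify(code, 61))
```

Anyone who obtains the seed can compute every future code, which is why the page's remark about malware reading the key applies to software generators.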
A password safe or password manager is a program for secure password management whose encrypted database is protected by a central master password. This means that users only have to remember one password. It can often be used to generate passwords of different strengths. Since users no longer remember individual passwords, they quickly become dependent on their password database. The use as a cloud-based service seems very convenient at first glance. However, one should be able to fully trust the respective provider and its security precautions. Attack scenarios: Due to the valuable access data, password managers are among the most popular targets of cyber criminals. Investigations have shown, for example, that with widespread password managers, passwords remain in memory for an unnecessarily long time, even when the program is locked. Passwords stored unencrypted in web browsers are also a security vulnerability and should definitely be protected by a master password.
Personal Identification Number (PIN)
A personal identification number is a sequence of digits known only to one or a few people, with which they can authenticate themselves to a machine. In the narrower sense, PINs are (mostly numeric) → passwords.
To prevent a PIN from being guessed by repeated attempts (enumeration attack), a system must not accept any number of incorrect entries. With web services in particular, an attacker could otherwise simply try out all possible PINs automatically. Most systems therefore block access after a certain number of incorrect PIN entries, which must then be unlocked by other means (usually by entering another PIN or by contacting the provider's customer service). In the case of ATMs, online banking and cell phones, the blocking usually occurs after three incorrect entries.
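A minimal sketch of the blocking behaviour described above, as an added example that is not part of the original page: the class `PinVerifier`, the function `enumerate_pins`, the iteration count and the sample PIN and unlock code are assumptions made for illustration. It shows that once the counter reaches three, even the correct PIN is refused until the separate unlock code is presented.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3  # the page's typical limit for ATMs, online banking and phones


class PinVerifier:
    """Stores only salted check values and blocks after MAX_ATTEMPTS failures."""

    def __init__(self, pin: str, unlock_code: str):
        self._salt = os.urandom(16)
        self._pin_check = self._derive(pin)
        self._unlock_check = self._derive(unlock_code)
        self.failed = 0

    def _derive(self, secret: str) -> bytes:
        # Iteration count is an illustrative assumption, not a recommendation.
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), self._salt, 50_000)

    @property
    def blocked(self) -> bool:
        return self.failed >= MAX_ATTEMPTS

    def check(self, pin: str) -> str:
        if self.blocked:
            return "blocked"  # the PIN is not even evaluated any more
        if hmac.compare_digest(self._derive(pin), self._pin_check):
            self.failed = 0
            return "ok"
        self.failed += 1
        return "blocked" if self.blocked else "wrong"

    def unlock(self, code: str) -> bool:
        """Unblocking 'by other means': here a second, longer code."""
        if hmac.compare_digest(self._derive(code), self._unlock_check):
            self.failed = 0
            return True
        return False


def enumerate_pins(verifier: PinVerifier):
    """Try 0000..9999 in order; return (found_pin or None, attempts made)."""
    for attempts, guess in enumerate(range(10_000), start=1):
        result = verifier.check(f"{guess:04d}")
        if result == "ok":
            return f"{guess:04d}", attempts
        if result == "blocked":
            return None, attempts
    return None, 10_000


if __name__ == "__main__":
    v = PinVerifier("4821", "93710562")        # constructed sample values
    print(enumerate_pins(v))                   # enumeration stops after 3 tries
    print(v.check("4821"))                     # correct PIN is refused while blocked
    print(v.unlock("93710562"), v.check("4821"))
```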
Secure element refers to a hardware security module that is installed in modern smartphones and tablets. It is usually a chip that offers cryptographic security features. The secure element protects → private keys and thus ensures a high level of security for sensitive processes, such as payment transactions or the use of a → digital identity derived from the → electronic ID card and stored on the smartphone.
However, there are also weak points when using mobile devices as part of → multi-factor authentication for web services: First, a mobile device is usually replaced by a newer model after a few years. Users should therefore be able to add and manage new devices to their profile themselves. Secondly, devices can be lost, defective or even stolen. There must then always be a way to authenticate to the web service even without this factor. And this way must be so secure that it is only open to the actual user and cannot be used by a cybercriminal.
A security token (abbreviated to "token", also translated as "security key") is a cryptographic hardware or software component for → user authentication. It is often additionally secured by a → password, → PIN or → biometric feature. Examples of tokens are smartcards, USB crypto tokens or contactless tokens with Bluetooth, NFC or RFID technology. Trusted Platform Modules (TPM) in computers or the → Secure Element in smartphones can also be used as security tokens.
Without a second, independent authentication feature, a security token does not provide reliable protection against tampering, loss, or attack. It can be destroyed or lost. Unlike computers and smartphones, the use of additional, external hardware tokens incurs costs for production, registration and/or personalization, distribution, and the provision of infrastructure in the form of readers or software. A possible target of attack is the communication between token and reader. In the case of radio transmissions in particular, it should be borne in mind that these may still be recorded at a great distance.
After an initial login at a workstation, an SSO system takes over the automatic login of this user to further services and devices for which he has → authorization.
Encryption is used to protect data from unauthorized access or to be able to transmit messages confidentially. During encryption, data is converted in such a way that the original data can only be recovered, i.e. decrypted, by using a secret key. For encryption and decryption, the same key is used for symmetric methods, and different keys (a private and a public key) are used for asymmetric methods.
In the web browser, data connections are secured by HTTPS, which stands for the use of the HTTP Internet protocol with SSL/TLS encryption and integrity protection.