protect4use

Multi-factor Authentication for Online Services

Online services with high security and data protection requirements no longer offer sufficient protection with the usual user name and password authentication. secunet protect4use protects digital identities against increasing threats on the Internet and enables compliance with significantly increased legal requirements.

HIGH SECURITY

According to the current guidelines of the German Federal Office for Information Security.

DEVELOPED IN GERMANY

secunet is the German cyber security champion and security partner of the Federal Republic of Germany.

DATA PRIVACY BY DESIGN

By integrating with existing systems, all user data remains with the service operator.

Protection of digital identity through secure authentication
In addition to a particularly secure and, at the same time, user-friendly login, protect4use enables the audit-proof authorization of transactions as well as the electronic submission of digitally signed data or documents.
  • Scalable server application: From a few hundred to many millions of users
  • Secure: Different requirements can be covered flexibly, up to the highest trust level
  • User-oriented: For all relevant platforms & browsers on desktop and mobile devices
  • Variable branding with your logo or integration into existing programs or apps

Options: Smartcards, electronic ID card/eID service, interfaces to ID providers/identification services, remote triggering of qualified digital signatures and seals

 

The Corona pandemic has clearly shown us the importance of functioning and secure IT infrastructures. The German Minister of the Interior therefore called for IT security to be considered from the outset in all digitization projects. In particular, the implementation of the Online Access Act poses major challenges for public administration. Web offerings are to be user-oriented, while at the same time security and data protection are top priorities. The legal requirements for this have risen sharply: OZG, eIDAS-VO, DSGVO, ISO 27002 and IT baseline protection guidelines of the German Federal Office for Information Security demand appropriate protective measures according to the current state of the art.

The digital transformation poses major challenges for operators of online services. Access to confidential information must be restricted, and users' personal data and access to critical infrastructures must be specially protected. The legal requirements for this have risen sharply: GDPR, ISO 27002 and IT baseline protection guidelines of the German Federal Office for Information Security demand appropriate protection measures according to the current state of the art. In view of the urgent need for action, the question arises as to what extent in-house developments are economically viable and, in terms of security, adequate to the current threat situation and the increased expectations of users.


Authenticity refers to the genuineness of a given identity or the unquestionable authorship of a piece of information, e.g., a message or a document. The term is used not only when the identity of persons is checked, but also for IT components or applications.


An authorization is the granting of rights to a person, IT component or application to perform a specific action after successful → authentication.


With a focus on a possible theft of the → digital identity, the following threats and attack scenarios play a role:

Password attacks

In a brute force attack, a → password or key is determined by automatically trying out all or a large part of the possible values. In contrast, a dictionary attack works through a list of passwords; it is used when it can be assumed that the → password consists of a meaningful character combination or one that has already been used elsewhere.

Man-in-the-middle attack

In a man-in-the-middle attack, an attacker interposes himself between the communication partners, has at least partial control over the data traffic with his system, and can view and manipulate the information at will. He pretends to be the other partner to the communication partners.

Phishing

In phishing, users are tricked into authenticating themselves to a fake website and disclosing their → password and online banking TANs, for example.

Malware/malicious software

Malware is a term for malicious, often multifunctional programs. Once a system is infected, they can often reload additional malicious programs from the Internet that cause further damage. Typical targets are spying on data, looting bank accounts, blackmail, displaying advertisements or setting up a botnet. Typical types of malware are: Viruses, worms, Trojans, ransomware, rootkits, keyloggers and spyware/adware.


A biometric feature is a unique personal characteristic that is used to verify the identity of a person. A distinction is made between physiological features, such as fingerprint patterns or facial geometry, and behavioral features, such as the frequency profile of the voice or the way the signature is generated.

When biometric features are captured, a so-called pattern is extracted as a reference. This pattern can then be used for a biometric comparison. If a defined level of match is achieved, the person is considered to be identified or verified.


Regulation on the EU-wide standardization of rules for the processing of personal data, which is intended to ensure the protection of personal data and guarantee the free movement of data. Compliance with key principles, such as purpose limitation and data minimization, also applies to any contract processing with service providers and must be demonstrated by the data controller. Among other things, companies must protect your data from unauthorized access during processing in accordance with the current state of the art.

Personal data includes any information that can be used to directly or indirectly identify a natural person. The highest level of protection is afforded to the special categories of personal data referred to in Article 9 of the GDPR, such as information on racial and ethnic origin, political opinions, religious and philosophical beliefs. The same applies to genetic and biometric data, health data, and information about sex life or sexual orientation. Such data may only be processed in exceptional cases, and very high technical and organizational requirements must be met to prevent unauthorized access.

Failure to comply with these principles and accountability can result in fines of up to EUR 20 million or up to 4% of a company's total annual global sales. If a personal data breach occurs, it must be reported to the data protection authority within 72 hours. If there is a high risk to the personal rights and freedoms of data subjects, they must also be informed immediately.


A digital identity, often also called an electronic identity, is used for the unique identification of persons or objects by computers. Real persons are represented by their digital identity(ies) in the virtual world. Identity theft is the misuse of a digital identity by third parties. See also → Threats on the Internet.


A digital signature is special control information that is attached to a message or file. On the one hand, it can be used to determine who generated it. On the other hand, it makes it possible to verify → authenticity and integrity. In the asymmetric → encryption most commonly used for this purpose, the digital signature is generated with a secret private key and can be checked by anyone with the associated public key.

Electronic signature

In contrast, "electronic signature" is a legal term. The range of possible manifestations extends from simple and advanced electronic signatures, which are not necessarily based on digital signatures, to the qualified electronic signature as a very secure form of digital signature.


The term "electronic proof of identity" is used as a fixed synonymous term for → digital identity, particularly in the area of e-government. An eID enables secure digital proof of identity, e.g. vis-à-vis service providers on the Internet or at border controls. In Germany, this requires the → electronic ID card and an eID server authorized to read data.


Identity document issued by Germany since November 1, 2010. Technically, the electronic ID card is a contactless chip card with optical security features. Two fingerprints can also be stored on the ID card as a → biometric feature to prevent forgery. In addition to the actual ID function vis-à-vis sovereign authorities, the electronic ID card offers the → eID function, which is supported in the same way both by the electronic residence permit (eAT) for non-EU foreigners and by the planned eID card for EU citizens of other countries.


The FIDO (Fast IDentity Online) initiative, founded by the companies Google and PayPal, aims to replace conventional logins on the Internet with a significantly more secure procedure that is just as simple. It can be used either instead of a → password or in addition, as a second factor. At the core of the FIDO identity is a secret permanently linked to the security key in the form of a random number that is different for each security key and cannot be read or extracted. The hardware-bound private key remains in the possession of the user and is not stored on public servers. Each access, e.g., at login, must be authorized.

The biggest weakness is the threat of considerable problems in the event of possible loss, theft or defect. In practical terms, smartphones unfortunately cannot be used as FIDO security keys for a desktop computer, despite the technical requirements. Also, cross-platform use of FIDO2 USB sticks is not possible or only possible to a limited extent. Existing FIDO1 sticks can unfortunately no longer be used with the current FIDO2. Overall, this means that distribution is low.
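The login described in the FIDO entry above, as an added sketch that is not secunet's or the FIDO Alliance's code: the server stores only a public key and accepts a signature over a fresh challenge plus the origin the browser is really connected to, which is what defeats the phishing and man-in-the-middle scenarios listed earlier. The message layout, class names and `.example` hosts are assumptions and do not follow the WebAuthn wire format.

```javascript
const crypto = require('node:crypto');

// Security key: the private key is created on the device and never exported.
function createSecurityKey() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // handed to the server once, at registration
    // Each use must be authorized by the user (touch, PIN or biometric feature).
    sign(challenge, origin, userApproved) {
      if (!userApproved) throw new Error('user did not authorize this access');
      // The origin the browser actually talks to is part of the signed data.
      const data = Buffer.from(JSON.stringify({ challenge, origin }));
      return { data, signature: crypto.sign('sha256', data, privateKey) };
    },
  };
}

// Server: stores only public keys and issues a fresh random challenge per login.
class LoginServer {
  constructor(origin) { this.origin = origin; this.keys = new Map(); this.pending = new Map(); }
  register(user, publicKey) { this.keys.set(user, publicKey); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32).toString('base64url');
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, { data, signature }) {
    const expected = this.pending.get(user);
    this.pending.delete(user); // one attempt per challenge, so a replay fails
    const publicKey = this.keys.get(user);
    if (!expected || !publicKey) return false;
    if (!crypto.verify('sha256', data, publicKey, signature)) return false;
    const signed = JSON.parse(data.toString());
    return signed.challenge === expected && signed.origin === this.origin;
  }
}

// Constructed scenario: a look-alike site relays the real server's challenge.
function demo() {
  const server = new LoginServer('https://service.example');
  const key = createSecurityKey();
  server.register('alice', key.publicKey);
  const genuine = server.verify('alice', key.sign(server.newChallenge('alice'), 'https://service.example', true));
  const relayed = key.sign(server.newChallenge('alice'), 'https://service-login.example', true);
  return { genuine, phished: server.verify('alice', relayed), replayed: server.verify('alice', relayed) };
}
```

Unlike a password or TAN typed into a fake page, the response captured by the look-alike site is useless at the genuine service, and nothing stored on the server lets an attacker produce a valid one.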


The basic principle is that you only have to register once with your identity provider and thus gain access to other web services, without having to fill in address data or deal with confirmation e-mails and, above all, without an additional → password.

With web services and smartphone apps, you often see the option "Sign in with" Google/Apple/Facebook/Amazon. German alternatives to this are, for example, Verimi, NetID, IDnow, WebID, ID4me, Keyp and Yes. This is convenient and, thanks to the technology in the background (e.g. OAuth 2.0 at Google), quite secure at first glance, provided you keep your account with the respective provider secure. Of course, providers get to know exactly which services you use and how often, and some also make no secret of the fact that user profiles and data are part of their business model. What is actually new, however, is that it is no longer the user who proves who he is, but a third party who confirms this for him. The user thereby hands over control of his → digital identity, which creates a strong dependency. It should also be borne in mind that almost every company with such valuable data has already been successfully attacked by hackers, and that intelligence services always have an interest in such data.


Identity and Access Management refers to a combined system for managing → digital identities (as a stand-alone system also "IdM") and authorizations in companies. The following typical processes are covered:

  • Identification: Who or what is it about?
  • Registration: Process to obtain a user account.
  • → Authentication: Proof of → authenticity
  • → Authentication: verification of proof
  • → Authorization: granting of rights

Examples of further functions of such systems are identity provision and use across company boundaries (federated identity management) and the possibility for users themselves to change their profile data, manage access data and registered devices, and request unblocking of access if necessary (user self services).


In the context of the protection goals of confidentiality, integrity and availability of information and information technology, IT security refers to a state in which the risks present in the use of information technology due to → threats and vulnerabilities are reduced to an acceptable level by appropriate measures.

In practice, the standards of the ISO/IEC 27000 series play an important role. In German-speaking countries, an approach based on IT-Grundschutz (IT baseline protection) is widespread. The evaluation and certification of IT products and systems is often based on the ISO/IEC 15408 standard (Common Criteria). IEC 62443 deals specifically with the topic of cybersecurity in Industry 4.0.



A personal identification number is a sequence of digits known only to one or a few people, with which they can authenticate themselves to a machine. In the narrower sense, PINs are (mostly numeric) → passwords.

To prevent a PIN from being guessed by repeated attempts (enumeration attack), a system must not accept any number of incorrect entries. With web services in particular, an attacker could otherwise simply try out all possible PINs automatically. Most systems therefore block access after a certain number of incorrect PIN entries, which must then be unlocked by other means (usually by entering another PIN or by contacting the provider's customer service). In the case of ATMs, online banking and cell phones, the blocking usually occurs after three incorrect entries.
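The blocking behaviour described above, as an added sketch that is not taken from protect4use: a retry counter that is decremented before the comparison, refuses even the correct PIN once it reaches zero, and is reset only by a separate unblock code. The class name, the sample PINs and the unblock code are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const MAX_TRIES = 3; // the figure the text gives for ATMs, online banking and cell phones

// Store only a salted, slow hash of each secret, never the digits themselves.
function hashSecret(secret, salt) {
  return crypto.scryptSync(secret, salt, 32);
}

class PinVerifier {
  constructor(pin, unblockCode) {
    this.salt = crypto.randomBytes(16);
    this.pinHash = hashSecret(pin, this.salt);
    this.unblockHash = hashSecret(unblockCode, this.salt);
    this.triesLeft = MAX_TRIES;
  }
  get blocked() { return this.triesLeft === 0; }

  check(pin) {
    if (this.blocked) return 'blocked'; // even the correct PIN is refused now
    this.triesLeft -= 1; // count the attempt before comparing
    // Constant-time comparison, so timing does not leak how close a guess was.
    const ok = crypto.timingSafeEqual(hashSecret(pin, this.salt), this.pinHash);
    if (ok) { this.triesLeft = MAX_TRIES; return 'ok'; }
    return this.blocked ? 'blocked' : 'wrong';
  }

  // Unlocking "by other means": a second secret resets the counter and sets a new PIN.
  // A real system also limits the number of attempts on the unblock code.
  unblock(unblockCode, newPin) {
    const ok = crypto.timingSafeEqual(hashSecret(unblockCode, this.salt), this.unblockHash);
    if (!ok) return false;
    this.pinHash = hashSecret(newPin, this.salt);
    this.triesLeft = MAX_TRIES;
    return true;
  }
}

// Constructed run: automated guessing stops after three wrong entries.
function demoLockout() {
  const v = new PinVerifier('4821', '73910264');
  const guesses = ['0000', '1111', '1234', '4821'].map((g) => v.check(g));
  const unblocked = v.unblock('73910264', '9035');
  return { guesses, unblocked, afterUnblock: v.check('9035') };
}
```

With a four-digit PIN and three tries, an attacker who must go through this counter has a 3 in 10,000 chance of guessing correctly before access is blocked.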


Secure element refers to a hardware security module that is installed in modern smartphones and tablets. It is usually a chip that offers cryptographic security features. The secure element protects → private keys and thus ensures a high level of security for sensitive processes, such as payment transactions or the use of a → digital identity derived from the → electronic ID card and stored on the smartphone.

However, there are also weak points when using mobile devices as part of → multi-factor authentication for web services: First, a mobile device is usually replaced by a newer model after a few years. Users should therefore be able to add and manage new devices to their profile themselves. Secondly, devices can be lost, defective or even stolen. There must then always be a way to authenticate to the web service even without this factor. And this way must be so secure that it is only open to the actual user and cannot be used by a cybercriminal.


A security token (abbreviated to "token", also translated as "security key") is a cryptographic hardware or software component for → user authentication. It is often additionally secured by a → password, → PIN or a → biometric feature. Examples of tokens are smartcards, USB crypto tokens or contactless tokens with Bluetooth, NFC or RFID technology. Trusted Platform Modules (TPM) in computers or the → Secure Element in smartphones can also be used as security tokens.

Without a second, independent authentication feature, a security token does not provide reliable protection against tampering, loss, or attack. It can be destroyed or lost. Unlike computers and smartphones, the use of additional, external hardware tokens incurs costs for production, registration and/or personalization, distribution, and the provision of infrastructure in the form of readers or software. A possible target of attack is the communication between token and reader. In the case of radio transmissions in particular, it should be borne in mind that these may still be recorded at a great distance.


After an initial login at a workstation, an SSO system takes over the automatic login of this user to further services and devices for which he has → authorization.


Encryption is used to protect data from unauthorized access or to be able to transmit messages confidentially. During encryption, data is converted in such a way that the original data can only be recovered, i.e. decrypted, by using a secret key. For encryption and decryption, the same key is used for symmetric methods, and different keys (a private and a public key) are used for asymmetric methods.

In the web browser, data connections are secured by HTTPS, which stands for the use of the HTTP Internet protocol with SSL/TLS encryption and integrity protection.


Version 2.11
