How two-factor authentication protects cloud and SaaS services Many companies
User accounts and passwords have had their day when it comes to protecting sensitive data. In payment transactions and for many online services, double security via two-factor authentication has long been standard. However, stricter data protection regulations and increased home office remote access mean that proof of identity using 2FA is also becoming more and more important for corporate networks.
Electronic payment transactions not only involve highly sensitive data, but also a lot of money. The highest security standards should be a matter of course here. That’s why the Payment Services Directive2 (PSD2) has forced many companies to implement two-factor authentication (2FA for short) since 2021. This affects all companies that make online payments. This includes not only banks, but also fintechs, payment service providers, Internet stores or online providers of accounting software. Here, a second security feature is now mandatory for electronic payments. In the future, two of these three factors will therefore be required for a payment:
For banking transactions, these requirements are implemented with chipTAN and Sm@rt-TAN using special TAN generators. These devices generate a TAN for transactions supported by the bank card and meet high security requirements. The photoTAN and SecureGo processes, on the other hand, allow smartphone apps to be used for TAN generation. Although an additional device is not absolutely necessary here, the smartphone is also easier to compromise – for example, via the Android banking malware “Cerberus”.
In a completely analogous manner, web services rely on two-factor authentication to secure log-in with a one-time password that is only valid for a single use and is usually time-limited based on the current time (time-based one-time password, or TOTP for short). The one-time passwords used here can also be generated on the smartphone or – and much more securely here – via additional hardware such as an authenticator for secure two-factor authentication with TOTP. This technology makes phishing attacks and attacks with keyloggers more difficult and in many companies already secures access to office packages such as Microsoft 365 or remote maintenance tools such as TeamViewer. However, 2FA and TOTP are also techniques that can be used in a company’s own network.
The data protection regulations, which have become much stricter in recent years, are the main reason for securing the company network with two-factor authentication using time-limited one-time passwords (TOTP). The EU General Data Protection Regulation (EU-DSGVO), for example, obliges companies to also take into account the state of the art when processing sensitive data. The EU GDPR formulates this requirement in Article 32 on “security of processing”:
In its “Handout on the state of the art,” the Federal IT Security Association e. V. recommends two-factor authentication for hardening server systems. Otherwise, companies would have to ensure the use of strong uniform password guidelines for user passwords (such as password length, complexity, lock counter, change cycle, etc.). The German Federal Office for Information Security (BSI) goes one step further with its recommendations for protecting user accounts: The authority, which is based at the Ministry of the Interior, summarizes all the details on authentication procedures in the ORP.4 Identity and Authorization Management module of the IT-Grundschutz Compendium and in its implementation notes. According to this, companies should fundamentally consider whether passwords should still be used as the sole authentication method at all. Especially for user accounts with far-reaching authorizations, the BSI recommends strong authentication with at least two authentication features, for example, a password and an additional time-limited one-time password (TOTP).
If data theft of personal data occurs, companies not only face reputational losses, but also fines of up to 20 million euros or four percent of annual turnover. In the event of a case, affected organizations would have to prove that they have complied with the provisions of the EU GDPR and secured the data with an appropriate level of protection. Whether simple user accounts and passwords still provide an adequate level of protection is already questionable in many cases in light of the BSI recommendations.
Strong authentication in a company’s own network is particularly necessary when employees have access to internal, security-critical data or applications and the confidentiality or integrity of sensitive data would be jeopardized by identity theft. This applies in principle to insurance companies and many government agencies, but also to financial service providers, educational institutions, and medical facilities, hospitals, and other companies in the healthcare industry. Companies in industry and commerce are also affected, as are medical practices, lawyers and auditors, who must ensure that their patient and client data is adequately protected.
If colleagues in the home office or field staff access business-critical company data and applications via a virtual private network (VPN), these accesses should also receive the best protection. In fact, the risks of identity theft are particularly high here. In the home office, just 42 percent of organizations use company IT exclusively, but employees’ private PCs are generally much easier to compromise. Companies should therefore rely on double security here as well and ensure VPN connections and two-factor authentication. According to the BSI, however, only around half of all German companies have made use of this so far.
If companies move their data and applications from their own network or data center to the cloud, the issue of secure access becomes even more important. Larger companies usually have an eye on securing their hybrid cloud environments. However, with Software as a Service (SaaS) such as Microsoft 365, which provides employees with office and productivity tools or other business applications for their daily work, the situation is often still different. These cloud applications are also used in many smaller companies, where security awareness is not yet quite as pronounced. Often, the applications are then used via standard log-in, although a large proportion of SaaS services also support secure two-factor authentication with TOTP.