Two-factor authentication is the right way to better protect accounts and data from unauthorised access and therefore theft and misuse. But which method is best suited if a company wants to introduce an office-wide standard? Cybersecurity expert Ulli Holtgrave has conducted a pilot project on this topic together with a painting company.

Introducing two-factor authentication - but how?

SR-Malereiunternehmen GmbH, based in Strullendorf near Bamberg, is a craft business with around 30 to 40 employees, including seven office staff who work digitally every day. As part of a planned cyber insurance policy, the requirement was formulated to introduce two-factor authentication (2FA). Although there was already a basic understanding of security in the company, there was uncertainty about which procedures were best suited and how these could be integrated into everyday working life - especially as the entire infrastructure in the office area was to be secured.

The people in charge became aware of DAISEC at an event organised by the Chamber of Skilled Crafts and subsequently approached us with a request for independent, practical advice.

Consultancy and pilot phase: support from DAISEC

During the initial consultation, we worked with the company to take stock of the options for two-factor authentication. We presented various methods - including TOTP (time-based one-time passwords), biometric methods and, above all, FIDO2, a current industry standard that is being co-developed by Google, Microsoft and Mozilla, among others, and is actively supported by the BSI. The aim of this standard is to replace passwords in the long term and thus significantly increase security and user-friendliness.

Originally, the company had considered using e-mail codes as a second factor. However, during discussions it quickly became clear that this would not be practicable in their specific infrastructure - especially as it is not possible to access emails on the login screen. We therefore recommended FIDO2-based hardware tokens, which we evaluated together in a pilot project. In the end, we chose the YubiKeys from Yubico.

In a one-month test phase, three employees - including the management and an office worker - were initially equipped with FIDO2 keys, and an additional backup token was provided. During this phase, all other login methods were deactivated in order to gain realistic experience in everyday working life. The setup and training took place on site in Strullendorf, where we were always available as a contact and sparring partner. The company was also supported by Holger Bär, innovation consultant at the Chamber of Crafts for Upper Franconia.

More security through modern authentication

After around a month, we and the company drew a thoroughly positive conclusion: the introduction of FIDO2 authentication went smoothly, the employees were satisfied with the handling and there were no serious obstacles to use in everyday life. Based on this experience, SR-Malereiunternehmen GmbH decided to extend the rollout to the entire company and secure all office workstations with YubiKeys and FIDO2 authentication in future.

The project is an example of how great the need for guidance is, especially in smaller companies, when it comes to modern authentication procedures. At the same time, it shows how targeted advice and practical tests can help to successfully master the leap to future-proof security standards such as FIDO2. The phishing resistance of the procedure is particularly noteworthy: thanks to the underlying public key cryptography, FIDO2 methods are the only current state-of-the-art procedures that effectively protect against phishing - a decisive advantage in times of growing cyber threats.

Managing Directors Christina and Andreas Böhm present the hardware tokens. The siblings are the third generation to run the painting company.


THE COMPANY

SR Malereiunternehmen GmbH is a family-run painting company founded in 1994. With a multinational team of 30 creative minds, the company realises customer wishes using state-of-the-art methods and technologies - in Bavaria and beyond.
