Become Part of our Team and Push Digital Sovereignty
- Teamleader IT / Project Manager (m/f/x)
- IT Consultant (m/f/x)
- Outbound Sales Represantative (m/f/x)
As part of our “Brief introduction” series, you will learn today what is meant by two-factor authentication.
If you are planning to use security software, you will surely stumble upon this term, as this method provides additional protection for your business when it comes to login processes, especially for data-sensitive areas. Often enough, it has happened in the past that the identities and associated passwords of users from, for example, large mail providers like Yahoo were stolen. As users often use the same password for different services, there is a risk that the criminals use the stolen data to gain access to other services, thus causing great damage. Securing user authentication against sensitive areas or business-used services not only by requesting a password but also through a second authentication, data breaches become much more difficult for attackers.
In addition to the brief explanation of the concept of the two-factor authentication, I would like to briefly describe the “challenges” that you could have in implementing such a solution in your organization.
Let’s start with …
Authentication means the verification of an entity that it is really the one that it seems to be. For example, the login to a Windows client is already an act of authentication. The system’s authentication service verifies the entity, here the user, and then grants access to a defined context and time (in this case, Windows).
There are different types of authentication, which are described shortly here.
With regard to the two-factor authentication, there are various processes that relate to the second factor:
Authentication via the input of a generated passcode as the second factor is considered as an indirect authentication process. The passcode can be sent, for example, by SMS or be generated within an app.
A (semi-) automatic authentication is characterized by a deeper integration into the login workflow, for example with technologies such as NFC or Bluetooth. Using personalized mobile devices, these technologies allow a semi-automatic, i.e. without data input, or a fully automatic authentication of users.
Two-factor authentication or 2FA is the authentication of a user against one system using two different, independent components (factors).
The components for withdrawing money at a cash machine are, for example, the bank card itself and the pin code. Only if both components are provided and correct, the system allows access. This requirement makes it much more difficult for attackers to being a legitimate user.
Factors are classified into three types:
Challenges arise for IT managers with regard to acceptance and applicability.
Acceptance of a Two-Factor Authentication Solution
Acceptance among users is a classic dilemma IT managers are facing and from my experience, they handle it very differently. It often depends on the individual manager who is responsible whether 2FA will be introduced into the corporate systems or not.
Users, of course, tend to react rather negatively towards the introduction of a second factor for authentication. They usually see the benefit, but the additional effort is, of course, a much stronger argument. Here it is important, from my point of view, to approach users at an early stage in order to increase their acceptance of this measure.
The early information of all users is the most important measure. Another helpful measure is the identification of key users, where 2FA is first introduced. These key users can already gain first experience. And later during the corporate-wide introduction of 2FA, these first users can support the rest of the team with advice and action if necessary.
Looking at usability, there are two crucial questions to ask:
The first question seems to be trivial, but from my experience it is very important: Only if you are really aware, when, where, how and how often the individual employees log in to the company, optimizations can be made in this area.
For example, I already have experienced it in customer projects that the introduction of 2FA was implemented in parallel to the introduction of SSO via SAML. In this case, the users had to log in much less frequently and therefore the acceptability was notably much higher.
The question regarding the integration into the login workflows is, in principle, easier to answer. There are two crucial workflows that should be considered here:
As to 1)
If the instructions described in the section “Acceptance” are implemented, it is my experience that all kinds of 2FA (indirect and (semi-) automatic) are well accepted by the users.
As to 2)
The rollout of authentication tokens is a subordinate criterion, but should not be underestimated. It should be noted here that this rollout should be possible for users independently and also for administrators by means of a multiple rollout.
Generic security considerations are very difficult in the organizational or corporate context. The fields of application are very diverse and the degree of protection that each service requires can be very different.
If you would like to get advice for this, we would be pleased to get you in touch with a contact person.
Univention positions itself as a platform manufacturer and provides all the necessary interfaces to integrate 2FA. We have been supporting various projects and with privacyIDEA4UCS we provide a third-party application via the Univention App Center, which implements 2FA with UCS.
We are pleased if we were able to give you a good idea about what is the concept of the two-factor authentication and the problems that can arise during the implementation of such a security solution.
As said, if you feel, you need more consulting, please contact us via our contact form.
Further information on 2FA and data security can be found on the following pages:
 Wikipedia: Multi-factor authentication
 Two factor authentication everywhere with privacyIDEA LDAP-proxy
 Data Security Thanks to Multiple-Factor Authentication in UCS with privacyIDEA + SAML
 Single Sign-On for UCS 4.1
Michel joined Univention in January 2014, initially working in the Professional Services team as an education project manager. Here he was involved in various projects in the school administration environment. Currently, as Product Manager Education, he is responsible for the entire education sector at Univention and is working on sustainably advancing digital education in Germany. When he finds time next to family and work, his personal interests are running, football and cooking.