
2FA in the company

Reading time: 6 minutes

Why two-factor authentication also makes sense for companies

User accounts protected only by a password are no longer adequate for sensitive data. In payment transactions and for many online services, two-factor authentication has long been standard. Stricter data protection regulations and the increase in remote access from home mean that proof of identity via 2FA is becoming just as important for corporate networks. Often there is only a single password between attackers and sensitive company data: the user name can usually be derived from personal data, and careless password handling, social engineering or brute-force attacks quickly open the door. Two-factor authentication closes that gap by requiring a second, independent proof of identity in addition to user name and password.

Two-factor authentication has been common practice at ATMs for years: the bank card (EC card) is the first factor, and cash is only dispensed after the PIN, the second factor, has been entered. For a long time, online banking worked in a very similar way with a PIN and the transaction numbers of an iTAN list as one-time passwords. PINs and iTANs no longer offer sufficient security, however, which is why regulations now require payment service providers to use “strong customer authentication” (SCA).

Two-factor authentication in payment transactions

Electronic payment transactions involve not only highly sensitive data but also a lot of money, so the highest security standards should be a matter of course here. This is why the second Payment Services Directive (PSD2) has forced many companies to implement two-factor authentication (2FA for short) since 2021. It affects all companies that accept or process online payments: not only banks, but also fintechs, payment service providers, online stores and online providers of accounting software. A second security feature is now mandatory for electronic payments. Two of the following three factors are required for a payment:

  • Knowledge: something only the user knows, for example a password or PIN
  • Possession: something only the user has, such as a bank card or smartphone
  • Inherence: something the user is, such as a fingerprint or facial recognition

For banking transactions, these requirements are implemented with chipTAN and Sm@rt-TAN using dedicated TAN generators. These devices generate a TAN for a transaction with the help of the bank card and meet high security requirements. The photoTAN and SecureGo procedures, on the other hand, generate the TAN in a smartphone app. No additional device is needed here, but a smartphone is also easier to compromise, for example with the Android banking malware “Cerberus”. Web services secure their log-in in exactly the same way with a one-time password that is valid for a single use and is derived from the current time, so it expires after a short interval (time-based one-time password, TOTP for short). These one-time passwords can likewise be generated on a smartphone or, considerably more securely, on separate hardware such as a dedicated authenticator token. TOTP raises the bar for keyloggers and stolen-password attacks, and makes phishing harder because a captured code is worthless once its interval has passed; note, however, that a real-time phishing proxy can still relay a code within its validity window, which is why the code should be protected against reuse on the server side. TOTP already secures access to office suites such as Microsoft 365 and remote maintenance tools such as TeamViewer in many companies, and the same technology can be used within your own company network.

Data protection regulations and recommendations
One of the main reasons for securing the company network with two-factor authentication using time-limited one-time passwords (TOTP) is that data protection regulations have become much stricter in recent years. The EU General Data Protection Regulation (GDPR), for example, obliges companies to take the state of the art into account when processing sensitive data. The GDPR formulates this requirement in Article 32, “Security of processing”:

“Taking into account the state of the art, (…) the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”

In its “Handreichung zum Stand der Technik” (guidance on the state of the art), the Bundesverband IT-Sicherheit e. V. (TeleTrusT) recommends two-factor authentication for hardening server systems. Without it, companies would have to enforce strong, standardised password policies for user passwords (length, complexity, lockout counter, change cycle and so on). The German Federal Office for Information Security (BSI), an authority under the Federal Ministry of the Interior, goes a step further in its recommendations for protecting user accounts: it collects its guidance on authentication procedures in module ORP.4 “Identity and authorisation management” of the IT-Grundschutz compendium and the accompanying implementation notes. According to these, companies should consider in general whether passwords should remain the sole authentication method. For user accounts with far-reaching authorisations in particular, the BSI recommends strong authentication with at least two authentication features, for example a password plus an additional, time-limited one-time password (TOTP). If personal data is stolen, companies face not only reputational damage but also fines of up to 20 million euros or four percent of annual turnover. In the event of an incident, the affected organisation has to demonstrate that it complied with the GDPR and protected the data to an appropriate level. Given the BSI recommendations, it is already doubtful in many cases whether a simple user account and password still provides that level of protection.

Two-factor authentication in the company

Strong authentication in your own company network is particularly necessary if employees have access to internal, security-critical data or applications and the confidentiality or integrity of sensitive data would be jeopardized by identity theft. In principle, this applies to insurance companies and many public authorities, but also to financial service providers, educational institutions, medical facilities, hospitals and other companies in the healthcare sector. Companies in industry and commerce are also affected, as are medical practices, lawyers and auditors who need to ensure that their patient and client data is adequately protected.

If colleagues working from home or in the field access business-critical company data and applications via a virtual private network (VPN), these accesses should also have the best possible protection, because the risk of identity theft is particularly high here. Only 42 percent of organisations use exclusively company-owned IT in the home office, and employees’ private PCs are generally much easier to compromise. Companies should therefore also insist on double security here and protect VPN log-ins with two-factor authentication. According to the BSI, however, only around half of all German companies have done so to date.

When companies move their data and applications from their own network or data centre to the cloud, secure access becomes even more pressing. Larger companies usually concentrate on securing their hybrid cloud environments. The situation is often different for software as a service (SaaS) such as Microsoft 365, which provides employees with office and productivity tools or other business applications for their daily work. These cloud applications are also used in many smaller companies where security awareness is not yet as well developed, and they are then frequently accessed with a plain user name and password, although the majority of SaaS services support two-factor authentication with TOTP.

More convenience thanks to two-factor authentication

It is important for companies to raise employees’ awareness of IT and information security and to involve them in the introduction of new security measures. This also applies to the company-wide roll-out of two-factor authentication. Logging in with an additional factor naturally takes a little more effort at first. Standardised hardware tokens for generating time-limited one-time passwords, however, not only increase security compared with purely software-based 2FA solutions but also make it easier for IT to support employees.

The introduction of identity and access management (IAM), which consolidates all access rights and resources, offers additional convenience for IT and for all employees, particularly in hybrid cloud environments. IAM solutions, which are now also available as cloud services, make it much easier for IT admins to manage user identities and access rights, and they give employees, service providers and partners simple access via single sign-on (SSO). Users then enter their credentials and second factor once to reach all company data and applications, whether in the cloud or behind the firewall of the company network. This convenience not only increases productivity but also the acceptance of double security via two-factor authentication.