Two-factor authentication with TOTP in companies
Two-factor authentication is far more secure than logging in with a user name and password alone.
For companies it should be a mandatory part of securing user accounts, because the German
economy has never been attacked as much as it is today. But 2FA and TOTP do not only protect
sensitive company data: they can also reduce license costs and make employees' daily work
easier at the same time.
At the end of 2021, Google made two-factor authentication (2FA for short) the default for around
150 million users. A long overdue step, because a password alone is no longer enough; security
experts agree on this. All major cloud and online services now offer two-factor authentication
to reduce the risk of phishing attacks and prevent account takeovers. Nevertheless, acceptance
of the security standard is still lacking, and not just among private users.
In a study on "Basic Account Hygiene" [1], Google showed back in 2019 that even the weakest
2FA variant (a randomly generated code sent by SMS to the user's smartphone) blocks 100 percent
of automated bot attacks. It also stopped 96 percent of bulk phishing attacks and 76 percent of
targeted attacks (spear phishing).
Cloud giant Microsoft, which processes over 30 billion log-ins from more than one billion users
every day, has come to similar conclusions. Microsoft engineers reported at the "RSA Conference
2020" that more than 99.9 percent of compromised user accounts were not secured with MFA. Yet
outside of online banking, only every second user uses multi-factor authentication.
Which cyber threats are currently threatening companies
According to the "Allianz Risk Barometer 2022", cyber threats are the biggest concern for companies worldwide [3].
Ransomware attacks, data breaches and IT failures worry companies even more than business and
supply chain disruptions, natural disasters or the Covid-19 pandemic. The concern is absolutely
justified: "Never before has the German economy been attacked as much as it is today," warns
Matthias Wachter, Head of the International Cooperation, Security, Raw Materials and Space
Department at Bundesverband der Deutschen Industrie e. V. [4]. "The number of attacks has risen
further during the corona pandemic because companies working from home are even more vulnerable."
The current "CRIF Cyber Reports" examine the exposure of individuals and companies on the open
and dark web [5]. The study shows specifically which data is most frequently affected, which
information can be found on the web and where data traffic is concentrated. According to the
report, email and password theft is currently hitting the USA, Russia, France and Germany the
hardest. For this reason, the authors of the study urgently recommend "activating two-factor
authentication to prevent hackers from accessing accounts, even after they have found out the
username and password".
How companies minimize risks with 2FA and TOTP
Two-factor authentication adds a second verification method to the user name and password.
Cloud services such as Microsoft 365 and company-owned virtual private networks (VPNs) that
connect employees working from home or in the field often use one-time passwords as the second
factor. Such a time-based one-time password (TOTP for short) is valid for a single use only and
only within a short time window. A series of blog posts explains how this technology works and
its possible applications in the world of work in more detail:
- Why two-factor authentication also makes sense for companies
In payment transactions and for many cloud and online services, double security
via two-factor authentication has long been standard. However, due to stricter rules for
data protection and increased remote access from home, proof of identity using 2FA
is also becoming increasingly important for corporate networks.
- How two-factor authentication protects cloud and SaaS services
Many companies use cloud and SaaS services to process personal data
and sensitive information. However, the security of this data is still the responsibility of the
company – and not the provider. Despite this, two-factor authentication
often remains unused for services such as Microsoft 365.
- How TOTP one-time passwords secure sensitive company data
Time-based one-time passwords add another component to the log-in process and
secure sensitive company data using two-factor authentication. But how do the
time-based one-time passwords actually work and what advantages does a
hardware authenticator offer?
- How KeePass works as a backup for a TOTP authenticator
A TOTP authenticator scans QR codes and makes it easier to switch to secure 2FA logins.
But what happens if the authenticator is lost? Then a backup of all
keys and passwords helps. A password manager such as KeePass manages this sensitive
data for two-factor authentication.
Basically, logging in with 2FA and TOTP works just as easily as the familiar TAN procedure in
online banking, where two-factor authentication has been used successfully for years. The
required one-time passwords, however, are six- or eight-digit numerical codes generated by a
so-called authenticator. This authenticator can either be an app on the smartphone or, more
securely and entirely without an internet connection, dedicated hardware such as the REINER SCT
Authenticator.
How two-factor authentication secures company networks
Double security via 2FA is effective but makes life too difficult for employees: such
reservations can still be heard in companies and in corresponding studies. However, a practical
example shows very clearly that 2FA and TOTP can even increase convenience and drastically
reduce complexity for administrators and users.
In mid-2020, for example, Treuhand Saar Steuerberatungsgesellschaft mbH in Saarbrücken was
planning to reorganize its IT and improve its VPN infrastructure. During the implementation of
the project, com4data GmbH from St. Wendel used the Citrix NetScaler as the VPN gateway and the
REINER SCT Authenticator to generate the one-time passwords.
This combination offers a whole range of advantages: cumbersome VPN installations and annoying
license costs for VPN clients are a thing of the past. Because the NetScaler can also act as an
RDP proxy, no VPN client needs to be installed at all. Instead, home office and field service
employees log in to the NetScaler user portal via a web browser. Thanks to the Active Directory
connection, this works with the same login data as at the office workstation. After the initial
logon, the one-time password is requested as the second factor; here the REINER SCT
Authenticator effectively replaces the previously used VPN client.
Access runs over standard protocols such as HTTPS (HTTP over TLS) and therefore also works from
public hotspots or guest WLANs. Employees can now even use private PCs or computer systems on
site without administratively complex software installations. As the NetScaler also acts as a
reverse proxy, the remote client never establishes a direct connection to the company's own
server farm. Instead, employees connect only to the NetScaler, which then establishes the
connection to the server farm on their behalf. Once an employee has finished their work, they
simply close the browser window to end the connection. Connecting external workers could hardly
be more convenient!