How two-factor authentication protects cloud and SaaS services
Many companies use cloud and SaaS services to process personal data or sensitive information such as payment data. However, the company – and not the provider – is still responsible for the security of this data. Despite this, two-factor authentication, an additional layer of security for proving the identity of all employees, often remains unused.
With applications such as Microsoft 365, the Adobe Creative Cloud or the remote maintenance solution TeamViewer, even the smallest companies have now arrived in the cloud. However, the majority of companies have still not recognized the value of secure two-factor authentication. This is the conclusion of a recent study by the SANS Institute. Even after the pandemic-related obligation to work from home, 27 percent of respondents in the “SANS 2021 Password Management and Two-Factor Authentication Methods Survey” still stated that they had not yet implemented multi- or two-factor authentication. The reasons: For 38 percent of respondents, 2FA and MFA make life too difficult for users, while 25 percent believe that strong user authentication is too difficult to implement. A dangerous fallacy! The study also shows that careless handling of passwords continues to be a problem: 54 percent of all employees still use the same passwords for several work accounts, and 41 percent of company owners even note passwords on good old notepads. In view of data protection regulations and recommendations as well as the lax handling of passwords, there is no way around strong identity and access controls for companies. The concept of two-factor authentication has become established, and almost all leading online platforms now offer the option of logging in with an additional authentication factor in addition to the password.
Use Microsoft 365 securely with two-factor authentication
At the RSA Conference 2020, Microsoft presented striking figures that show how important multi-factor or two-factor authentication is for companies. The cloud giant processes over 30 billion log-ins from more than one billion users every day. Every month, around 0.5 percent of user accounts are compromised (over 1.2 million in January 2020). However, the likelihood of unauthorized persons gaining access to an account decreases drastically when strong user authentication is used. According to Microsoft technicians, more than 99.9 percent of compromised user accounts were not secured by MFA. “Not using multi-factor authentication today is almost grossly negligent,” warns Alexander Siegelin, Head of IT at the Kraftanlagen Group. Around 1,600 employees at his company regularly work with Microsoft products – more and more of them with Microsoft 365 and Microsoft Teams. However, when introducing two-factor authentication with time-based one-time passwords (TOTP), the Kraftanlagen Group did not rely on the Microsoft Authenticator smartphone app, but on a hardware solution, the REINER SCT Authenticator.
The advantages:
- No use of private cell phones over which the company has no control
- Far more secure than an authenticator app, as it cannot be attacked from the Internet
- Can be used in high-security areas where smartphones are not permitted
- Authentication independent of the technical equipment of the end devices used
- Parallel use for professional and private user accounts possible without any problems
And how much has double security via two-factor authentication made life more difficult for users? Not at all: “We hardly had any queries about its use,” reports Siegelin. Even employees who don’t work on a PC every day only needed a one-minute video to use the authenticator. The Kraftanlagen Group now also uses two-factor authentication to log in to the social intranet – and a single sign-on (SSO) via Azure Active Directory is already in preparation.
Set up two-factor authentication in Microsoft 365
Both Microsoft 365 and Office 365 support multi-factor authentication for user accounts by default. Try it out for yourself: The setup via QR code is done quickly! Sign in to office.com as usual and confirm the “More information” prompt with “Next”. In the first step of the setup, select the “mobile app” as the “authentication phone” and the option “Use verification code” as the login method before confirming by clicking on “Set up”. A QR code will now appear, which you can scan either on your smartphone using Microsoft’s Authenticator app or using a hardware solution such as the REINER SCT Authenticator. Then select “Got It” on the PC and confirm twice with “Next”. In the second step, enter the time-limited one-time password generated by the Authenticator to check your 2FA configuration. Finally, in the third step, enter a backup telephone number such as your office number and confirm with “Next” and “Done”. The next log-in will then take place using secure two-factor authentication.
Where necessary, the company’s global administrator provisions and configures multi-factor authentication for employees and home workers. In the Microsoft 365 Admin Center, the administrator can deactivate outdated MFA on a per-user basis and convert all company-wide accounts to modern authentication. Depending on the license, (risk-based) conditional access can also be configured via policies that determine when MFA is triggered, for example to take into account the user’s group memberships or the IP location information of the end device.
2FA protection for the cloud and company hardware
As with Microsoft 365 and Office 365, organizations and employees can use double security via two-factor authentication for a variety of other Internet services. Even securing company hardware – such as access to routers or NAS systems – is possible in this way. The following list provides a brief overview of the most important areas in which secure two-factor authentication with time-limited one-time passwords can be used:
- Applications: In addition to the cloud-based solutions from Microsoft, two-factor authentication is also possible in the Adobe Creative Cloud, the WISO tax applications from Buhl Data Service and other SaaS solutions.
- Remote Work: Company-owned routers from AVM’s Fritzbox series, VPN services such as ProtonVPN or VPN Unlimited, but also the Citrix Cloud for hosted desktops and apps support double security via 2FA and TOTP.
- Online storage: Dropbox and Strato HiDrive as well as self-hosted Nextcloud systems offer secure two-factor authentication as a log-in option. If additional data encryption is required, Boxcryptor also makes this possible.
- Teamwork: 2FA secures user accounts for Microsoft Teams, Skype and Zoom, as well as access to the Kanban-based task management system Trello or developer platforms such as GitHub or DevZone.
- Web presence: Content management systems such as WordPress or Cloudrexx, forum platforms such as the WoltLab Suite and social media accounts can be secured with 2FA, as can logins to web hosts such as Hetzner, Ionos or Cloudflare.
- Remote access: For remote control and maintenance of employee PCs via applications such as Anydesk or TeamViewer, two-factor authentication is also an additional security feature for incoming connections.
- Back-up: Even back-up data is attacked by hackers, spied on and, in the worst case, deleted. For example, 2FA secures access to company-owned NAS systems from Qnap or Synology as well as data backup solutions from Veeam.
- Email & Payments: For business customers, two-factor authentication is possible with almost all well-known providers in this highly sensitive area.
The REINER SCT Authenticator offers companies the highest level of protection for all these services. Unlike an authenticator app on a smartphone, the hardware-based TOTP generator does not require an internet connection and therefore cannot be attacked online. The pocket-sized device stores the electronic keys for up to 60 user accounts and generates the one-time passwords required for logging in precisely every 30 seconds.