
Why your website needs a login!

Whether a website needs a login or not is a question that can be answered quickly – Yes! In this blog, we will take a closer look at the question of why a website needs a login.

The significance of websites for businesses

The fundamental idea of a website has remained the same: a company wants to present its services on the web and get noticed by users. However, the structure of websites has changed over time, as technological developments created more opportunities to reach users. In addition, as competition for the user’s attention increased, dynamic, interactive elements became a key feature for generating leads and interacting with customers. Companies broke away from static pages, and creativity was needed to spark the user’s curiosity. In the simplest case, websites feature news and blog sections equipped with comment functions, social sharing buttons, and more. It is also popular to provide whitepapers, reports, or stories on the website, offering the interested party further added value and receiving their contact details in return. Overall, the informed user, who has evolved with digitalization, is very interested in information, so that online events such as webinars also have their appeal.

To sum up, the website is the entry point into the digital world of the company and a part of the digital services.

Why does the website need a login or an Identity & Access Management?

To put it in a nutshell: studies show that personalized calls-to-action perform 202% better (Hubspot, 2020), a great and often untapped potential to engage visitors. The relevance of personalization came about because of Big Tech: users nowadays experience an information overload, and the big players managed to alleviate it by providing results tailored to the user.

Furthermore, behind every interaction with a company, be it the comment function, the download of a white paper, or participation in an event, the user expects to encounter exactly that company. Separate registrations and data silos for the different functions cause resentment. Apart from the fact that companies have to merge the data in the background at great expense in order to obtain a uniform view of the user, his activities, and interactions, it becomes very complex to offer a continuous customer journey. In the end, users, stressed by being asked for the same data over and over again, react dejectedly at a time when customer experience is being capitalized on.

If you offer a login on the website, users can access your complete offering smoothly, without an authentication barrier: commenting, downloading whitepapers, or registering for events. The special added value comes with functions such as “Stay logged in” or Single Sign-On as soon as further digital services are available, e.g., a webinar tool. User convenience creates enthusiasm, leads to more interactions and gives you the opportunity to get to know your users better. The website is the entry point into the digital world of your company, so that further services such as webshops, configurators, or digital consulting services can now be discovered by the user. Create a continuous customer journey by identifying users and converting them from prospects to customers. This also makes it possible to retain customers in the long term, to inspire them with new content, and to make them offers that match their activities.

Through a clear, cross-channel identification of the user, the user’s journey can be designed and his activities, whether a webinar visit or a purchase in the webshop, can be viewed uniformly. Against this background, the user benefits from an inspiring user experience and from control of his or her data, which he or she can manage, expand, or, if desired, delete in his or her personal profile in compliance with data protection law (GDPR).

The customer journey from prospect to customer is industry-dependent

The journey from the first point of contact of a prospect to becoming a customer varies depending on the company. For example, a retailer offers users a digital shopping list as an entry point, which users can use without personal data, only with their email. As soon as a purchase is made, the user receives his customer card, with which he can use discounts, vouchers or loyalty points, and for which he can then enter further data such as name and address.

By contrast, the customer journey for a medical technology company looks quite different, often due to legal framework conditions. A dental technology manufacturer offers users a simple entry point to its website, but for booking events, further information such as name and address is required. Conversion to a customer, on the other hand, is more demanding, because legally relevant information such as a certificate of competence is required for the purchase of medical products.

The customer journey changes depending on the company and the context. This is true not only for the necessary data or the verification of users, but also, for example, for the requirement of strong authentication for a bank transaction or for access to patients’ medical data.

Thinking a step forward, the focus is no longer on the user alone, but on an entire user group.

  • A medical technician is a group of diverse users, often in different roles.
  • The visit to the amusement park takes place as a family or group of friends.

The unique customer experience includes recognizing the user unambiguously and across all channels, but the next added values are created in the context of the user’s group:

  • The manager of the medical technology company can manage his own user group or
  • The buyer manages the tickets to the amusement park and simply invites his friends to this event.

The reasons for a modern Cloud Identity & Access Management for website login

A modern Cloud Identity & Access Management is the right choice for the implementation of a website login for several reasons.

  1. It enables a fast and cost-efficient realisation of a website login.
  2. It provides many functions out-of-the-box that ensure a great customer experience, such as single sign-on, “stay logged in” or social logins.
  3. It provides functions for a good customer journey, including progressive profiling for the collection of context-specific data, such as the address when a prospective customer logs in to the web shop.
  4. It provides functions to secure applications, functions and data, such as multi-factor authentication or API security with OAuth2.
  5. It provides a user profile through which users can maintain their own data.
  6. It offers modern group management for the administration of different user groups for B2B and B2C use cases.

TOP 5 IT trends in Healthcare & MedTech – Rising Innovations and how Identity Management enforces them.

The role of Cloud Computing and Identity & Access Management in Medical Engineering

The healthcare sector is one of the most promising industries and will become even more interesting in the future. The demands and needs of patients or customers are becoming increasingly important. Like many other industries, the healthcare sector is evolving from standardized to personalized services; keywords such as patient-centered care or personalized medicine are mentioned frequently. In this context, digitalization is seen as a major milestone on the way from the fix-it-with-a-pill mentality towards personalization. Digitalization is driven primarily by information technology and therefore demands sophisticated IT services.

Let us have a closer look at the technology and IT Trends in the healthcare and MedTech sector in 2021.

Trend # 1: Artificial Intelligence (AI)

Artificial intelligence is triggering a major shift in many industries and is also having a massive impact on healthcare. On the one hand, the use of artificial intelligence leads to an increase in productivity and thus also to a reduction in the workload of medical staff and a reduction in costs. This takes place through (partial) automation and optimization of various processes, as well as intelligent support in daily processes and daily work. Artificial intelligence can take over more and more, and increasingly complex, everyday tasks. In the context of growing demand and the increasing challenge of treating a larger number of patients, this is essential for high-quality healthcare.

Even more important than the expected increase in productivity is the improvement in care itself. Artificial intelligence (AI) is opening new and efficient ways to track, diagnose and treat patients and their condition. For example, AI can help in the detection of diseases, but also in the research and development of new diagnostic procedures. Artificial intelligence is also able to help with the appropriate medication of diseases, taking the patient’s personal history into account, thus enabling targeted and personalized treatment and healthcare for the patient. Here, both the processing of huge amounts of data and the at least partially autonomous use of this data, especially in real time, are decisive factors.

Trend # 2: 5G Capability

5G technology is a game-changer in overcoming borders, be they environmental, geographic or societal. A stable, high-quality and, above all, fast network makes it possible to operate in Asia from Germany or vice versa. Globally, the impact of 5G in healthcare is critical to providing fast, reliable healthcare in rural or hard-to-reach areas.

Furthermore, 5G is also the entry point for connecting the various devices and components in medical technology, be it mobile devices or sensors and actuators in medical devices. Thereby, 5G makes it possible to create a high-quality network and establish an ecosystem for medical technology.

Thus, 5G technology is the foundation for telemedicine and further evolutionary changes in healthcare.

Trend # 3: Robotics

Robotics technology will impact healthcare in several ways, for example by assisting medical staff in the treatment or follow-up care of patients. In this way, medical staff will be relieved, costs will be reduced, and the quality of healthcare will be improved.

Microrobotics can lead to a significant boost in healthcare; for example, it can make previously impossible or risky surgeries possible or perform existing medical procedures in a more targeted manner.

In addition, the fields of prosthetics and the long-term treatment of, e.g., chronic patients are also promising. More sophisticated prostheses can significantly enhance patients’ living conditions. Previously irreparable damage can be partially compensated for by novel prostheses. And chronic treatment can be refined through targeted monitoring with robotics technology.

Trend # 4: 3D Printing

3D printing will change the way of manufacturing, customizing, and prototyping in healthcare and medical engineering. As in many industries, 3D printing allows rapid development and manufacture of prototypes, thus speeding up the development of new products and components as well as supporting early testing. Moreover, 3D printing enables batch-size-one manufacturing, thereby allowing the manufacture of individual and personalized prostheses, which not only focuses on the custom fitting of prostheses but also enables the manufacture of unique parts for a special and precise purpose.

Going further, 3D printing can also have a massive impact on the manufacturing structure in MedTech. A move away from centralized manufacturing of medical devices to decentralized production is possible, especially in remote or difficult-to-access areas, where devices could be manufactured locally with 3D printing.

Trend # 5: CIAM – The power of Identity & Access Management

Now that we have highlighted 4 current IT trends and innovations in the healthcare industry, let us turn our attention to the 5th trend, Identity & Access Management. Identity & Access Management plays a key role in the healthcare industry and medical technology. In a connected industry, exchange and collaboration between the various players are fundamental. In the context of identity & access management, the administration of users and user groups, as well as the associated roles and rights, forms the basis for this. Beyond that, functionalities such as single sign-on and authentication, e.g., via passwordless authentication, ensure convenience for users. The area of security and access management, e.g., through multi-factor authentication and API security, is essential for sensitive data and applications such as those in the healthcare industry.

However, many innovations are also being developed in the area of identity and access management, which in turn pave the way for innovation in medical technology. Examples are the developments in the area of the Internet of Things with Device Authority and Real-World Identification, which have a great influence on robotics but are also exciting in interaction with 5G.

Considering the feature set a modern Identity & Access Management can deliver out of the box for digitalization in the healthcare sector, as well as the “feature set to come” paving the way for new innovations, Identity & Access Management is a game changer among IT trends in healthcare and MedTech.

Summary – Rising Innovations and how Identity Management enforces them.

Technological advances are creating promising solutions to the challenges that we are facing in the healthcare and MedTech sector today. Artificial Intelligence, 5G capabilities, robotics, or 3D printing are some of the technological advancements that we can anticipate in the coming years.

Companies are also leveraging digital platforms to communicate with patients and doctors. Consumers, be it patients, doctors, or other parties, have become ever more tech-savvy and are constantly on the lookout for convenience. Investments in remote diagnostics, online prescriptions, and treatment support solutions are expected to increase, with digital health solutions at the forefront to deliver excellent medical services in the new normal.

A modern Cloud Identity & Access Management like cidaas can be a driver on both dimensions. On the one hand, it can drive innovation and digitization, and on the other, it can enable secure access and consent management for data management and processing.

The role of Cloud Computing and Identity & Access Management in Medical Engineering

Prior to understanding the role played by Identity & Access Management in Medical Engineering as well as the synergies between both, we need to have a closer look at today’s medical engineering sector in the context of digitalization.

Modern-day medical technology has evolved to eradicate the boundaries set by the physical world. A doctor is now more accessible to a patient living thousands of miles away by way of cloud-based connected applications. Similarly, a patient is not restricted to going to a hospital for initial tests; instead, they can walk into kiosks equipped with newly invented micro-devices specialized for a certain scope of tests. Even more, many such types of equipment are available for off-the-shelf purchase, so that customers have a micro clinic at home to perform small daily tests. Such innovations are not only solving today’s issues in healthcare, like a lack of medical infrastructure and staff, but are also key drivers for personalized healthcare.

All these require a robust cloud-based framework to securely and swiftly transmit information. With several modern, scalable cloud technologies, this has become seamless. Data security and privacy protection become key: secure storage and transmission of data is a crucial element in such large solution architectures, be it patient data or data of medical equipment.

In the same context, Identity & Access Management comes into play. Collaboration between different players, be they patients, doctors, or MedTech partners, is becoming a key component in modern and personalized healthcare. To enable users for such close cooperation, an Identity & Access Management is crucial: users expect a single sign-on experience across the various tasks and systems they have access to. Furthermore, in the context of processing sensitive user and patient data, it is important to leverage security features like multi-factor authentication, be it mandatory or adaptive, as a response to fraudulent activities. In that respect, a user may also have multiple roles in the whole workflow; hence, once the circumstances change and the user switches to an application or role with access to sensitive data, a step-up authentication might be required to achieve strong user authentication and grant access.

The management of data often goes hand in hand with the management of consent, which can be anything from consent to terms of use or data protection, to consent to the transfer of data, e.g., in the course of a transfer to laboratories or other partners. Managing the consents of users along with the identity is useful and enables a unified view of users, as well as the best control of authorization to data and applications.

Identity & Access Management becomes even more important, since it no longer only focuses on people, but also extends to a wide variety of devices, from mobile devices to micro-devices and IoT sensors & actuators. In addition, the management of healthcare data associated with an identity or user, be it gathered at home in a “micro-clinic” or at the regular visit to a doctor or laboratory, is the foundation and source for personalized healthcare. This makes Identity & Access Management a key component and game-changer in modern medical engineering.

cidaas, the European cloud identity and access management system from Widas ID GmbH, delivers an out-of-the-box solution for federated identities, single sign-on, and multi-factor authentication. With cidaas, companies create a unique user identification and maximum security across all channels. Based on the standards OAuth2.0, OpenID and its “Everything is an API” architecture, cidaas can be seamlessly integrated into any software landscape and scales effortlessly up to many millions of users.

To know more about cidaas in medical engineering have a look at:

  • Factsheet: cidaas for healthcare. The most important reasons for using a CIAM solution to comply with regulatory and legal requirements in the Healthcare industry have been summarized in this fact sheet.
  • White paper: cidaas ID Validator for Mobility. A leading global supplier of complete systems and products for implant dentistry and implant-borne restorations wanted to redefine its customer approach in order to adapt itself to the digital age.

Innovative strength through digitalization of the entire value chain

LDAP-IDP service with cidaas integration

In 2021, companies will continue to use LDAP services to authenticate users. Even though it is obvious that OpenID Connect and OAuth2 are the new de facto standard for user authentication, the change has to be well planned. Therefore, in some environments it makes sense to use migration procedures that accelerate the widespread introduction of cidaas with the help of this LDAP service. This article describes what the cidaas LDAP service does, how it can be used in companies and which security aspects have to be considered.

01 Motivation

LDAP services, for example Microsoft’s Active Directory, Oracle Internet Directory and OpenLDAP, store information in a directory tree structure. In this way, organisational structures are mapped and the employees in these organisational units are organised. Managing a password for each employee (user) is then only a small step towards user authentication with an LDAP service. For this reason, LDAP services are often used in companies for user authentication. Some manufacturers have extended the directory structures to such an extent that system elements such as computers or printers are also managed in these directory services.

New and powerful standards have evolved with the advent of the Internet and the mobile era, enabling secure user authentication and more powerful authorisation management. The chart below shows the evolution of authentication and authorisation standards.

[Figure: timeline of authentication and authorisation protocols and standards]

Ever since “digitalization” became the dominant theme, secure and future-proof IAM solutions such as cidaas have been in demand. The cidaas LDAP-IDP service is designed to enable a compatible connection of LDAP clients in order to significantly accelerate migration projects. cidaas supports the OpenID Connect, OAuth2 and Device Authorisation protocols. In addition, cidaas offers many passwordless verification methods for users which, in combination, enable multi-factor authentication.

With the cidaas LDAP service, the user authentication of an existing LDAP service in the company can be replaced, so that the user management and the user authentication are carried out centrally in cidaas. With this

  • an SSO with the same user credentials is achieved
  • cidaas can be used securely as a Cloud SaaS with LDAP
  • users can be managed centrally (user information, locks, permissions)
  • Existing applications can still be used if an OIDC/OAuth2- or SAML2-based authentication method is not available, or not yet available.

02 Flashback LDAP

[Figure: tree structure in LDAP]

A directory tree offers the possibility to store different kinds of information and to search for it. Structuring information in a directory tree is fundamentally a good idea if the information follows a hierarchy. This has been a practical approach in companies for many years, especially where the organizational units are structured functionally and hierarchically. For example, to assign different permissions to applications, user groups were formed, whereby a user group can also correspond to a user role; in most systems these groups are then also mapped to roles.

For users, a password can also be managed in the LDAP element and, depending on the implementation, a history of passwords used. These passwords are usually stored as hash values (e.g., SHA-1 or SHA-256). This makes it possible to authenticate users with the combination “user ID and password” in the LDAP server.
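To make the hashed userPassword storage described above concrete, here is an added example (written for this article, not code from cidaas or any LDAP server) that encodes and verifies values in the common RFC 2307 / OpenLDAP style, which is assumed here: a scheme tag such as {SSHA} followed by base64(digest || salt). It also classifies stored values for a directory audit, so that unsalted entries can be flagged.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional

# Scheme tag -> (hashlib algorithm, salted?). {SHA}/{SSHA} follow the
# RFC 2307 convention, {SHA256}/{SSHA256} the OpenLDAP pw-sha2 style.
# Assumption for this example: the salt is appended to the digest.
_SCHEMES = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "SHA256": ("sha256", False),
    "SSHA256": ("sha256", True),
}


def make_userpassword(password: str, scheme: str = "SSHA256",
                      salt: Optional[bytes] = None) -> str:
    """Encode a password as an LDAP userPassword value, e.g. {SSHA256}base64(digest||salt)."""
    algo, salted = _SCHEMES[scheme]
    if salted:
        salt = os.urandom(8) if salt is None else salt
    else:
        salt = b""  # unsalted schemes ignore any supplied salt
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_userpassword(password: str, stored: str) -> bool:
    """Check a candidate password against a stored userPassword value.

    Returns False (never raises) for malformed values or unknown schemes,
    and compares digests in constant time.
    """
    if not stored.startswith("{"):
        return False
    scheme, sep, b64 = stored[1:].partition("}")
    if not sep:
        return False
    scheme = scheme.upper()
    if scheme not in _SCHEMES:
        return False
    algo, salted = _SCHEMES[scheme]
    try:
        raw = base64.b64decode(b64, validate=True)
    except (ValueError, binascii.Error):
        return False
    dlen = hashlib.new(algo).digest_size
    # Salted values carry the salt after the digest; unsalted ones must be exactly one digest.
    if len(raw) < dlen or (not salted and len(raw) != dlen):
        return False
    digest, salt = raw[:dlen], raw[dlen:]
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def audit_userpassword(stored: str) -> str:
    """Classify a stored value for a directory audit: 'salted', 'unsalted', 'cleartext' or 'unknown'."""
    if not stored.startswith("{"):
        return "cleartext"  # no scheme tag: the value is stored as-is
    scheme, sep, _ = stored[1:].partition("}")
    if not sep or scheme.upper() not in _SCHEMES:
        return "unknown"
    return "salted" if _SCHEMES[scheme.upper()][1] else "unsalted"
```

Running audit_userpassword over an export of userPassword attributes shows which accounts still rely on unsalted or cleartext storage before a migration.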

03 Distinctions between LDAP and cidaas

It is unfair to talk about the advantages and disadvantages of both technologies or products, because the advantages clearly lie with cidaas.

03.1 Security-relevant points of critique with LDAP

  • The LDAP(S) protocol does not provide for any pre-authentication of the client application, which means that basically any application can call the LDAP service.
  • User authentication with LDAP can be implemented in different ways, but it is usually assumed that a search for the user has been carried out first.
  • The administrative authentication can be regarded as token authentication, because the LDAP protocol is not a stateful protocol but rather requires a sequence of calls, e.g.:
    1. bind with an administrative user,
    2. search for objects, or bind of a conventional user.
  • LDAP services must accept anonymous requests from any client in order to provide the capabilities or structural information about the directory. This access must additionally be restricted, for example by means of a firewall.
  • It is basically impossible to prevent an LDAP service from returning the hashed password to the client, which makes local brute-force attacks easier.
  • Fundamentally, the LDAP service is, among other things, only a “user authentication service” whose functionality is based on knowledge, namely “user ID and password”. Beyond that, the LDAP service does not offer any further verification procedures.
  • As a consequence of the described weak points, an LDAP service cannot be used as a public interface on the Internet for authentication, e.g., in web applications or mobile applications.

The use of an LDAP service in a secure, closed environment is generally less problematic as long as there is appropriate monitoring and regular auditing.

03.2 Missing functions in LDAP

  • LDAP services are basically structured in such a way that central administration takes place; shared administration causes a high organizational effort. The management of sub-trees is a theoretical construct that rarely works in practice because, for example, users in several organizational units have to be managed from a central location.
  • User self-services are difficult to achieve via the LDAP protocol and are usually implemented via additional products.
  • The link between user authorisations and an application cannot be verified by the LDAP service because only the data is available but not the necessary logic.
  • Multi-factor authentication or fraud detection is not available in LDAP services.

03.3 Other paradigms

LDAP implements a directory tree; cidaas does not. This means that navigation within hierarchies is not possible in a meaningful way in cidaas. Instead of a tree structure, cidaas uses a group concept and user roles that can be used flatly and simply from an authorization perspective. This results in more powerful ways to filter users. cidaas implements only “group” and “user” objects.

03.4 Reasons for using the cidaas LDAP Service

The cidaas LDAP Service can be used once cidaas is implemented. It is useful if existing applications need LDAP for a defined period of time and will only adopt new authentication standards in the course of their lifecycle management.

04 Integration of cidaas LDAP Services

04.1 Integration architecture

The cidaas LDAP service is provided as a Docker image and operated on a server system within the company. The LDAP service should not be operated in the cloud, nor should it be publicly accessible. cidaas itself can be used as SaaS, as intended, since the LDAP service connects to it via secure, internet-enabled protocols.

[Figure: LDAP-IDP service with cidaas integration]

Each LDAP client is configured in cidaas as a standalone app and assigned individual group and role permissions. This ensures that a client system does not gain access to user information outside its scope. The cidaas LDAP service can therefore be considered more secure than traditional LDAP services.

04.2 Restrictions

The cidaas LDAP service has a defined functionality that is limited to user authentication and authorisation only.

  • Editing the entities in the LDAP directory through the service is neither possible nor intended. Such configurations are made in cidaas, via the admin dashboard or the cidaas APIs.
  • The cidaas LDAP service does not provide MFA functionality. If MFA is required, it is recommended to replace LDAP in the client and use SAML2 or OpenID Connect.
  • The cidaas LDAP service offers entity search for the objects “user” and “group”.
  • No cidaas-specific LDAP schema can be retrieved; a generic schema is supported.

05 Suggestions: Replacing LDAP Services

In the enterprise, the replacement of LDAP services should be considered for several reasons:

  • Because of the weak authentication mechanism,
  • Because of the lack of integration possibilities with cloud software solutions,
  • Because of the suboptimal use in environments where work-from-home or mobile working is realised, as VPN networks are always necessary in these cases, and
  • Because other possible uses of LDAP, e.g., device management or domain administration, have long since been taken over by more powerful device management solutions.

The use of cidaas replaces LDAP-based authentication. However, the cidaas LDAP service is suitable as a quick win so that systems can continue to be used in compatibility mode.

Retrospect: What Happened in Identity Management in 2020

We have reviewed the year 2020 for you and had a look at the most significant developments of the last year.

Identity management has been changing drastically for several years due to digitalization and a rapid increase in the number of digital services. There are constant innovations, ideas and new developments in this area to delight users with more convenience, to protect them and the systems more effectively, and occasionally a development driven by market forces as well.

However, especially in the last year, with the beginning of the pandemic, digital services gained enormous relevance in order to continue to reach the customer. But topics such as data protection were also very much on the agenda.

A short recap: Identity and Access Management is used in the enterprise environment as well as in the customer environment. It delivers convenience with features like single sign-on and passwordless authentication, as well as federated identity and security through multi-factor authentication or fine-grained rights, role, and group management.

Let’s start our journey with 2020 and what impact it had on Identity Access Management.

  • February 2020
    Farewell to password change constraints
    The BSI is revising the IT Baseline Protection Compendium and saying goodbye to the recommendation to change passwords regularly. Simultaneously, it removes the requirement for fixed rules for password length and complexity as well.
  • March 2020
    Apple’s ID and iOS 13 SDK become mandatory.
    Apple has warned that from the end of April it will only accept iPhone apps and updates created with the latest SDK. “Sign in with Apple” is also mandatory.
    “Sign in with Apple” has simplified the process of creating new accounts; on Apple devices, biometric authentication is sufficient. No new passwords or confirmation emails need to be assigned, and there’s no need to share your email address. Apple emphasizes that no data is collected for tracking or profiling by using the service.
  • June 2020
    Safari supports WebAuthn
    Login without password: Apple brings Face ID and Touch ID to the web. iPhone, iPad and Mac users will be able to log in to web services via biometrics in the future. The FIDO Alliance hopes for a quick rollout.
  • July 2020

    GitHub has announced that it will rely entirely on token-based authentication in the future. From November onwards at the latest, it will no longer be possible to log in to the REST API with a name and password. Probably starting in summer 2021, developers will need tokens for all GitHub actions that require authentication.


    Joining the Alliance for Cybersecurity
    cidaas has joined the Alliance for Cybersecurity as a member! Since mid of July cidaas is part of the Alliance for Cybersecurity.

    cidaas in the OpenID Foundation!
    cidaas joins the OpenID Foundation as a Corporate Member, giving it the opportunity to influence the future of identity management and help shape specifications as a member of one of the leading organizations.
  • September 2020

    The European Cyber Security Month (ECSM) of the European Union Agency for Cybersecurity (ENISA) took place again.
    ECSM offered many activities to inform citizens and organizations about current risks and about measures in the fight against cybercrime. cidaas participated with a free webinar on Smart MFA: multi-factor authentication with convenience and security.

  • November 2020

    cidaas launches “Bye bye password initiative!”
    As part of the initiative “Bye bye password! The Future of Login,” cidaas is launching a passwordless authentication initiative. The campaign page is available at www.tschuesspasswort.de.

The future of the energy sector – Single Sign On & Identity Management for private households

Smart grid, e-mobility, smart home, intelligent and connected devices: these disruptive developments are changing the energy sector and demand the transformation from a pure energy supplier into an energy service provider. Increasing digitalization has added new, hybrid services that complement the classic offerings of the energy service provider, whether e-scooters, smart metering or e-charging stations.

In particular, the service offering in combination with the customer experience is crucial, and the management of customer and user identities becomes an important factor. In this blog, we walk through the customer journey from the perspective of a private household.

2020 with my partner and service provider – the municipal utility “FaWi”.

“My alarm clock rings, it’s 7 a.m. … – ‘Alexa, snooze 10 minutes’ – I repeat the whole thing 3 times and end up getting up at 7:30. My wife stays in bed for a while – it’s nice to have a day off! Now it’s off to the kitchen for some muesli and coffee for the perfect start to the day. The coffee machine starts automatically – and I set the table. – Alexa, start my day’ – ‘Good morning – you’re ready to go – your Tesla, iPhone, and Apple Watch are charged – I’ll wake the kids at 8 a.m. – today will be a sunny day good for you and your solar system – PS: great CO2 balance’.

I still have to do my tax return today – I must not forget – ‘Alexa, remind me to do my tax return at noon today’ – ‘I’ll remind you to do your tax return at 2 pm’.

Oh! 8 o’clock already – the children’s doorbell rings – let us go to breakfast at 9 o’clock, they have to be at the nursery and I should have had a shower long ago!

Children in the daycare center – Check!

Daily stand up with the team – check!

Now, quickly log in to the customer portal of the municipal utility FaWi and save the annual statement and tax documents – login via TouchID on my MacBook – cool – check!

Reminder – Tomorrow – the birthday of my sweetheart! – Oh no! I urgently need a gift.

Off to town – quickly search for an e-Scooter via the e-Power app of the FaWi public utility company. – Found it and off we go!

What am I going to get for her? *Despair*

New shoes? – no, she just bought them yesterday with her friend.

Jewelry? – I give it to her every year.

Holiday? – maybe after Corona.

Headphones – great – she loves audiobooks!

Do I need anything else?! – A quick visit to the office of the Stadtwerke FaWi – some information for an energy consultation – there is still room for improvement in our electricity consumption *smile*

Registration at the office via NFC – much better than pulling numbers.

Push message on the smartphone – Mr. Müller is looking forward to seeing you in meeting room 2 – with directions – they probably still remember my last tour through the office *smile*.

I also know Mr. Müller from the last consultation on our solar system – he seemed very competent to me.

Nice welcome – he already had all the documents ready for me – the registration via NFC is a really good thing – the recognition of me at all touchpoints – whether digital or analog – really makes things easier.

After the conversation, back to work with a few good ideas for the new year!

Mr. Müller provides me more information in my personal group area of the FaWi municipal utility. This way, my wife also has immediate access to the information via the app or the customer portal.

6 pm – I stop by the supermarket and pick up some drinks and snacks for the drive to my parents-in-law’s house tonight. And I’d better recharge the car for the long drive.

e-Charging station from Stadtwerke FaWi – automatic debit via my customer account – great!

Then at the checkout, the push message from the e-Power app – Your car is fully charged. Have a good trip! – I open the notification and see €7.30.

Rush home, round up the family, and off we go on our trip! – I will do the tax return tomorrow.

Public utilities and energy providers play a pivotal role in our daily lives! If you manage to further develop this central position and pick up the customers and users – to recognize and authenticate them at the digital and analog touchpoints – you can create a great customer experience!

The Psychology of Password Allocation

Brute-force attacks are among the most frequently experienced attacks and can cause major reputational damage in addition to financial damage. Those who used to fly under the radar must now expect attacks of various kinds. For quite some time, criminals have no longer been after the big companies alone but exploit the attack surface of every company. It is essential to be prepared.

A brute-force attack attempts to gain access to an account by trying different username and password combinations, much as someone turns the wheels of a combination lock and tries one number combination after another until the lock opens.

Whereas the wheels of the combination lock are turned by hand, a computer does the work in a brute-force attack. At more than 10,000 password attempts per second, the attacker can hammer the login form and attempt a so-called account takeover.

The logic behind the password strength

A password consisting of 6 lower-case letters of the German alphabet allows 308,915,776 possible combinations.

This is calculated from the number of usable letters, 26 once ä, ö, ü and ß are excluded, raised to the power of the password length, 6: 26^6 = 308,915,776.

Assuming 1,000 attempts per second, the whole space is exhausted in roughly three and a half days, so the password is guaranteed to be found within that time, and on average in half of it.

This is supposed to be improved by password guidelines or password policies, which then demand 12 characters, upper and lower case letters, and at least one special character.

This increases the number of possible characters from 26 to 72 (26 lower-case letters, 26 upper-case letters, 10 digits and 10 special characters) and the exponent from 6 to 12, so that 72^12 = 19,408,409,961,765,342,806,016 passwords are possible. At the same 1,000 attempts per second, an exhaustive search would take 615,436,642,623 years.

That result is quite impressive.

Why are Bruteforce attacks impossible to defeat despite password policies

In IT one would say a layer 8 problem – this means the person in front of the screen.

The evolution of mankind is impressive so that today we speak of modern man. Unfortunately, we still have a big problem with remembering passwords.

The assumption behind the many different password combinations and the solution space is that a random combination of characters is chosen.

The human factor: The psychology of password assignment and password remembering

To make life a little easier, we tend to use patterns and apply some logic to our passwords. These patterns can be modelled, and the solution space shrinks considerably once different probabilities are assigned to the combinations. For example, a word is taken from the Duden, an E is converted to a 3, and a combination of special characters and numbers is appended at the end.

It becomes even simpler when password guidelines are interpreted loosely, and particularly when users reuse the same password or choose one of the most popular passwords. For the latter there are many lists and statistics, which show that passwords such as 123456 are still used by up to 10% of users on some platforms.

This makes it very easy for an attacker to gain access to accounts. A few more patterns in how passwords are chosen and remembered have been identified. Various psychological studies have dealt with these questions and, among other things, identified a connection to natural language. Concretely, the connection is which letters usually or very often follow one another. The frequency with which one letter follows another is known as a bigram. TU Freiberg has published a statistic on this subject, which shows the ten most frequent double letters and the eighteen most frequent bigrams, among which ER, EN and CH are the top three candidates in German, as well as further analyses of English language use.

To the single sign on in 30 minutes

Reading time approx. 5 minutes

Due to the growing number of digital services in the enterprise as well as in the customer environment, Single Sign-On has become increasingly important. On the one hand, it is an essential element for more user comfort and a smooth journey; on the other hand, it improves security. Identity and Access Management plays a central role in realizing Single Sign-On.

Where do cloud identity and access management help?

A cloud identity and access management supports the management of the various stakeholders, starting with employees, customers and partners. Stakeholders are not only individuals: in the case of customers and partners they can also be organisations, which in turn may be structured in hierarchies. An Identity and Access Management system must be capable of representing all of this.

Internal/Enterprise IAM: The management of employees is becoming increasingly complex due to the numerous digital channels. For a long time, companies have therefore used a so-called IAM or IDM. In particular, the mapping of the authorization plays an essential role in implementing access restrictions, segregation of duty and thus the authorization concept. Both onboarding and further needs-based allocation of rights must be implemented efficiently, transparently and quickly. The requirements and processes vary greatly depending on the industry, organization and department. An IAM must therefore be able to cover the individual needs of a company to enable a clear, secure and efficient implementation of the authorization concept.

Customer IAM: Digital services are almost springing up out of the ground, particularly in the end customer environment. In every industry, in the B2B as well as the B2C environment, they will become an essential component, a decision criterion, in order to get to know customers better, to work together more easily, to inspire customers and partners and thus also to retain them in the long term.

Customer-facing systems can usually be separated cleanly from internal systems. The customer channels are the communication channels provided to customers in order to offer new services. Then there are the systems used mainly internally, within the company, such as the CRM, the ERP system, time recording and so on, to which only employees have access. Employees frequently need access to the customer channels as well, and partners are the extreme case: depending on their task, they move between the customer channels and the internal systems. Group management is therefore necessary.

To the single sign on in 30 minutes

With an Identity and Access Management such as cidaas, you create one identity per user across all channels and applications in a company, such as CRM, ERP and office systems, and thus introduce Single Sign-On.

And for the customer area, the registration and authentication of the customer are carried out via Identity and Access Management. This enables you to recognize your customers via the various digital services such as cloud services, web services, shop systems, etc., know where they move, which channels they use and can offer them not only convenience but also exceptional, individual customer experiences.

Procedure of a Single Sign-On:

The de facto standards in the identity environment are OpenID Connect and OAuth 2.0; these are the newer standards. SAML, especially in its SAML 2.0 version, is the older standard, which is nevertheless still supported by many systems, especially in the internal environment. These standards are used to integrate an identity management system and to implement Single Sign-On.

  1. Calling domain 1: this could be a shop system, for example.
  2. Domain 1 determines that a login is required and redirects the browser to cidaas.
  3. The user logs in at cidaas.
  4. cidaas stores the session in a cookie in the browser, together with further information used to detect bot attacks and fraud attempts.
  5. The browser is redirected back to the shop system with the issued token.
  6. The shop system validates the token and authenticates the user with it; use of the shop system can now take place.
  7. The shop system can then store its own session information in the domain 1 cookie.
Single Sign-On is characterised by the fact that the same authentication mechanism is used on the various domains, and also that the user remains logged in across all channels:
  1. The user switches to the website in domain 2.
  2. A login is required here as well, so the browser is redirected to cidaas.
  3. Because the user already has a session with cidaas, no further login is needed: cidaas redirects straight back to the website with a newly issued token.
  4. The web page validates the token and authenticates the user. Information such as first name and surname can be contained in this token.
  5. Further information can be stored in the domain 2 cookie.

Single Sign On - Process

To see these possibilities and Single Sign-On in practice, you can carry out the integration based on OpenID Connect by following these steps.

Here you can see and test how the integration works based on the SAML standard.
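The relying-party side of the OpenID Connect flow described in the steps above, as an added example that is not part of the original post and not cidaas code: building the redirect to the identity provider (step 2) with state, nonce and PKCE, checking the callback (step 5), and validating the ID token before trusting it (step 6). The issuer, client ID and redirect URI are placeholders. So that the example runs offline, the token is signed with HS256 and a shared secret by a stand-in for the provider’s token endpoint; real providers sign ID tokens asymmetrically (typically RS256) with keys published at the jwks_uri, so in production replace verify_signature() with a JWKS lookup through a maintained JWT library. The claim checks that follow it are the same either way, and they are what turns “a token arrived” into “this user is authenticated for this client”.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders for the relying party registered at the identity provider (assumptions).
ISSUER = "https://idp.example.com"
CLIENT_ID = "shop-domain-1"
REDIRECT_URI = "https://shop.example.com/callback"
CLOCK_SKEW = 60   # seconds of tolerance for exp/iat


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def begin_login() -> Tuple[str, Dict[str, str]]:
    """Step 2: domain 1 needs a login and redirects to the IdP.
    Returns the redirect URL and the values the RP must keep in its server-side session."""
    state = b64url(secrets.token_bytes(16))
    nonce = b64url(secrets.token_bytes(16))
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email", "state": state, "nonce": nonce,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return f"{ISSUER}/authz?{urlencode(params)}", {"state": state, "nonce": nonce, "code_verifier": verifier}


def check_callback(callback_url: str, session: Dict[str, str]) -> str:
    """Step 5: the browser comes back with code and state; accept only a response tied to our session."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: possible CSRF or session mix-up")
    if "code" not in qs:
        raise ValueError("no authorization code in callback")
    return qs["code"][0]   # exchanged at the token endpoint together with session["code_verifier"]


def verify_signature(id_token: str, secret: bytes) -> Dict:
    """HS256 check used here so the example runs offline; production RPs verify RS256 against the jwks_uri."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def validate_id_token(id_token: str, secret: bytes, session: Dict[str, str],
                      now: Optional[float] = None) -> Dict:
    """Step 6: the token authenticates the user only if it is ours, unexpired and bound to our nonce."""
    claims = verify_signature(id_token, secret)
    now = time.time() if now is None else now
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if CLIENT_ID not in audiences:
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) + CLOCK_SKEW < now:
        raise ValueError("token expired")
    if claims.get("iat", 0) - CLOCK_SKEW > now:
        raise ValueError("token issued in the future")
    if claims.get("nonce") != session["nonce"]:
        raise ValueError("nonce mismatch: token not from this login attempt")
    return claims


def mint_test_token(secret: bytes, nonce: str, now: float, **overrides) -> str:
    """Stand-in for the IdP's token endpoint so the flow can be exercised offline (constructed data)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID, "iat": int(now), "exp": int(now) + 300,
              "nonce": nonce, "given_name": "Max", "family_name": "Mustermann"}
    claims.update(overrides)
    signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(signature)}"


def run_flow(now: Optional[float] = None) -> Dict:
    """Whole round trip for domain 1 with a constructed callback; returns the validated claims."""
    secret = secrets.token_bytes(32)
    now = time.time() if now is None else now
    redirect_url, session = begin_login()
    callback = f"{REDIRECT_URI}?{urlencode({'code': 'constructed-code', 'state': session['state']})}"
    check_callback(callback, session)
    id_token = mint_test_token(secret, session["nonce"], now)
    return validate_id_token(id_token, secret, session, now)


if __name__ == "__main__":
    print(json.dumps(run_flow(), indent=2))
```

The second domain in the text repeats begin_login() and validate_id_token() with its own client ID, state and nonce; what it does not repeat is the user’s login, because the session cookie on the cidaas domain lets the provider answer the second authorization request immediately. Note that state, nonce and code_verifier live in the relying party’s server-side session, never in the URL the user can tamper with.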

8 years in FIDO – What has happened so far

FIDO2 heralds a new age of Universal Authentication.

For several reasons, logging in to a website with a username and password is not the ideal method of authentication. On the one hand, the number of applications a person uses is constantly increasing. On the other hand, credentials are increasingly at risk as cybercrime becomes more sophisticated and technologically advanced. Targeted brute-force attacks and seemingly harmless phishing emails have become so common that users often do not even notice that their credentials have been compromised.

  • 2009

    Validity Sensors and PayPal discussed using biometrics to identify online users instead of passwords. The discussion sparked the idea of working on an industry standard based on public-key cryptography that would allow passwordless login with purely local authentication.

  • 2012

    The FIDO Alliance was founded by PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon and Agnitio. Development of a passwordless authentication protocol began.

  • 2013

    Major Internet companies, system integrators and security providers joined to form the FIDO (Fast IDentity Online) Alliance, aiming to revolutionise online authentication with an industry-supported, standards-based open protocol. The Alliance was publicly launched in California.

  • 2014

    The comprehensive passwordless protocol FIDO v1.0 (FIDO Universal Authentication Framework, FIDO UAF) and the second-factor protocol (FIDO Universal 2nd Factor, FIDO U2F) were completed and released at the same time. The production launch of fully compliant FIDO v1.0 devices and servers began.

  • 2015

    cidaas, the modern Cloud Identity and Access Management solution, was created: Widas ID started the development of cidaas. With the best user experience in mind, cidaas added versatile, convenient and secure authentication methods.

    In a pluggable approach, cidaas offers, for example, biometric methods such as Touch ID or WebAuthn, one-time passwords and many more. Customers can easily add and offer new methods.

    With the “Software Hosted in Germany” seal and ISO 27001 certification, cidaas complies with the highest data protection and security standards.

  • 2016

    The World Wide Web Consortium (W3C) launched a new standards project for web authentication based on the FIDO 2.0 Web APIs proposed by the Alliance. The goal of the FIDO Alliance in this work, called FIDO2, was to standardise strong FIDO authentication across all web browsers and the associated web platform infrastructure together with the W3C.

  • 2017

    The FIDO Europe Working Group (FEWG) was established.

    With support in Google Chrome, Microsoft Edge and Mozilla Firefox, the FIDO2 project heralds a new era of ubiquitous, phishing-resistant, strong authentication to protect Internet users worldwide.

  • 2018

    cidaas announced support for FIDO2. Since then it has been possible to experience FIDO2 and WebAuthn live at https://cidaas-in-action.cidaas.de/demo-site/demo and to test the new user experience.

  • 2020

    Apple extends FIDO authentication support in Safari to iOS 14, macOS Big Sur and iPadOS 14, enabling users to log in to websites with FIDO using Apple’s Face ID and Touch ID biometric authentication.

    To learn more about cidaas, its key features and the various passwordless authentication methods, please visit https://www.tschuesspasswort.de.

The Digital Pioneers Conference – Digitisation on the rise – 5 wonderful years of cidaas

On Friday (13.11.2020) the first Digital Pioneers Conference, organised by esentri AG, was held, and we were there. In this blog, we look back at the event and its various impulses.

What does the Digital Pioneers Conference stand for? “With the Digital Pioneers we look behind the scenes of successful digitization projects and learn from courageous personalities who have shaped their own future. The audience can look forward to inspiring keynote speakers, interesting project stories, tech talk, and the extraordinary atmosphere of a hybrid conference!”

The topics and contents of the conference were very diverse. Leander Govinda Greitemann opened the conference with a keynote on the pioneering spirit, supported by exciting stories. Robert Szilinski then took up the pioneering spirit in his slot and declared war on pessimism. Throughout the day there were many exciting presentations on successful digitization projects, on new and changing business models, and on the culture needed for a sustainable digital transformation, and there was also no shortage of outlooks on technological advances such as quantum computing. In summary, the diversity of the conference was a key success factor, because the ideas and challenges in digitization are as diverse as the presentations were. Digitization is not driven by technology alone but by the combination of many impulses: technology is an enabler, while business culture, ideas and concepts are the drivers of development.

We were pleased to take the opportunity to play our part in the conference. Based on the quotation from Raumschiff Enterprise, “Identity – infinite vastness. It is the year 2020”, we recalled how we started to think the world differently five years ago when we began with cidaas, our Cloud Identity & Access Management. A lot has happened in those 5 years, which became clear to us once again while preparing for the conference. Only recently we summarised the history of the FIDO Alliance and the FIDO2 standard in a blog (8 years of FIDO – What has happened so far). We have supported FIDO2 in cidaas since 2018; broad adoption, however, has been a long time coming, not least because support on Apple devices only arrived recently. In our presentation, we took a closer look at these and other highlights from 5 years of cidaas, because: “On our journey through the galaxies of our customers we have mastered different requirements. However, we have also dodged the odd meteorite or two in our continuous efforts to push cidaas forward.”

At this point we would like to thank esentri for the great organisational work. The conference was planned wonderfully, with two stages and the opportunity to network, and although attending in person was not possible during Corona, it still had a personal touch.

We are looking forward to 2021!