Blog, Blog EN

The Psychology of Password Allocation

Brute-force attacks are frequently experienced attacks that can cause major reputational damage in addition to financial damage. Those who used to fly under the radar now have to expect attacks of various kinds. For quite some time now, criminals have no longer been after the big companies alone; they exploit the attack surface of every company. It is essential to be prepared.

Brute-force attacks attempt to gain access to an account by trying different username-password combinations. It is as if someone turned the wheels of a combination lock and tried out the most varied number combinations until the lock opened.

Whereas a combination lock has to be turned by hand, a computer does this work in a brute-force attack: at more than 10,000 password combinations per second, the attacker can hammer the login mask and attempt a so-called account takeover.

The logic behind the password strength

A password consisting of 6 lower-case letters of the German alphabet gives 308,915,776 possible combinations.

This is calculated by determining the number of letters of the alphabet that can be used without ä, ö, ü and ß, which in this case is 26, and raising it to the power of 6, the length of the password.

If one assumes 1,000 attempts per second, this entire space of 308,915,776 passwords can be searched in about 3.5 days.

This should be improved by password guidelines or password policies, which then say that 12 characters are required, upper- and lower-case letters must be included and a special character should be used.

This increases the number of possible characters from 26 to 72 and the exponent from 6 to 12, so that 19,408,409,961,765,342,806,016 passwords are possible. At 1,000 attempts per second, exhausting this space would take 615,436,642,623 years.

This result is quite impressive.

Why brute-force attacks cannot be defeated by password policies alone

In IT one would say a layer 8 problem – this means the person in front of the screen.

The evolution of mankind is impressive so that today we speak of modern man. Unfortunately, we still have a big problem with remembering passwords.

The assumption behind the many different password combinations and the solution space is that a random combination of characters is chosen.

The human factor: The psychology of password assignment and password remembering

To make life a little easier, we tend to use patterns and apply logic to our passwords. These patterns can be modelled, and the solution space shrinks considerably once different probabilities are assigned to the combinations. For example, a dictionary word is taken from the Duden, an E is converted to a 3, and a combination of special characters and numbers is appended at the end.

It becomes even simpler when password guidelines are not enforced strictly, and particularly when users reuse the same passwords or choose one of the most popular passwords. For the latter, there are many lists and statistics which show that passwords such as 123456 are still used by up to 10% of users on some platforms.

This makes it very easy for an attacker to gain access to accounts. A few more patterns in password assignment and password remembering behaviour have been identified. Various psychological studies have dealt with these issues and, among other things, identified a connection to natural language. In concrete terms, the connection is which letters usually or very often follow each other. The frequency with which one letter follows another is known as a bigram. The TU Freiberg has published a statistic on this subject, which shows the ten most frequent double letters and the eighteen most frequent bigrams, among which ER, EN and CH are the top three candidates in German, as well as further analyses of English language use.
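As an added example (not code from the original post), the key-space arithmetic of this section carried through in code, next to a model of how much the space shrinks once a "dictionary word + leetspeak + suffix" pattern is assumed. The dictionary size, the number of leet variants, the word list and the leet map are constructed assumptions for illustration.

```python
# Key-space arithmetic from the text, plus a pattern-shaped space for comparison.
# All functions take the attack rate in guesses per second (1,000 as in the text).
LOWER_DE = 26            # a-z without ä, ö, ü and ß
POLICY_ALPHABET = 72     # upper + lower + digits + special characters, as in the text
RATE_PER_SECOND = 1000

def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords if every character were chosen uniformly at random."""
    return alphabet_size ** length

def seconds_to_exhaust(space: int, rate: int = RATE_PER_SECOND) -> int:
    """Whole seconds needed to try every password in the space at the given rate."""
    return space // rate

def days_to_exhaust(space: int, rate: int = RATE_PER_SECOND) -> float:
    return seconds_to_exhaust(space, rate) / 86400

def years_to_exhaust(space: int, rate: int = RATE_PER_SECOND) -> int:
    return seconds_to_exhaust(space, rate) // (365 * 86400)

# --- the human factor: a pattern-shaped space instead of a random one ---------
# Assumed model (constructed numbers): one dictionary word, a handful of
# leetspeak variants per word, and a short suffix of digits / special characters.
def pattern_space(dictionary_words: int, leet_variants: int,
                  suffix_alphabet: int, suffix_len: int) -> int:
    """How many passwords the pattern can produce; compare with keyspace()."""
    return dictionary_words * leet_variants * suffix_alphabet ** suffix_len

# Tiny constructed word list standing in for a real dictionary such as the Duden.
WORDS = {"passwort", "sommer", "hallo", "schatz", "fussball"}
# Reverse leet map (constructed): 3->e, 1->i, 0->o, @->a, $->s, 4->a
UNLEET = str.maketrans({"3": "e", "1": "i", "0": "o", "@": "a", "$": "s", "4": "a"})
SUFFIX_CHARS = "0123456789!?#$%&*+-_."

def matches_pattern(password: str, words: set) -> bool:
    """True if the password is 'dictionary word + leet substitutions + suffix'.

    A defender can use such a check to reject policy-compliant but
    pattern-shaped passwords at registration time.
    """
    core = password.rstrip(SUFFIX_CHARS)          # drop the appended digits/specials
    core = core.lower().translate(UNLEET)         # undo the leetspeak substitutions
    return core in words

def summary() -> dict:
    """The two policies from the text next to the (constructed) pattern model."""
    weak = keyspace(LOWER_DE, 6)
    policy = keyspace(POLICY_ALPHABET, 12)
    # 100,000 words x 8 leet variants x 2-character suffix over 20 characters
    patterned = pattern_space(100_000, 8, 20, 2)
    return {
        "6 lower-case letters": (weak, f"{days_to_exhaust(weak):.1f} days"),
        "12 chars, 72-char alphabet": (policy, f"{years_to_exhaust(policy):,} years"),
        "12 chars built by pattern": (patterned, f"{days_to_exhaust(patterned):.1f} days"),
    }

if __name__ == "__main__":
    for label, (space, duration) in summary().items():
        print(f"{label:28s} {space:>30,}  exhausted in {duration}")
    for pw in ("Pa$$w0rt!1", "Sommer2020!", "xq7Lm#pVz2Rt"):
        print(f"{pw:14s} pattern-shaped: {matches_pattern(pw, WORDS)}")
```

Under the constructed assumptions a 12-character, policy-compliant password built by the pattern lives in a space of the same order as 6 random lower-case letters, which is the point of the section.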

To Single Sign-On in 30 minutes

Due to the increasing number of digital services, in the enterprise as well as in the customer environment, Single Sign-On has become increasingly critical. On the one hand, it is an essential element in providing more user comfort and a smooth journey; on the other hand, it serves to improve security. Identity and access management plays a central role in the realization of Single Sign-On.

Where do cloud identity and access management help?

A cloud identity and access management supports the management of the various stakeholders, beginning with employees, customers and partners. This is not just about individuals: in the case of customers and partners, it is obvious that stakeholders can also represent organisations, which in turn can be structured in hierarchies. An Identity and Access Management System must be capable of representing all this.

Internal/Enterprise IAM: The management of employees is becoming increasingly complex due to the numerous digital channels. For a long time, companies have therefore used a so-called IAM or IDM. In particular, the mapping of authorizations plays an essential role in implementing access restrictions, segregation of duties and thus the authorization concept. Both onboarding and the subsequent, needs-based allocation of rights must be implemented efficiently, transparently and quickly. The requirements and processes vary greatly depending on the industry, organization and department. An IAM must therefore be able to cover the individual needs of a company to enable a clear, secure and efficient implementation of the authorization concept.

Customer IAM: Digital services are almost springing up out of the ground, particularly in the end customer environment. In every industry, in the B2B as well as the B2C environment, they will become an essential component, a decision criterion, in order to get to know customers better, to work together more easily, to inspire customers and partners and thus also to retain them in the long term.

Customer-facing systems can usually be separated clearly from internal systems. The customer channels are the communication channels provided to customers to offer new services. Then there are the systems that are mainly used internally, within the company, such as the CRM, the ERP system, time recording etc. Only employees have access to these systems. While employees often also need access to the customer channels, partners are the extreme case: depending on the task, a partner uses both the customer channels and the internal systems. Group management is therefore necessary.

To Single Sign-On in 30 minutes

With Identity and Access Management, such as cidaas, you create an identity of the user across all channels via the applications in a company, such as CRM, ERP, office systems, etc. and thus introduce Single Sign-On.

And for the customer area, the registration and authentication of the customer are carried out via Identity and Access Management. This enables you to recognize your customers via the various digital services such as cloud services, web services, shop systems, etc., know where they move, which channels they use and can offer them not only convenience but also exceptional, individual customer experiences.

Procedure of a Single Sign-On:

The de facto standards in the identity environment are OpenID Connect and OAuth2. These are the newer standards. SAML, especially in the SAML2.0 version, is the older standard, which is nevertheless still followed by many systems, especially in the internal environment. These standards are used to integrate an identity management system and to implement Single Sign-On.

  1. Calling domain 1: This could be a shop system, for example.
  2. Domain 1 says that a login is required here, which initiates the forwarding to cidaas.
  3. In the third step the user logs in.
  4. Cidaas stores the information in the cookie, in the browser storage. Other information is also stored to prevent bot attacks and fraud attempts.
  5. Afterwards the information is forwarded to the shop system.
  6. The shop system can work with the token sent with the order. With it the user can be authenticated and the use of the shop system can take place.
  7. The shop system can then store information in the domain 1 cookie.

Single Sign On is characterised by the fact that the same authentication mechanism can be used on the various domains, but also that the user remains logged in across all channels.

  1. User switches to the website in domain 2.
  2. A login is also required here, so that the forwarding to cidaas takes place.
  3. Whereupon the redirection to the website with the issued token takes place.
  4. The Web page can now use the token and perform authentication. Information such as first name, surname, etc. can then be available in this token.
  5. Further information can be stored in the domain 2 cookie.

Single Sign On - Process

To demonstrate these possibilities and Single Sign On in a practical way, you can easily carry out the integration based on OpenID Connect following these steps.

Here you can see and test how the integration is based on the SAML Standard.
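The two redirect sequences above, simulated end to end as an added example (not cidaas code and not the original post's): the identity provider keeps the SSO session in a cookie on its own domain, hands each relying party a one-time code, and the relying party exchanges it for an ID token whose signature, issuer, audience, nonce and expiry it verifies before reading first name and surname from it. The issuer URL, client ids, test user and the HS256 shared secret are constructed assumptions; a real deployment uses the provider's RS256 keys.

```python
import base64, hashlib, hmac, json, secrets, time

ISSUER = "https://idp.example"            # stands in for the cidaas instance (assumption)
SECRET = b"constructed-shared-secret"     # HS256 for brevity; real IdPs sign with RS256 key pairs

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_jwt(token: str, key: bytes, audience: str, nonce: str) -> dict:
    """Relying-party side: signature, issuer, audience, nonce and expiry must all hold."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != audience:
        raise ValueError("token not issued by our IdP for this client")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (replayed token?)")
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims

class IdP:
    """Identity provider: keeps the SSO session in a cookie on its own domain (step 4)."""
    def __init__(self):
        self.sessions = {}    # sso cookie value -> user profile
        self.codes = {}       # one-time authorization code -> (user, client_id, nonce)
        self.logins = 0       # how often the user actually saw the login mask

    def authorize(self, client_id, nonce, sso_cookie=None, credentials=None):
        if sso_cookie in self.sessions:                  # already logged in: skip step 3
            user = self.sessions[sso_cookie]
        else:
            if credentials != ("alice", "correct-horse"):    # constructed test user
                raise PermissionError("login required")
            self.logins += 1
            user = {"sub": "user-1", "given_name": "Alice", "family_name": "Example"}
            sso_cookie = secrets.token_urlsafe(16)
            self.sessions[sso_cookie] = user
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, client_id, nonce)
        return code, sso_cookie

    def token(self, code, client_id):
        user, cid, nonce = self.codes.pop(code)          # a code is usable exactly once
        if cid != client_id:
            raise PermissionError("code was issued to another client")
        claims = {"iss": ISSUER, "aud": client_id, "nonce": nonce,
                  "exp": int(time.time()) + 300, **user}
        return sign_jwt(claims, SECRET)

def login_on_domain(idp, client_id, browser, credentials=None):
    """One relying party (shop or website) running the redirect flow and storing its own cookie."""
    nonce = secrets.token_urlsafe(8)
    code, sso = idp.authorize(client_id, nonce, browser.get("idp_sso"), credentials)
    browser["idp_sso"] = sso                             # cookie on the IdP's domain
    claims = verify_jwt(idp.token(code, client_id), SECRET, client_id, nonce)
    browser[f"{client_id}_session"] = claims["sub"]      # domain 1 / domain 2 cookie
    return claims

def sso_demo():
    """Domain 1 (shop) logs in with credentials; domain 2 rides on the IdP cookie."""
    idp, browser = IdP(), {}
    shop = login_on_domain(idp, "shop.example", browser, ("alice", "correct-horse"))
    site = login_on_domain(idp, "site.example", browser)     # no credentials needed
    return shop, site, idp.logins, browser
```

The audience check is what keeps a token issued for the shop from being accepted by the second website, and the one-time code is what prevents the same redirect from being replayed.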

8 years in FIDO – What has happened so far

FIDO2 heralds a new age of universal authentication.

For several reasons, logging in to a website with your username and password may not be the ideal method of authentication. On one hand, the number of applications a person uses is constantly increasing. On the other hand, the security of credentials is increasingly at risk as cybercrime becomes more sophisticated and technologically advanced. Targeted brute-force attacks or seemingly harmless phishing attacks via email have become so common that users often do not even notice that their own credentials have been hacked.

  • 2009

    Validity Sensors and PayPal discussed the use of biometrics to authenticate online users instead of passwords. The session stimulated the idea of working on an industry standard based on public key cryptography that would allow password-less login with only local authentication.

  • 2012

    The FIDO Alliance was founded by PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon and Agnitio. The development of a password-less authentication protocol was started.

  • 2013

    Major Internet companies, system integrators and security providers joined to form the FIDO (Fast IDentity Online) Alliance to revolutionise online authentication with an industry-supported, standards-based open protocol. The Alliance was launched in California.

  • 2014

    The comprehensive password-less protocol FIDO v1.0 (called FIDO Universal Authentication Framework – FIDO UAF) and the second-factor protocol (called FIDO Universal 2nd Factor – FIDO U2F) were completed and released at the same time. The production launch of fully compliant FIDO v1.0 devices and servers began.

  • 2015

    cidaas, the modern Cloud Identity and Access Management solution, was created. Widas ID started the development of cidaas. With the best user experience in mind, cidaas added versatile, convenient and secure authentication methods.

    In a pluggable approach, cidaas offers e.g. biometric methods like TouchID or WebAuthn, One-Time Passwords and many more. Customers can easily add and offer new methods.

    With the seal Software hosted in Germany and ISO27001 certification, cidaas complies with the highest data protection and security standards.

  • 2016

    The World Wide Web Consortium (W3C) launched a new standards project for web authentication based on the FIDO 2.0 Web APIs proposed by the Alliance. The aim of the FIDO Alliance in this work, called FIDO2, was to work with the W3C to standardise strong FIDO authentication across all web browsers and the associated web platform infrastructure.

  • 2017

    The FEWG-FIDO Europe Working Group was established.

    Based on Google Chrome, Microsoft Edge and Mozilla Firefox, the FIDO2 project heralds a new era of ubiquitous, phishing-resistant, strong authentication to protect Internet users worldwide.

  • 2018

    cidaas announced support for FIDO2. Since then it has been possible to experience FIDO2 and WebAuthn live on https://cidaas-in-action.cidaas.de/demo-site/demo and to test the new user experience.

  • 2020

    Apple extends FIDO authentication support in Safari to iOS 14, macOS Big Sur and iPadOS 14 and enables users to log in to websites with FIDO using Apple’s Face ID and Touch ID biometric authentication.

    To learn more about cidaas, its key features and the various password-free authentication methods, please visit https://www.tschuesspasswort.de.

The Digital Pioneers Conference – Digitisation on the rise – 5 wonderful years of cidaas

On Friday (13.11.2020) the first Digital Pioneers Conference, organised by esentri AG, was held and we were present there. In this blog, we look back at the event and the various impulses.

What the Digital Pioneers Conference stands for: “With the Digital Pioneers we look behind the scenes of successful digitization projects and learn from courageous personalities who have shaped their own future. The audience can look forward to inspiring keynote speakers, interesting project stories, tech talk, and the extraordinary atmosphere of a hybrid conference!”

The topics and contents of the conference were very diverse. Leander Govinda Greitemann started the conference with a keynote speech about the pioneering spirit and supported his presentation with exciting stories. Robert Szilinski then took up the pioneering spirit in his slot and declared a battle against pessimism. Throughout the day, there were many exciting presentations on successful digitization projects, new and changing business models, and the culture necessary for a sustainable digital transformation, but there was also no shortage of prospects for technological advances such as the quantum computer. In summary, the diversity of the conference was a key success factor, because as diverse as the presentations are, so are the ideas and challenges in digitization. Digitization is not driven by technology, but by the combination of many impulses, with technology also being an enabler, but business culture, ideas, and concepts are the drivers of development.

We were pleased to take the opportunity to play our part in the conference. Based on the quotation from Raumschiff Enterprise: “Identity – infinite vastness. It is the year 2020”, we started to think the world differently five years ago: we started with cidaas, our Cloud Identity & Access Management. A lot has happened in the past 5 years, which we became aware of once again while preparing for the conference. Only recently we summarised the history of the FIDO Alliance and the FIDO2 standard in a blog (8 years of FIDO – What has happened so far). We integrated FIDO2 into cidaas back in 2018, but its wider adoption, especially because of the late availability on Apple platforms, has been a long time coming. In our presentation, we took a closer look at these and other highlights from 5 years of cidaas, because: “On our journey through the galaxies of our customers we have mastered different requirements. However, we have also avoided the odd meteorite or two in our continuous efforts to push cidaas forward”.

At this point we would like to thank esentri for the great organisational work. The conference was planned wonderfully, there were two stages as well as the opportunity to network, and even though a personal visit to the conference was not possible during Corona, it had a personal touch.

We are looking forward to 2021!

Now, FIDO2 is set as standard in Apple Browser

Using TouchID or FaceID to unlock the smartphone is the current standard. In addition to security, it is above all a question of convenience for users to unlock their smartphone quickly and easily using a biometric procedure. Until now this was not possible in the browser of the iPhone. With the new major version of the Apple browser, Safari 14, Apple supports biometric authentication using TouchID and FaceID (device biometrics) via the FIDO2 and WebAuthn standards.

Authentication with a wide variety of platforms, online shops or other digital services via device biometrics is no longer a futuristic dream. Technically, the FIDO2 standard consists of two components, the WebAuthn standard of the World Wide Web Consortium (W3C) and the Client-to-Authenticator Protocol (CTAP) of the FIDO Alliance.

For quite some time now, we have been offering authentication via the FIDO2 standard with our Cloud Identity & Access Management, cidaas, both as two-factor authentication and as password-less authentication. Even though FIDO2 has become more and more popular in recent years, the introduction of any procedure is subject to the limitations that come with it. Although providers such as Google or Microsoft have supported FIDO2 for some time and integrated it into their own platforms, Apple has been a long time in coming: it was not until iOS 13 that FIDO2 support for external authenticators, via NFC, BLE or USB, came to the iPhone. By contrast, Android had already received FIDO2 certification in February 2019.

With the introduction of FIDO2, especially through device biometrics, on the Apple ecosystem, the FIDO Alliance as well as many platform and service providers are now hoping for wider and mainly faster dissemination of FIDO2.

We at cidaas are also strong supporters of FIDO2 and other passwordless authentication methods, as these methods allow us to offer secure as well as convenient authentication on a wide range of channels. More than ever before, the password is the killer of user comfort and security. If you want to know more about passwordless authentication or FIDO2, have a look at www.tschuesspasswort.de, under this slogan we have started an initiative for passwordless authentication.

Experience with the Alliance for Cyber Security

We joined the Alliance for Cyber Security as a member in mid-July and then completed our onboarding as a partner at the end of August. We would like to use this short blog to describe our first experiences with the Alliance for Cyber Security and our partner contributions.

As a short digression, what does the Alliance for Cyber Security do (extract from the ACS website):

“With the Alliance for Cyber Security, founded in 2012, the Federal Office for Information Security (BSI) is pursuing the goal of strengthening Germany’s resistance to cyber-attacks.

Currently, 4548 companies and institutions are members of the initiative – and more participants are joining every day.

IT service and consulting companies, as well as IT manufacturers, are equally represented within the network as user companies of all sizes and industries. This diversity is an important guarantee for a rich exchange of IT expertise and application experience, from which all participants benefit.

148 partners and 99 facilitators are involved in the initiative and thus make a valuable contribution to more cybersecurity in Germany as a business location”.

As a Cloud Identity & Access Management (cidaas) we are predestined for the partner program: we offer an IT security solution and, in this context, deal with the most diverse requirements in this environment daily. Furthermore, we see cidaas as Identity & Access Management as a central component in the digitalization of companies. Combining security with digitization, innovation and ultimately user comfort is one of our goals. To mark this occasion, we designed our first partner contributions for the Alliance for Cyber Security and launched a webinar series that shows how modern authentication can and should be both secure and convenient.

Which topics did we cover in the webinars?

  1. Bruteforce attacks and what can one do against them?
  2. FIDO2 and password less authentication explained simply

Brute force attacks and what can be done about them

Brute-force attacks, in which the attacker tries to gain access by trying or guessing passwords, are one of the most common attack patterns in the digital world and have become a major threat in recent years. This type of attack is not new, but it is now more of a headache than ever, because almost all common approaches to defence bring other problems with them, which can sometimes be more serious for companies than the brute-force attack itself. The classic brute-force defence mechanisms often not only protect against attacks but also lock out real users or massively restrict user comfort. In this webinar, we showed different forms of the brute-force attack and common defence mechanisms, among them classical defence mechanisms, the brute-force protection via device cookies proposed by OWASP, and multi-factor authentication. As a transition to the next webinar, we gave a short outlook on the world after the password.

FIDO2 and password-free authentication explained simply

A world without passwords is the future! In this webinar, we discussed the FIDO2 standard with its protocols WebAuthn (W3C) and Client to Authenticator Protocol (FIDO). We first looked at the current situation regarding passwords and the associated disadvantages and then focused on the technical specification of the FIDO2 standard. Finally, we reported on first experiences and use cases with the FIDO2 standard and other password-less authentication methods. We also showed the transition path by which users can be introduced to password-less authentication, and how cross-device scenarios can be handled.

Let us now look back at our experience:

The participants:

We regularly host webinars, both self-organized and in cooperation with other networks, e.g. now in October during the European Cyber Security Month. As a small side note, we were very sceptical at the beginning whether webinars of our own would be useful and could even achieve the necessary reach. But we are very satisfied with our previous webinars, the number of participants and the feedback. Since our webinars were closed to the Alliance for Cyber Security and only accessible to a limited number of participants, we also expected lower participant numbers. After we had planned the webinars and announced them via the Alliance for Cyber Security, we were surprised how quickly the number of registrations increased, so that these two webinars are among our most visited events.

More importantly, the participants were among the most active we have seen in our webinars so far. We were particularly pleased about this because it is precisely this exchange that makes the Alliance for Cyber Security so valuable!

The cooperation with the colleagues at the Alliance for Cyber Security:
The cooperation was very good. Our enquiry was processed very quickly and together we designed our first partner contributions.

We are already looking forward to our next partner contributions and are pleased that there is such a network organized by the BSI in Germany. Good job!

Why Happiness Team? – The cidaas support

Ever since we launched cidaas a few years ago, we have been developing continuously, both technologically and in terms of organization and processes. And we are constantly working to incorporate the vast experience we gain every day and to implement new ideas.

We would like to highlight a special organizational development in this blog – the Happiness Team.

As a product provider, especially for a Software-as-a-Service cloud service like cidaas, which as Identity & Access Management plays a central role in the digitalization of almost all companies and their IT infrastructure, customer support is very important to us. This has been a matter of course for us from the very beginning, so we have always attached great importance to good and especially fast support. Every developer knows it: when a question comes up, the Internet is consulted, the documentation is checked, and it feels as if you were the only one with this question. Since an answer is essential to get ahead, the support team is contacted.

Waiting for a response for days at a time would be annoying as well as potentially shifting the timeline. It is even worse when there are difficulties in live operation and the cause cannot be found. Undoubtedly a self-explanatory API and detailed yet simple documentation are helpful and necessary. However, reliable, strong and individual setup support is also necessary to enjoy a product. That’s the way it should be!

Happy – that is the most important word! When we sat down for a small workshop a few weeks ago, one of the main topics was how we can further expand the support for our customers. We already rely on many different processes and tools: besides documentation and API descriptions via Postman and Swagger UIs, we offer a support portal, a community platform and a chat. Our support team consists of colleagues from the development and product teams as well as from our management. Each of them looks after specific customers, so our team is always well informed, has a deep knowledge of cidaas and knows the customer’s setup. Through continuous, intensive training, the team is familiar with a wide range of use cases and possible applications and is available to advise our customers. This constellation distinguishes our support from that of many other product manufacturers.

So, what has changed? – We have renamed our Support Team to Happiness Team!

Although this may sound somewhat platitudinous, it expresses the fact that we are not just a pure support team, but it is our mindset and objective to make our customers happy with cidaas.

Learn more about us or meet us personally and contact us here in the chat.
