Workplace Authentication
Gain independence with digital sovereignty

Authentication: the start of almost every digital process

The first operation is authentication

Almost every day, in the home office or at the office, we start our PC. The first thing we do is authenticate ourselves, i.e. log on to the system. To do so, we usually enter a User ID and a password. If these match those stored in the system, access to the system is granted.

But who actually manages this access data?

The operating system manages this data in a more or less transparent manner. As users, we can use the tools provided by the operating system to manage user accounts. Users can also manage their passwords via operating system tools. As a result, no one within an organisation can decrypt the password.

But who has control over it?

The User ID and password are entered in plain text when the user logs in. The operating system, and therefore indirectly the operating system manufacturer, receives this data.

Of course, we assume that the manufacturer handles the login data correctly. And yet, from a technical point of view, it would be possible to transfer this data to another server outside of your own network if the computer were connected to the Internet, for example.

The same applies, of course, not only to desktop operating systems, but also to all types of web services.

3 Options

Various options are available to strengthen our control over authentication.

2-factor authentication

2-factor authentication is often used for access control purposes. This requires a further "factor", such as a PIN, for authentication. In the scenario described above, however, this procedure would not make any difference, since the second factor would also be stored in the system.

Authentication without password

The only solution that could prevent misuse of the credentials would be authentication without a password. If no password is used, it cannot be misused. There are now various options for authentication without a password.

  • Authentication via smart cards
    Authentication via smart cards is possible both on the Windows Desktop and on the Remote Desktop. However, there is currently no standard or implementation for web applications or mobile devices. This approach requires a smart card which must be provided with appropriate keys.
  • Authentication via modern protocols
    For some time now, standard operating systems have also supported authentication via the FIDO2 protocol. This applies both to the local login and via directory services. There are also implementations for almost all browsers, so this option is also suitable for web applications. Mobile devices are also supported.

However, this usually requires a hardware token, e.g. with a USB interface, as well as a one-time registration. Users can set their PIN using the appropriate tools of the token manufacturer.

Authentication via the digital identity card

The digital ID card has been available for a number of years, but up until now has mainly been used for identification. It is estimated that by 2021 there will be over 40 million ID cards with an activated online ID function.

Why the digital ID card?

  • ePerso can be used for authentication AND identification.
  • The authority of the State stands behind ePerso.
  • ePerso requires little administrative effort for an organisation.
  • If ePerso is lost, there is a 24/7 blocking hotline.
  • ePerso guarantees the highest possible security through appropriate certificates, which can only be issued by one authority at present.

The authority of a state and the associated independence and security were decisive in our decision to implement authentication via the electronic identity card in our solution.

In doing so, we want to make our contribution to more digital sovereignty.

Workplace module with electronic identity card