The theft of login data and passwords opens the gates to industrial espionage and criminal activity. Multi-factor authentication bolsters companies' defenses against attacks.
Attacks against corporate networks and companies' IT systems are becoming more frequent. Information that can be exploited, such as customer data and development documents are at particular risk. Multi-factor authentication (MFA) makes it more difficult for unauthorized persons to gain access to virtual targets such as a computer, a network, a database or even access to a company site. CONTACT has now developed an MFA solution for its customers.
MFA represents a multi-level defense strategy against attacks via the Internet. If one factor has been compromised or is faulty, the attacker must overcome at least one additional barrier to be able to penetrate the defenses successfully. To achieve this, MFA solutions combine two or more independent proofs of identity:
- Something the user knows (password)
- Something the user possesses (security token)
- Something the user is (biometric verification)
With these methods, the user needs not only a password but also another proof of identity. This can be an object such as a smartphone, a smartcard or a "token" which ensures personal identification and authentication using a hardware or software component. In the case of biometric verification, a particular human feature such as a fingerprint or the pattern of the iris is checked.
Potential security loopholes
CONTACT analyzed various risk scenarios that facilitate access to internal data. Many large companies use multi-factor authentication to provide secure login to the operating system itself (for instance with a smartcard/PIN and user name/password). In contrast, MFA methods are not widespread among smaller SMEs.
All that visitors, suppliers or, at worst, even colleagues need to do is to look over an employee's shoulder or through an office window to be able to obtain valid login data by watching the screen or keyboard. It becomes even easier to spy out information if people are careless about passwords, i.e. making classic mistakes like sticking a Post-it note with personal access data or the WLAN key onto a PC.
In many customer environments, CIM DATABASE PLM and Project Office application modules and/or the underlying technology platform CONTACT Elements communicate and interact with external systems. One example is the Collaboration Portal, which allows companies to integrate engineering offices, suppliers and clients in their own development processes via the Web. This is another place where MFA methods make eminent sense in order to protect internal know-how.
Time-based one-time passwords
CONTACT has designed its MFA solution on the basis of the same quality criteria as apply to all product development: It is based on internationally proven, open standards, is also suitable for SMEs, is easy to use and can be extended as required.
Three different aspects are distinguished when validating access attempts:
- Who is doing something? (authentication)
- Is the authenticated user permitted to do this? (authorization)
- Does the authenticated user still have sufficient "credit"? (accounting)
CONTACT's multi-factor authentication is aimed at the top level. It provides an authentication plug-in based on the TOTP (Time-based One Time Password) algorithm. This standard was developed by the cross-industry OATH Initiative For Open Authentication  and was published by the IETF Internet Engineering Task Force as RFC 6238 .
In addition to the user name and password, this method also asks for a one-time password that is only valid for 30 seconds. To enter the password, the user makes use of a TOTP-compliant password generator. This soft token is a smartphone app  or a computer application that first exchanges a shared secret with the MFA module of the CONTACT Elements technology platform, e.g. by scanning a QR code, and then using this to derive the one-time passwords on the basis of the current time.
If the TOTP method is used, it is no longer sufficient to spy out and re-use personal login data: Attackers may be able to find out not only the user name and the password but also the currently valid one-time password, but this is of no use to them. One-time passwords immediately become invalid once they have been used or after 30 seconds have elapsed.
At level 2, the authorization level, CONTACT's role and permissions system comes into play. This allows companies to define what data and documents the authenticated user is permitted to access and whether they only have read access or can also edit the information.
CONTACT regards the protection of its customers' sensitive data against unauthorized access, malware and manipulation as a key requirement. An internal security team is responsible for this task and works closely together with product management. The team's job is to observe the market, identify new attack vectors, define security concepts and implement these using state-of-the art technologies. Digital signatures, the security architecture for the Collaboration Portal based on the defense-in-depth principle and the new MFA solution are some recent examples of their work.
Furthermore, we are also launching further security modules to support and secure customers as they implement new business models in the Internet of Things (IoT). In these endeavors, CONTACT relies on cutting-edge technologies: OAuth2 as per RFC 6749 , a protocol that has become established as a standard for authentication and authorization on the Web, and OpenID Connect , which is based on this standard. On the one hand, these methodologies make it possible to integrate CONTACT's IoT applications and CIM DATABASE PLM even more tightly in corporate and cloud security solutions  and, on the other hand, to subdivide access to these systems even more finely.
Your contact person at CONTACT: Michael Schlenker, Senior Software Developer
3 Google Authenticator: https://support.google.com/accounts/answer
6 Azure Active Directory: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-openid-connect-code