IT security needs more than one factor
Multifactor authentication is coming
A single compromised account can give attackers access to an entire organization's files. It is therefore more important than ever to put online security first. In the private sphere, it's a nightmare: criminals have hacked your passwords and are sending offensive messages from your account, deleting vacation pictures from Dropbox or shopping at your expense!
Multi-factor authentication, also known as MFA, increases account protection because it requires one or more additional proofs of identity after logging in with a user name and password.
Multi-factor authentication verifies a user's identity based on a specific set of characteristics. The most comprehensive way to explain them is as follows:
- Knowledge: security measures that are known only to the user. This includes, for example, classic passwords or PIN codes.
- Possession: Security based on something the user possesses, such as a bank card, electronic ID card or an app for authentication.
- Inherence: Security in connection with characteristics that the person has. Such characteristics are biometric features such as fingerprints or patterns of the retina in the eye. Facial recognition methods also fall into this group.
- Location: Authentication based on geographical areas derived from internet protocol addresses.
This may sound cumbersome, but it is not, as multi-factor authentication has been in use for years: At ATMs, for example, you not only have to insert your card, but also enter your personal PIN. In online banking, it is common practice to additionally authorize transfers using an app. The same applies if you pay with a cash card at the supermarket checkout. Even when paying with a cell phone, it must first be unlocked. Some procedures also combine several factors. For example, with the online ID function of the ID card, the "possession of chip card" factor can only be used together with the "knowledge of PIN" factor.
Multifactor authentication already protects us privately in many areas against various types of cyber attacks (e.g. phishing, brute force attacks or man-in-the-middle attacks). By using MFA, users have to provide additional information or characteristics to gain access to an account. Even if attackers manage to steal passwords, it is unlikely that they will also be able to steal or compromise the additional authentication factors required for MFA.
A real-life example: You frequently order from Amazon. You use an e-mail address and a password for authorization. MFA is not used. By chance, you receive an e-mail asking you to enter your access data, and you comply. The attacker can now log in with your access data and shop at your expense. However, the attacker may also have stolen your access data for your e-mail account. This allows the attacker to use the forgotten password function on Amazon and gain access to all services where you are logged in with your e-mail address. You can use one or more factors to protect your accounts against identity theft.
Common authentication methods are
- Codes sent by e-mail or SMS
The user receives an e-mail or SMS message that either contains a link to a verification page or displays a one-time code. This code must be entered before the user can log in to their account. Email and SMS are considered insecure, so these options are not available.
- Biometric authentication
This type of authentication uses biometric data to recognize and identify a user based on physical characteristics. This includes methods such as fingerprint scans, facial recognition, iris scans and voice recognition. An example of biometric authentication is Face ID on Apple devices or Windows Hello.
- Authentication apps (recommended)
Authentication apps generate single-use codes that are used to verify a user's identity. These are time-limited 6-digit codes or push notifications to be confirmed. Common authentication applications include Google Authenticator and Microsoft Authenticator. Keeper also functions as an authentication app. Microsoft Authenticator is able to receive push notifications.
- Location
Within the MHH location, the use of a PC that is not connected to the WLAN is also considered a trusted factor. This includes stationary computers or wired systems.
Which services at the MHH are covered by the additional method?
In future, external access to your emails via https://webmail.mh-hannover.de will be secured by an additional numerical code (OTP). If you have already done this for external access via https://citrix.mh-hannover.de, you do not need to do anything else and can also use the same code for webmail.
Multi-factor authentication for webmail can be set up via the website otp.mh-hannover.de
Maintaining the second factor works similarly to the "SAP Password Reset", via the "Matrix Self Service Portal" and "Reset OTP for Citrix/Webmail".
You can already test webmail access with the second factor at https://cag.mh-hannover.de.
Which services are secured?
- Citrix
- Webmail.mh-hannover.de
Secure resource access through multi-factor authentication
- Setting up an additional factor with MS Authenticator (recommended)
- Setting up another factor with an alternative authenticator
Which services are secured?
- All Microsoft 365 services e.g. MS Teams
Which additional services can I use?
- Resetting the domain password in Self Service
- Access to the mail quarantine