GERMAN FEDERAL AGENCY
How one German Federal Agency has killed the password and improved security and user experience by moving to strong passwordless authentication.
A German Federal Institute, which forms part of a collection of federal agencies consulting the German national government, recognised the need to evolve its workforce authentication. The organisation had identified its password-based approach as a low-security solution that was delivering a poor user experience for its employees. A strong multi-factor authentication solution was required, as the organisation looked to ensure its employees could access government systems simply and securely.
THE CHALLENGE
With login and passwords still in use, the agency recognised that there was a need to step up the organisation’s security and provide a better system for its IT teams and employees.
Strong two-factor authentication (2FA) using the cryptographic security of public key infrastructure (PKI) was identified as the most secure solution. As a proven technology that is simple to use and familiar to employees, smart cards were the form factor on which the agency wanted its 2FA to be based. This meant employees would log in to an IT system using a combination of their credentialed smart card plus a PIN.
The federal agency was looking for an on-premises solution that would sit within its existing Windows Server network and enable its IT teams to issue digital identities to employees’ smart cards, set user policies, manage the X.509 certificates and integrate with the agency’s Microsoft Active Directory. A software solution that would integrate with the internal Microsoft PKI certificate authority (CA) was essential, as was the scope for employees to self-serve when reactivating a blocked smart card or setting up a new smart card for use.
In addition, the agency required installation on-site by a German-speaker.
THE SOLUTION
CRYPTAS Deutschland GmbH was the organisation chosen to deliver the 2FA strong authentication solution. The CRYPTAS solution combined TicTok smart cards, giving employees crypto-backed authentication to IT resources, with a feature-rich credential management solution, Intercede’s MyID, for issuing and managing digital identities across the agency’s employees. MyID also gave the organisation’s IT teams a user-friendly way to manage the 2FA deployment, and gave employees self-service options to manage their own smart cards.
In line with the agency’s requirements, MyID was installed on-premises by CRYPTAS on the existing Windows Server 2019, providing a fully functional credential management system for the agency with no connection to any cloud services and no requirement for permanent internet connectivity.
Compliance with IT-Grundschutz within the agency’s IT network was achieved using the Microsoft AppLocker service. The administration of all agency computers and user accounts takes place in a Windows domain, using Active Directory (AD). The configuration of MyID ensures that AD information is usable within the credential management system, with AD accessed via LDAPS.
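As an added example (not code from the page, CRYPTAS or Intercede), the following PowerShell check, run on a domain-joined workstation with the RSAT ActiveDirectory module, confirms that an issued smart card certificate carries the Smart Card Logon EKU and a UPN matching the AD account, that its chain verifies to the trusted (internal) CA, and that the domain controller listens on the LDAPS port. The domain controller name is a placeholder.

```powershell
# Added example: verify the prerequisites for smart card logon against AD.
# 'dc01.agency.example' is a placeholder for the agency's domain controller.
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU
$DomainController  = 'dc01.agency.example'

# Candidate logon certificates: private key present and Smart Card Logon EKU set.
$certs = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonOid) }
if (-not $certs) {
    throw 'No certificate with a private key and the Smart Card Logon EKU was found.'
}

# The UPN the domain expects for this user; the certificate SAN must carry the same value.
$expectedUpn = (Get-ADUser -Identity $env:USERNAME -Properties UserPrincipalName).UserPrincipalName

foreach ($c in $certs) {
    $sanExt = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    $upn = $null
    if ($sanExt -and ($sanExt.Format($true) -match 'Principal Name=(\S+)')) {
        $upn = $Matches[1]
    }
    [pscustomobject]@{
        Thumbprint    = $c.Thumbprint
        Issuer        = $c.Issuer
        ChainValid    = $c.Verify()     # builds the chain and checks trust and revocation
        NotAfter      = $c.NotAfter
        HasClientAuth = ($c.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid)
        UpnInSan      = $upn
        UpnMatchesAD  = ($null -ne $upn -and $upn -eq $expectedUpn)
    }
}

# MyID reaches AD over LDAPS, so the DC must accept TCP connections on port 636.
$tnc = Test-NetConnection -ComputerName $DomainController -Port 636
if (-not $tnc.TcpTestSucceeded) {
    Write-Warning "LDAPS port 636 is not reachable on $DomainController"
}
```

A certificate whose ChainValid is false or whose UpnMatchesAD is false will be rejected at logon, so both columns should be true for the card a user is expected to sign in with.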
The self-service elements of MyID ensure that agency employees have the ability to reactivate their smart card should it become blocked. Employees are also able to update existing smart cards and can only see features within MyID that they are able to use.
CRYPTAS delivered the integration and TicTok card setup on time at the agency’s base, all managed on-site by CRYPTAS’ native German-speaking team from its Düsseldorf office.