HACKER PROTECTION: HOW IT LOGINS MUST BE DONE IN COMPANIES IN 2025

15.11.2024

“123456” is the most commonly used password worldwide. We repeatedly see this or similar passwords during our IT security operations. You don't even need special software to crack a password like this; it falls in seconds. With an account taken over in this way, we regularly gain control of our customers' entire networks during our pentests. This shows how important the topic of authentication is. In this article, we give an overview of the common login procedures and explain which variant we consider secure.

The aim and problem of passwords

The primary goal of a password is to keep unauthorized persons out of a system and to let only authorized users in. Ideally, a password works like a digital key: it protects sensitive information and confirms the user's identity. Unfortunately, passwords have been the standard means of securing digital systems for decades even though they have serious weaknesses. One of the main problems is that many users still choose simple, easily guessed passwords such as “123456” or “password”. But even more complex combinations can be cracked by brute force: the attacker systematically tries password candidates until the right one is found. Against a leaked password hash, cracking software on ordinary graphics cards tests billions of candidates per second for fast hash algorithms such as NTLM, so only length and randomness protect a password. Even complex passwords do not offer complete protection, because many users reuse the same password for several accounts; if one of these accounts is breached, the others are at risk as well. Added to this is phishing: attackers deceive users into revealing their passwords on a fake site. This is a major risk, especially for companies, where the loss of access data can have serious consequences. The IT security world is therefore increasingly working on alternatives, such as biometric authentication or multi-factor authentication (MFA), to raise the level of protection and reduce dependence on passwords alone.

Overview: frequently used login procedures

To better protect corporate data and systems, numerous authentication methods are now available, each with its own advantages and disadvantages.
In the following table, we have created an overview of the login procedures and highlighted the advantages and disadvantages that are relevant in practice.
| Authentication method | Explanation | Advantages | Disadvantages |
|---|---|---|---|
| Password | The user enters a predefined password to log in. | 1. Simple and familiar to users 2. No additional tools required | 1. Insecure with weak passwords 2. Prone to phishing and brute-force attacks 3. If reused, it can be exposed by a breach of another website |
| Two-factor authentication (2FA) | Extends the password with a further, usually time-based, code that is read from and entered via a second device (such as a smartphone). | 1. Higher security through the additional factor; protects against password theft 2. Relatively convenient, as smartphones are widespread | 1. Increases the login effort; can be inconvenient 2. Does not protect against phishing, because the code can be relayed to the real site in real time |
| Multi-factor authentication (MFA) | Combination of two or more authentication factors, e.g. password and SMS code; 2FA is the most common form. | 1. High security through additional factors 2. Protects against password theft | 1. Significantly increases the login effort; can be inconvenient 2. Not phishing-resistant unless a phishing-resistant factor (see passkeys) is used |
| Client certificates | Authentication using a certificate file installed in the browser (example: the Elster tax administration). | 1. No password needs to be memorized 2. Because of the key length, the private key cannot practically be recovered by attacks on observed traffic | 1. The certificate must be issued for and match the server that is to accept it 2. The certificate file can be stolen by an attacker who has access to the device |
| Passkey (FIDO2, token-based authentication) | A credential that only works if the target server knows the passkey and the passkey knows the target server; if either side does not match (as on a phishing site), authentication is technically impossible. The login is confirmed on another device (cell phone, YubiKey, etc.). Many passkey products exist; make sure they have been tested and certified by the FIDO Alliance. The currently recommended method. | 1. Phishing-resistant by design 2. No password to memorize or to leak | 1. Loss of the token can lead to lock-out 2. Additional costs and effort |
| Biometric authentication | Verification by biometric features such as fingerprint, face recognition or iris scan. | 1. Highly secure 2. Difficult to forge 3. Convenient for the user | 1. Expensive hardware required 2. Privacy concerns |
| One-time passwords (OTP) | Short-lived codes that are valid only once, often generated by an app or sent by text message. | 1. Protects against brute force and against reuse of an intercepted code 2. No need for permanent password storage | 1. Dependent on additional hardware or an app 2. Can be impractical 3. Like any other second factor, a code can be phished and relayed |
| Single sign-on (SSO) | A single login grants access to multiple services without re-entering credentials. | 1. Convenient and efficient 2. Reduces password fatigue and simplifies administration | 1. If the central account is compromised, multiple services are affected 2. High setup and maintenance costs |
| Behavior-based authentication | Analysis of typical behavior patterns, e.g. typing speed or location. | 1. Innovative and detects atypical login attempts 2. Convenient for the user | 1. Requires a lot of data analysis 2. Privacy concerns 3. Still not very widespread |

Our recommendation: Passkeys instead of the classic password

Our experience in incident response (supporting customers immediately after a successful attack on their IT infrastructure) over the last few years clearly shows that passwords, even combined with every kind of two-factor authentication, cannot withstand today's automated phishing attacks and are therefore obsolete. Multi-factor authentication still helps against so-called “password breaches” (passwords that are reused and become known through a hack of another system), but it does not withstand a phishing attack in which a proxy site relays the password and the one-time code to the real site in real time. The only thing that offers long-term protection in practice is the phishing-resistant “passkey” procedure. The following diagram shows how a complete authentication scheme should be implemented within an organization, as proposed by Trufflepig.

[Diagram: overview of the login procedure]

When choosing passkeys, make sure they are certified for the “FIDO2” standard (published by the FIDO Alliance and the W3C in 2018; it technically prevents the credential from being used on a third-party website, because the browser binds every login to the domain the passkey was registered for). You can use the FIDO Alliance's public list of certified products to check whether your preferred passkey follows this standard.
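The property described in the table and above, as an added example that is not Trufflepig's code nor that of any library: a Go program that models the three parties of a FIDO2/WebAuthn login, the passkey (authenticator), the browser and the relying party (the server). The RP ID "example.com", the origins "https://login.example.com" and "https://login-example.com", the challenge string and the functions Register, Sign, Verify and Demo are all constructed for this demonstration. Two simplifications: a real authenticator keeps the private key in hardware, and a real browser also consults the public-suffix list when it decides whether an RP ID is valid for an origin.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Credential is what the relying party (server) stores: RP ID, expected login origin, public key.
type Credential struct {
	RPID, Origin string
	Pub          *ecdsa.PublicKey
}

type Passkey struct {
	rpID string // the passkey is scoped to exactly one RP ID
	priv *ecdsa.PrivateKey
}

// clientData mirrors WebAuthn's clientDataJSON; the browser, not the page, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the login response; Signature covers the other two fields.
type Assertion struct {
	AuthData   []byte // SHA-256(rpID) || flags || signature counter
	ClientData []byte // serialised clientData
	Signature  []byte // ES256 (ECDSA P-256) over AuthData || SHA-256(ClientData)
}

// Register creates a passkey bound to rpID and the credential the server keeps.
func Register(rpID, origin string) (*Passkey, *Credential) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand only fails if the OS RNG is broken
	return &Passkey{rpID, priv}, &Credential{rpID, origin, &priv.PublicKey}
}

// rpIDAllowedFor is the browser's rule (simplified): RP ID must equal the origin's host or be a parent domain.
func rpIDAllowedFor(rpID, origin string) bool {
	host := strings.TrimPrefix(origin, "https://")
	return host == rpID || strings.HasSuffix(host, "."+rpID)
}

// Sign is the authenticator step for a page at browserOrigin: sign SHA-256(rpID) plus the browser's client data.
func (p *Passkey) Sign(browserOrigin, challenge string) (Assertion, error) {
	cd, _ := json.Marshal(clientData{"webauthn.get", challenge, browserOrigin})
	rpHash := sha256.Sum256([]byte(p.rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; counter 1
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, p.priv, msg[:])
	return Assertion{authData, cd, sig}, err
}

// Verify is the relying party's check: challenge, origin, RP ID hash, signature.
func Verify(c *Credential, challenge string, a Assertion) error {
	var cd clientData
	if json.Unmarshal(a.ClientData, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("malformed client data or unknown challenge")
	}
	if cd.Origin != c.Origin {
		return fmt.Errorf("origin mismatch: assertion was made for %s", cd.Origin)
	}
	want := sha256.Sum256([]byte(c.RPID))
	if len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], want[:]) {
		return errors.New("rpIdHash does not belong to this relying party")
	}
	cdHash := sha256.Sum256(a.ClientData)
	msg := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(c.Pub, msg[:], a.Signature) {
		return errors.New("invalid signature")
	}
	return nil
}

// Demo: a genuine login, then a phishing page (login-example.com) relaying the real challenge.
func Demo() (legit, browserRefusal, serverRejection error) {
	pk, cred := Register("example.com", "https://login.example.com")
	challenge := "Y2hhbGxlbmdlLWZyb20tc2VydmVy" // constructed server challenge
	a, _ := pk.Sign("https://login.example.com", challenge)
	legit = Verify(cred, challenge, a)
	if !rpIDAllowedFor("example.com", "https://login-example.com") { // the browser stops here ...
		browserRefusal = errors.New("browser refuses: RP ID example.com is not valid for login-example.com")
	}
	forged, _ := pk.Sign("https://login-example.com", challenge) // ... and even a faulty client cannot hide the origin
	serverRejection = Verify(cred, challenge, forged)
	return
}

func main() {
	legit, refused, rejected := Demo()
	fmt.Println("genuine:", legit, "| phishing, browser:", refused, "| phishing, server:", rejected)
}
```

Run it with go run. The genuine login verifies; the phishing page fails twice: the browser refuses to use a passkey registered for example.com on login-example.com, and even a client that skipped that rule would hand the server client data whose signed origin gives the attacker away. That is the “the passkey knows the target page and the target page knows the passkey” property, and it is why relaying the server's challenge does not help the attacker, unlike relaying a TOTP code.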

The problem of insecure log-in to Windows workstations

Many systems (including the log-in to Windows workstations) do not yet fully support passkeys.

[Screenshot: Windows log-in]

In practice this cannot always be avoided, which is why a compromise often has to be made: a classic password. When onboarding new employees, generate a password of at least 32 characters and do not let the end user choose it freely.
Important: The employee only needs this password when setting up a new work device; after that, the password can be forgotten and destroyed. As the next step, we recommend enforcing “Windows Hello” on the workstations. It is an alternative to the classic password login for unlocking a Windows device, and the credential it uses is stored on the device itself. One of the following unlock methods can be selected:

  • Fingerprint
  • Face recognition (only with infrared cameras that have 3D recognition; otherwise a good photo of an employee is enough to unlock the system)
  • PIN (a PIN is not necessarily worse, but make sure that it is blocked after a maximum of 3 incorrect entries and that the employee then has to report to IT)

Advantage of “Windows Hello”: authentication is performed only locally on the device, so the unlock secret cannot be captured remotely or replayed from another machine.

How to log in securely to other systems

There are many different systems in a company that require authentication. The diagram illustrates the options, ranging from secure (centrally manageable, phishing-resistant) to insecure methods. Unfortunately, even today not all systems support the FIDO2 standard, which was published in 2018 and is currently the only widely available phishing-resistant method.

[Chart: secure login thanks to FIDO2]

Globally secure: company-wide login using single sign-on (SSO)

In principle, we recommend implementing an SSO (single sign-on) solution across the company. SSO is an authentication procedure in which users log in once and then gain access to several connected applications or services without having to log in again. This simplifies the login process and saves time, since users need only a single set of credentials (ideally a passkey) to reach all systems they are authorized for. It offers two fundamental advantages:

  • Authentication policies can be set and managed in a central location, with no exceptions to the rule.
  • Onboarding and offboarding are made easier because employees receive access based on their group membership rather than through individually created accounts. For example: in the purchasing department, each employee has an Amazon account that is set up by the department head. If an employee changes departments or leaves the company, disabling this account is often forgotten, which poses a significant security risk. With SSO, the user is removed from the group or disabled, and the authorization to log in to the system (in this case Amazon) is revoked automatically.

[Screenshot: SSO log-in example]

A login via SSO looks like this: in this example, the login is done via Google or Entra ID (Microsoft). Users log in once to the identity provider (e.g. Microsoft) and then access the necessary tools without re-authenticating.

Alternative logins

Authentication via Remote Desktop Protocol

The Remote Desktop Protocol (RDP) was developed by Microsoft and enables a connection from one computer to another computer in the network. Clients from Windows 10 and servers from Windows Server 2022 that are joined to Entra ID (formerly “Azure Active Directory”, Microsoft's directory service in its own cloud) can be configured via group policy (the central administration of settings on Windows devices) so that RDP users log in with a FIDO2 security key. Token2 provides useful instructions on how to set this up.

Authentication via a RADIUS server

RADIUS stands for “Remote Authentication Dial-In User Service”. It is a central authentication server that network components such as VPN gateways, switches and access points query when a client wants to connect. Some corporate networks operate on the zero-trust principle, meaning that no component in the network is trusted until it has authenticated itself. We often see RADIUS servers in practice. The RADIUS server must be configured as the authentication backend not only for the VPN but also for 802.1X port authentication, so that FIDO2 can be enforced for both. Unfortunately, the RADIUS server integrated in Windows (Network Policy Server, NPS) does not currently support passkeys, which is why we recommend a RADIUS server such as FreeRADIUS for this type of authentication.

Websites/tools without SSO

Some sites do not support SSO but do allow passkeys. Sometimes (e.g. for software developers on GitHub) private accounts are used. In this case, the use of FIDO2 should also be required. The problem: since these accounts cannot be managed centrally, revoking access rights after a change of department or after the employee has left the company is often forgotten. This can lead to compliance violations or to subsequent attacks on your company if access is not reliably blocked.

Special case: software that only allows passwords

Unfortunately, there are still programs that do not allow passkeys. If no more secure alternative exists, we recommend introducing an enterprise-wide password vault such as Vaultwarden or Bitwarden, including the corresponding browser extension, which makes it easier for employees to use. Access to this vault itself should always be via SSO or at least via passkeys. In the vault, a separate randomly generated password of at least 32 characters should be created for each access that requires a password. These passwords never have to be typed by hand; they are always filled in by the vault, either via the browser extension or by copy and paste. It is also recommended to store a TOTP (Time-Based One-Time Password) for each login. This is probably the best-known type of two-factor authentication: typically a six-digit numerical code that is read from an app, e.g. on a smartphone, and changes every 30 seconds. It can also be stored in the password vault; it is only intended to protect against attacks on the target system's database (a leaked password hash alone is then not enough to log in). Important: as with the previous solution, it is easy to forget to disable accounts, for example after an employee changes departments or leaves the company. Furthermore, the last step, entering the password and the TOTP code, is not safe from phishing: an attacker can relay both to the real site in real time, steal the resulting session and thus log in as the employee. This method should therefore be the last resort if SSO, passkeys or RADIUS are not supported.
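The two things the vault has to do for each such account, as an added example that is not part of the original article and not code from Bitwarden or Vaultwarden: generate a 32-character random password and compute the RFC 6238 TOTP code from the base32 secret the service shows at enrolment. The 94-character alphabet, the password length, the RFC 6238 test secret in main and the function names are this example's own choices; the only real inputs a vault takes are the enrolment secret and the current time.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"math"
	"math/big"
	"strings"
	"time"
)

// alphabet: the 94 printable ASCII symbols without the space character.
const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" +
	"!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"

// GeneratePassword draws n symbols uniformly from the OS CSPRNG; rand.Int
// avoids the modulo bias of "random byte % len(alphabet)".
func GeneratePassword(n int) (string, error) {
	var sb strings.Builder
	limit := big.NewInt(int64(len(alphabet)))
	for i := 0; i < n; i++ {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		sb.WriteByte(alphabet[idx.Int64()])
	}
	return sb.String(), nil
}

// EntropyBits of n symbols chosen uniformly from an alphabet of size k.
func EntropyBits(n, k int) float64 { return float64(n) * math.Log2(float64(k)) }

// HOTP implements RFC 4226 (HMAC-SHA1 with dynamic truncation).
func HOTP(key []byte, counter uint64, digits int) string {
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(c[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// TOTP implements RFC 6238 with the usual 30-second step and 6 digits; secret
// is the base32 string shown at enrolment (spaces, lower case and "=" tolerated).
func TOTP(secret string, at time.Time) (string, error) {
	clean := strings.ToUpper(strings.ReplaceAll(secret, " ", ""))
	key, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(strings.TrimRight(clean, "="))
	if err != nil {
		return "", err
	}
	return HOTP(key, uint64(at.Unix())/30, 6), nil
}

func main() {
	pw, _ := GeneratePassword(32)
	fmt.Printf("vault password: %s (%.0f bits of entropy)\n", pw, EntropyBits(32, len(alphabet)))
	// RFC 6238 test secret: ASCII "12345678901234567890", base32-encoded.
	code, _ := TOTP("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", time.Unix(59, 0))
	fmt.Println("TOTP at t=59:", code)
}
```

A 32-character password from this alphabet carries about 210 bits of entropy, far beyond what any brute-force attack can cover, which is why it only ever needs to exist inside the vault. The TOTP routine is the same arithmetic an authenticator app runs; storing the secret in the vault next to the password is convenient, but it also shows why the code is no defence against a proxy that relays it within its 30-second window.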

Further questions on the topic (FAQ)

  • What happens if an employee has lost or forgotten their passkey?
    The same as today when an employee forgets their password: you use the SSO solution to register a new passkey from a central location or, if necessary, to issue a one-time emergency password. In addition, the lost passkey must be removed from the account so that it can no longer be used.
  • How do I set up a passkey?
    First of all, we recommend enforcing the use of passkeys and disabling passwords in the SSO solution. In the corresponding solution, click on “Add passkey” and choose between hardware tokens (Token2, YubiKey), an integrated solution (Windows Hello, iOS passkeys) or a cell phone. The browser then guides you through the setup.
  • What type of passkey is the right one?
    There is no general answer to this question. Fundamentally, the solution should be FIDO2 certified. However, if the on-site access concept requires all doors to be locked and a door code to be entered to reach the toilet, for example, it may be practical to use a hardware token that also supports NFC. This has the advantage that the token always stays with the employee. In this case, the token could even be used as a “companion device” for Windows Hello to unlock the workstation.