Hackers, phishing emails, ransomware – IT security and information security now play a crucial role for all companies. For us as software developers, it is even more important because we not only secure our internal systems but also continuously adapt the software we develop to the latest security standards.
Our Chief Information Security Officer (CISO) works collaboratively with all teams. He is in particularly close contact with the IT operations and development teams to work together on the security of software and the mytracekey cloud. In our daily work, we follow a risk-based approach. This means that we constantly monitor new security risks, assess how our software and the applications we use are positioned, and derive measures from this. Additionally, we always seek to exchange information with management to evaluate risks and prioritize measures, as their support and commitment are crucial for implementing IT security.
“Even though the fundamental security principles are universal, cloud infrastructures need to be secured differently than on-premise systems. The rapid developments in IT require a daily reassessment of our security situation to ensure the protection of both internal and external systems.” – Lennart Lorenz, Chief Information Security Officer at tracekey solutions
Secure Passwords – Internally and Externally
Among the technical and organizational measures derived from the risks, the basics are essential. This includes raising awareness of currently used attack strategies, such as phishing emails, and creating secure passwords.
Analyses of data leaks repeatedly show that passwords like “123456”, “password”, or “hello” are still among the most commonly used passwords. However, it is not difficult to create secure alternatives. Here are some tips from our CISO:
Tip 1: Use a password manager. This way, you only need to remember one very secure password. With the many applications we use today, it is no longer possible to remember all passwords. It is important to use a unique password each time. In the event of a data leak, only one application is affected, not multiple. A password manager also makes it easy to create randomized and secure passwords, so you don’t have to come up with them yourself.
Tip 2: If you need to create passwords yourself, follow the recommendations of the BSI (the German Federal Office for Information Security). There are two options. The first is a short password of 8-12 characters built from all four character types in random order: uppercase letters, lowercase letters, numbers, and special characters. The second is a long, less complex password of at least 25 characters that uses two character types, for example several words, each separated by a special character.
Tip 3: Always use two-factor authentication (2FA) when available. It is best to avoid SMS as the second factor, as SMS is more susceptible to attacks like SIM swapping or message interception. Instead, more secure methods such as authenticator apps (e.g., Google Authenticator, Microsoft Authenticator) are recommended.
Pro Tip: Use passwordless login methods like Passkey when available.
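As an added example (not code from the mytracekey software or from the BSI), here is a small Python checker and generator for the two password styles described in Tip 2, combined with the deny-list of leaked favourites from the paragraph above. The word list and the common-password set are constructed for illustration; a real deployment would use a large word list and a full breached-password list.

```python
import secrets
import string

# Constructed deny-list: the leaked-password favourites named in the article plus a few more.
COMMON_PASSWORDS = {"123456", "password", "hello", "qwerty", "12345678"}
# Constructed word list for the long-passphrase style (shortest word is 5 characters).
WORDS = ["anchor", "barcode", "compass", "dossier", "ember", "falcon", "granite", "harbor"]


def character_classes(password):
    """Return the set of character classes present: upper, lower, digit, special.
    Anything that is not a letter or digit (punctuation, space) counts as special."""
    classes = set()
    for c in password:
        if c.isupper():
            classes.add("upper")
        elif c.islower():
            classes.add("lower")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def check_bsi_password(password):
    """Return (ok, reason) for the two BSI styles: short-and-complex or long-and-simple."""
    if password.lower() in COMMON_PASSWORDS:
        return False, "in common-password list"
    classes = character_classes(password)
    n = len(password)
    if 8 <= n <= 12 and len(classes) == 4:
        return True, "short complex password (8-12 chars, all 4 classes)"
    if n >= 25 and len(classes) >= 2:
        return True, "long passphrase (>=25 chars, >=2 classes)"
    return False, f"{n} chars with {len(classes)} classes meets neither style"


def generate_short(length=12):
    """Random 8-12 character password; rejection-sampled until all four classes appear."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if check_bsi_password(candidate)[0]:
            return candidate


def generate_passphrase(words=5, sep="-"):
    """Random words joined by a separator (lower + special = two classes, >= 25 chars)."""
    while True:
        candidate = sep.join(secrets.choice(WORDS) for _ in range(words))
        if check_bsi_password(candidate)[0]:
            return candidate
```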
Passkey in the mytracekey Software
Our customers have two options for logging into the mytracekey software: the traditional way, with a username and password, or with passkeys. Passkeys are passwordless, digital login credentials that are tied to a user account and to a website or application. They cannot be guessed, reused, or stolen through phishing attacks, making them a more secure alternative to passwords. Additionally, they are a form of two-factor authentication, as the passkey (the digital login credential) is always linked to a second factor, such as a fingerprint, facial recognition, or a device PIN. Passkeys are an extension of the FIDO2 standard, which has been used at tracekey since 2019 as an alternative to password-based authentication on the internet.
“We were one of the first companies to offer the predecessor of passkeys, the security keys based on FIDO2, as a login option for our mytracekey software back in 2019.” – Lennart Lorenz, Chief Information Security Officer at tracekey solutions
Security Keys: Research Study by and with tracekey Employees
In 2019, the very secure, passwordless login option for mytracekey was implemented with FIDO2 security keys. These are configurable security keys that, for example, connect to the laptop via USB and serve as a secure password replacement. Only those who possess this security key, linked to their login credentials, can log in. Our Chief Information Security Officer, Lennart Lorenz, conducted research at Ruhr University on the user-friendliness of these security keys. The implementation in mytracekey and the use by a group of tracekey employees were part of the research project. Through login diaries, interviews, and server logs, user-friendliness, perceived security, and usability were examined. Barriers to the use of security keys included the fear of losing the token and thus losing access to the system, more cumbersome handling compared to using password managers, and habit.
More Security Through Passwordless Authentication
Important usability factors of passwordless authentication have now improved with passkeys. For example, the possibility of losing the security key caused users headaches, and logging in was perceived as slower (see box). With passkeys, no physical security key is necessary. The login credential is stored digitally in a secure area on the user’s device. Passkeys can also be synchronized via the cloud, so you are not tied to one device. The key can no longer be lost, and logging in is now as fast as with a password. Because of the high security of this login option, it is also promoted by providers such as Google and Microsoft.
“To summarize: The safest way to navigate the internet is passwordless, which works through technologies like Passkey. Therefore, we strongly recommend our customers use them. Next comes the use of a password manager. It becomes even more secure when two-factor authentication is included. Otherwise, you should follow the recommendations of the BSI.” – Lennart Lorenz, Chief Information Security Officer at tracekey solutions