Aircraft manufacturer boosts on-premises network security with Windows MFA using Token2

  • Deutsche Aircraft GmbH
  • Aerospace
  • Germany
Deutsche Aircraft GmbH is a German aircraft manufacturer built on the heritage of aviation pioneers that continues to propel the aviation industry forward with innovative solutions. Supported by a highly skilled and passionate team of international engineers and aviation experts, Deutsche Aircraft is developing the most advanced regional aircraft on the market: the D328eco. As type certificate holder and service partner for existing D328 (both prop and jet) operators worldwide, the company is uniquely positioned to complement the existing fleet with this next-generation aircraft.

"...onboarding is simple for end-users which minimizes the disruption that usually happens when migrating to a new security system."

Mathias Reitinger - Team Leader, IT Infrastructure & Support

The Challenge

Implement MFA across all Windows users to protect sensitive data in an on-premises network

Historically, Deutsche Aircraft had deployed multi-factor authentication (MFA) to secure access to Microsoft 365 accounts using the Microsoft Authenticator app. Now, the company was seeking to extend MFA across all user access to its extensive on-premises Windows network.

Although operating in the aerospace sector, the aircraft manufacturer is not currently subject to regulations that mandate MFA. However, their U.S. parent company must align with NIST Cybersecurity Framework recommendations on best practices. This reinforced the decision to deploy MFA across Deutsche Aircraft’s on-premises network.

To do so, Mathias Reitinger, Team Leader, IT Infrastructure & Support, had to overcome a common challenge: implementing MFA for an on-premises network without adding infrastructure or creating extra complexity. The risk was added expense and disrupted productivity.

Reitinger knew that rolling out MFA for all users would be a big change in security culture, and wanted a solution that would be as easy to implement as possible.

Another priority was to adopt an MFA solution that would give admins plenty of flexibility to manage how MFA would interact with users. The last thing Reitinger wanted was for MFA security to become a drag on productivity or drive end-users to try to bypass security.

Finally, the solution had to support end-users across a range of connection scenarios, including MFA for VPN remote access as well as fully offline MFA. That was important because even when users are not connected to the internet, the data on user laptops remains sensitive and must be protected in case of physical loss with more than a vulnerable Windows credential.

The Solution

Using hardware tokens for privileged users backed by the simplicity of UserLock across an expanding network

With the likelihood that the workforce would expand in the near future, the company’s choice of MFA platform would have long-term implications and would need to support this growth.

Reitinger’s solution was to implement different MFA methods for different types of users. Recognizing that UserLock is designed specifically to solve this problem, the IT team chose to implement UserLock MFA for general Windows users with Token2 keys, backed by Authlite and YubiKey tokens to secure privileged server access for the IT admin team.

Reitinger chose UserLock for all users because he judged that Authlite didn’t manage the offline scenario very well, leaving users blocked with no domain or VPN access. And while YubiKey was very secure, it was too expensive to implement beyond the handful of admin users.

"We chose UserLock because it fulfilled our needs at the time, and we still like the tool. We currently have 750 UserLock licenses and have renewed for another three years."

Mathias Reitinger - Team Leader, IT Infrastructure & Support

The Result

MFA is enforced across all users and all scenarios, including fully offline access

The company sees the implementation of MFA as only the beginning and is still looking for ways to consolidate and simplify this type of access security.

IT is already looking over the next few years at further streamlining authentication, always with the goal of implementing security without impacting usability.

According to Reitinger, this is often a drawback of applying MFA across a workforce. In time, he sees the company moving to a simpler environment that mixes UserLock MFA with FIDO tokens.

Reitinger appreciates that UserLock offers improved usability and easy onboarding for end-users, a priority both when starting a new MFA implementation and when managing an existing one.

"UserLock’s ability to integrate with our existing on-premises Active Directory made admin setup seamless. And the onboarding is simple for end-users. This minimizes the disruption that usually happens when migrating to a new security system."

Mathias Reitinger - Team Leader, IT Infrastructure & Support