
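As the company scaled its internal infrastructure, three interconnected vulnerabilities emerged: weak authentication and phishing exposure; slow, non-compliant document signing; and an OTP channel vulnerable to spoofing.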
ASEE Solutions addressed all three by deploying its own enterprise security products internally: Authentication Server, Secure Sign, and Spoofing Protector.
The result: zero successful spoofing incidents, a completely digitized and legally valid document signing workflow, and phishing-resistant authentication across all critical systems — all running on internally owned and controlled technology.
ASEE Solutions, a member of ASEE Group, is a regional technology leader specializing in cybersecurity, digital identity, and strong authentication solutions. Our client base includes major financial institutions, telecom operators, and public sector organizations that operate under strict regulatory frameworks, including PSD2, eIDAS, and NIS2. With hundreds of employees distributed across multiple business units, ASEE's own internal infrastructure carries the same security requirements it imposes on its enterprise clients, making it an ideal proving ground for its own product portfolio.
As a company that builds and sells security products, ASEE's internal practices must reflect the same standards it demands of its clients. An internal audit identified three distinct but structurally related vulnerabilities.
Weak authentication and phishing exposure
Employees were accessing critical internal systems, including VPN, file transfer services, a password manager, and a self-service portal, using single-factor authentication. In an environment where phishing attacks, credential theft, and identity spoofing are daily operational risks, static passwords alone represented an unacceptable exposure. Beyond the immediate risk, the company also needed to ensure that internal authentication practices reflected the same standards it applies when deploying solutions for its enterprise clients, without degrading productivity for hundreds of daily users.
Slow, non-compliant document signing
Internal contracts, compliance agreements, board reports, and partner documents were being processed through physical signing or third-party platforms that lacked full eIDAS compliance. Every document requiring a formal signature introduced days of friction: printing, scanning, physical archiving, and courier coordination. Each delay was a direct cost to operational velocity. Each third-party dependency was a compliance liability and a point of potential data exposure.
OTP channel vulnerable to spoofing
ASEE employees rely on the ASEE OTP mobile application for daily authentication. This introduced a real operational risk: spoofing attacks capable of intercepting OTP codes, impersonating legitimate authentication server requests, and bypassing access controls entirely. Standard OTP protects the code in transit but not the integrity of the communication channel through which it travels. For a company whose enterprise clients include regulated financial institutions, this was not a theoretical gap. It was a live vulnerability requiring immediate remediation.
Rather than sourcing third-party tools, ASEE deployed its own enterprise security stack, maintaining full ownership of the source code and the ability to adapt rapidly to evolving regulatory requirements without dependency on external vendor roadmaps.
Authentication Server was implemented as the central identity and access management layer across all employees and internal applications. The platform supports phishing-resistant multi-factor authentication via OTP through a single integration point, with native connectivity to Active Directory.
Unlike generic MFA solutions, ASEE retains full control over the source code, enabling deep customization to internal security policies and rapid response to evolving security requirements, including NIS2 and other emerging standards. This is the same platform ASEE deploys for banks and government institutions operating under PSD2, eIDAS, and NIS2 frameworks.
Secure Sign replaced all physical and third-party signing workflows with a fully eIDAS-compliant digital document signing platform. Every internal document requiring a formal signature (contracts, NDAs, compliance reports, consent forms) now passes through Secure Sign. The platform integrates natively with ASEE's internal ERP and document management systems. Qualified electronic signatures generated through Secure Sign carry full legal validity across EU member states, providing non-repudiation and document integrity guarantees that physical signatures cannot match at scale.
Spoofing Protector was embedded directly into the ASEE OTP mobile application as a native architectural component: not an external add-on layer, but an integral part of the authentication flow, active from the first to the last step of every session. The solution continuously verifies OTP channel integrity, detects anomalies characteristic of real-world spoofing and man-in-the-middle attacks, and blocks suspicious requests in real time without friction for legitimate users. To understand how these solutions work together in enterprise environments, explore our full digital identity and authentication security portfolio.
All three solutions were deployed using ASEE's standard five-phase methodology, rolled out in parallel across business units with minimal disruption to ongoing operations.
All internal systems and critical access points were mapped for Authentication Server. Document flows requiring formal signatures were catalogued, and transaction volumes assessed for Secure Sign. For Spoofing Protector, attack vectors specific to OTP mobile authentication were analyzed and vulnerability points identified within the existing application architecture.
Authentication Server integration was architected around ASEE's Active Directory infrastructure, with user scenarios defined and a phased migration plan developed. Secure Sign was integrated with internal ERP and document management systems, with role-based permissions and approval flows established. Spoofing Protector's architectural integration was designed from scratch as a native component built into the OTP application's core, not bolted onto it.
All three solutions were rolled out progressively across business units to maintain operational continuity. Secure Sign ran in parallel with legacy signing processes during the transition period. Spoofing Protector was embedded into the production OTP application and gradually activated across the full employee base.
Authentication Server underwent penetration testing and full attack scenario simulations to validate system resilience against credential theft and phishing vectors. Secure Sign signatures were verified for legal validity under eIDAS, and document integrity was stress-tested. Spoofing Protector was subjected to red team exercises and live spoofing simulations, including man-in-the-middle and OTP interception scenarios, to validate real-world detection and blocking effectiveness.
Structured training sessions were conducted across all three deployments. Employees were trained to recognize phishing and social engineering attempts, to correctly initiate and verify digitally signed documents, and to identify and report spoofing attempts within the OTP application workflow.
| Area | Before | After |
| --- | --- | --- |
| Authentication method | Single-factor, static passwords | Phishing-resistant MFA via Authentication Server |
| Spoofing incidents | Active operational vulnerability | Zero successful attacks post-deployment |
| Document signing process | Physical or non-compliant third-party tools | 100% digitized, eIDAS-compliant via Secure Sign |
| Qualified electronic signature validity | Not guaranteed | Full legal validity across EU member states |
| Third-party vendor dependencies | Multiple external vendors | Zero — full source code ownership across all three solutions |
| OTP channel integrity | Unprotected communication channel | Real-time anomaly detection and channel verification |
| Employee security awareness | Ad hoc | Structured training across authentication, signing, and spoofing domains |
Testimonial
"Authentication Server, Secure Sign, and Spoofing Protector are not just products we offer to clients. They are the foundation on which we protect our own digital identity. Every employee who logs into our systems, signs a document, or authenticates via mobile goes through the same security layer we recommend to banks and government institutions. When we embedded Spoofing Protector into ASEE OTP, we confirmed something important: what we sell actually works under the harshest conditions, in our own backyard." Boro Marelja, ICT Support Manager, ASEE Solutions
Book a consultation with ASEE's enterprise security team and see how Authentication Server, Secure Sign, and Spoofing Protector work together as a unified identity and access security platform that is built, tested, and battle-hardened in-house.