2016-01-14

By: Eric M. Feliciano, “The Stranger”

Over the holidays I went shopping and, while in line to pay, I saw a state-of-the-art Password Vault. This Password Vault was intended to relieve the frustration you might have when trying to log in. Some of the key features are being able to keep your usernames, passwords and websites confidential. I couldn’t believe my luck; with so many of them sold, I still managed to find one for myself. I knew that if I didn’t snatch this one up, someone else would. I could see so many people purchasing this tool, and who wouldn’t, with so many passwords that we need to remember for work and personal sites. I’m the first to admit that I often forget my passwords or mix them up: six characters for one, eight characters for another, and twelve alphanumeric characters for another. I’m only human; how dare you make me remember so many passwords.

Seeing how popular this tool was, and knowing that less tech-savvy individuals (including my parents) would purchase one of these to ease their pain, I felt I had an obligation to share this with all my friends, co-workers and the rest of the world. I present to you the “Forgot Your Password?” notebook. I provided an image below in case those clever competitors attempt to make a variant.



Seeing how popular these actually are, I did feel obligated to write about it. We all know someone who would purchase one of these, or we will see one next to a family member’s computer. Something like this would most likely be taken along when they went out. I’m sure we all see the risks that this presents. Not only will they store their personal login information, but I’m sure we could find work-related login information in these. Why would you find work-related login information, you ask? Companies are making their organizations secure: password changes every 30 to 90 days, an 8-character minimum, special characters, or being unable to reuse the last 24 passwords. The more difficult we make it for an external attacker, the easier we also make it in one way or another. Frustration will tend to have someone look for an easier way to accomplish a task.

How do we remove the frustration and avoid having someone stumble across one of these password vaults? Once they have your password, they also have the keys to the kingdom.

SecureAuth offers a solution that not only makes it simple for your employees, but also makes it secure: Two-Factor Authentication – Adaptive Authentication – Single Sign-On – User Self-Service. Even if a user has their password exposed, when an attacker attempts to connect, they’re taken to a SecureAuth page. You’re unable to go any further unless you’re able to receive the time-sensitive registration code via email, SMS, voice phone call or knowledge-base questions. If the attacker has access to all of these, you might have an issue. But wait: with Adaptive Authentication you can specify where the user can connect from. If the organization is located in Pennsylvania and the attacker resides in California, SecureAuth has the ability to inspect the IP address, geo-location and geo-velocity, and therefore prevent them from logging in or offer additional methods to determine who you are.
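The IP, geo-location and geo-velocity logic described above, written out as an added Python illustration (this is not SecureAuth’s code; the corporate IP prefix, the Philadelphia and Los Angeles coordinates, and the speed and distance thresholds are constructed assumptions):

```python
import math
from dataclasses import dataclass


@dataclass
class LoginEvent:
    user: str
    ts: float      # epoch seconds of the authentication attempt
    lat: float     # geo-location resolved from the source IP
    lon: float
    ip: str


# Assumed corporate address space (constructed, documentation range).
CORP_NET_PREFIXES = ("198.51.100.",)
MAX_KMH = 900.0        # faster than airline travel => one person cannot be in both places
NEW_REGION_KM = 500.0  # far from the last known location => ask for another factor
SAME_AREA_KM = 50.0    # within the same metro area => treat as the same place


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def adaptive_decision(prev, cur):
    """Return 'allow', 'step_up' (demand a registration code) or 'deny'."""
    # Inside the organization's own network: the portal and SSO apply as-is.
    if cur.ip.startswith(CORP_NET_PREFIXES):
        return "allow"
    # No history for this user: always ask for the second factor.
    if prev is None:
        return "step_up"
    dist_km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if dist_km < SAME_AREA_KM:
        return "allow"
    hours = (cur.ts - prev.ts) / 3600.0
    # Zero or negative elapsed time with a real distance is impossible travel.
    speed = dist_km / hours if hours > 0 else float("inf")
    if speed > MAX_KMH:
        return "deny"          # geo-velocity: impossible travel, likely a stolen password
    if dist_km > NEW_REGION_KM:
        return "step_up"       # geo-location: plausible trip, but confirm identity
    return "allow"


# Constructed sample: last login from Philadelphia, PA; next attempt from Los Angeles, CA.
PHILLY = LoginEvent("alice", 0.0, 39.95, -75.17, "203.0.113.10")
LA_1H = LoginEvent("alice", 3600.0, 34.05, -118.24, "192.0.2.77")
```

A real deployment would read the previous event from an authentication log rather than a constant, and would resolve the coordinates from a geo-IP database.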

What about simplicity? If an employee connects from within the organization, they can have a SecureAuth Portal that contains only what they are able to connect to. Once you have authenticated, this portal will allow single sign-on to the other resources the employee is allowed to access via this portal, thus eliminating multiple authentications to different resources. At the end of the day, when the laptop is taken to Starbucks, SecureAuth can determine that you are no longer on the corporate network, and the employee will either have different methods to securely access resources or be prevented from accessing them.

Here’s a quick example:

I’m attempting to connect to my corporate Office 365 from home. I connect using the Office 365 login URL https://login.microsoftonline.com/login.srf.

Once I enter my work email, I will be redirected to the organization’s SecureAuth page.

Next I’m prompted to enter my username.

I will need to specify how I would like to receive my registration code. SecureAuth offers different methods such as email, voice phone call, SMS text message, knowledge base questions, etc.

Once I receive this time-sensitive, one-time registration code, I will be able to enter it on the PIN pad. If the registration code hasn’t expired, you will be able to log in.

Having roadblocks to prevent unauthorized access doesn’t mean the end users have to suffer. This makes it easier on your employees. With features such as being able to quickly and effectively implement a Password Reset/Forgot My Password portal, you eliminate a big chunk of help desk calls. I’ve been there on the other end of the line, speaking to the end user and gathering important information to reset their password. SecureAuth eases the pain; you configure how the user accesses the page based on which Organizational Unit the service account has permissions to. Those are the users who can perform a self-reset of their passwords.

After submitting a ticket, you receive a link from the help desk by email or by any other method you choose. Once you access the page, you are prompted for the username.

The next step offers a choice of how to receive the registration code. Methods include email, voice call, SMS text message and knowledge-base questions; not listed is the option to have someone from your help desk contact the user with the code.

Everything is based on what the organization already has in place; no need to add or modify the password requirements. If everything is entered correctly, the employee will now be able to reset their password.

Feel free to contact your Comm Solutions Account Executive if you have any questions on this or any other security concerns.  One of our Security Practice engineers can assess and help you mitigate this and other potential vulnerabilities.

