Senior Software Developer and Linux Fanatic
A Secure User Authentication Method – Planning is More Important than Ever
When considering authentication providers, many organizations weigh ease of configuration, ubiquity of usage, and technical stability. Providers cannot always be judged on those metrics alone. There is an increasing need to evaluate company ownership and policies, and the stability, or instability, that they bring.
How Leadership Change Affects Stability
In recent months, a salient example is that of Twitter. The Twitter platform has been around since 2006 and is used by millions worldwide. With many users and a seemingly robust authentication system, organizations used Twitter as a primary or secondary authentication service.
Inconsistent leadership and policies mean the stability of a platform is subject to change, which has been especially true of Twitter as of late. The ownership change to Elon Musk precipitated widespread changes to staffing and policies. As a result, a large portion of staff was let go, including many of the individuals responsible for the technical stability of the platform.
This culminated in an outage of Twitter’s SMS two-factor authentication. With delayed or non-existent texts, many users could not log in to Twitter. This affected systems that relied on Twitter as their primary or secondary authentication provider.
The concern is not limited to authentication issues: the changes also renewed worries over the safety and privacy of user data. Twitter has been under an FTC consent decree from past problems surrounding user data, and a good portion of the staff responsible for compliance has been let go. Even if the authentication provider stays up, an organization may be left in an uncomfortable position regarding the state of its data stored on Twitter’s servers.
Strategies for Authentication Service Stability
Using a platform’s well-established and robust authentication service can save organizations time and money over implementing their own. Cutting out third-party platforms is typically not feasible or even recommended. Instead, proactive planning is essential if an organization needs to maintain stability and security with its authentication platforms.
It’s crucial to ask and answer the following questions when considering how your organization’s authentication service would handle potential disruptions in authentication providers.
- Does the organization’s authentication service support multiple identity providers?
- If a provider is unavailable, is there a backup provider, and how quickly can providers be switched?
- What is the disruption to users? Will they be logged out of current sessions, or will it be seamless and take effect on the next login?
- If MFA is configured, what are the available options? Are there multiple methods to verify the user, and if one is removed, does that degrade authentication services?
If an organization chose Twitter as a source of two-factor authentication, it might find that recent events indicate a necessary change. If so, the switch could be made easier if multiple MFA platforms were already available and configured.
If an organization can choose the active authentication system based on current needs, then even the problems shown with a major platform such as Twitter would be mitigated, and the organization’s users would see little change.
Offering Multiple MFA Options
To understand how this works in practice, one can look to Microsoft. With Azure, once MFA is configured, you can offer several options or limit the available verification methods. Instead of an SMS, you could receive a phone call or use a hardware token. If you offer all three, you won’t be locked out of your account if a specific service is unavailable.
Google Workspace is nearly identical: you can offer one or more authentication options, and if you enable more than one, you will not lose the ability to authenticate your users in the event of a service failure. Both Microsoft and Google could be more flexible, however. Neither offers the full range of options to integrate with services like Twitter.
An example of a system that offers a myriad of options is Okta. By enabling Social Logins, you can allow users to log in via popular services such as Facebook or Twitter. But it’s recommended that you back that social login with an MFA configuration that could include such options as SMS, authenticator applications, or a hardware device such as a YubiKey.
Mitigating Authentication Instability with Specops uReset
An organization may find itself uncomfortable with changes to its authentication provider. If so, implementing a product, such as Specops uReset, takes the reliance on a problematic authentication platform off the table, at least for password resets.
The flexibility to choose from multiple weighted authentication providers makes a problematic provider easy to remove while leaving the ability for users and service desk workers to reset a password. Change the weighting to offset the loss of the previously used provider, and your users can quickly get back to work!
Since multiple providers are in use, you can have end-users utilize a combination of trusted identification services to perform self-service password resets without worrying about losing access to a previously critical authentication service.
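The two design points above, that a single verification method (SMS) fails outright when its provider has an outage, and that a set of weighted providers lets you drop or reweight a problematic one while users can still reset their password, can be made concrete with a small policy model. The following is an added illustration written for this page; it is not Specops uReset’s code, and the provider names, weights and required score are constructed for the example.

```python
"""Weighted multi-provider verification policy for self-service password reset.
Hypothetical example code: not the Specops uReset implementation. Provider
names, weights and the threshold below are constructed for illustration."""
from dataclasses import dataclass
from itertools import combinations


@dataclass
class Provider:
    """One identity verification method (SMS code, authenticator app, ...)."""
    name: str
    weight: int          # trust contributed by one successful verification
    available: bool = True


class ResetPolicy:
    """A reset succeeds once verifications reach `required_score`.

    Only providers currently marked available count, so a provider outage
    cannot be worked around by a stale or spoofed verification claim."""

    def __init__(self, providers, required_score):
        self.providers = {p.name: p for p in providers}
        self.required_score = required_score

    def mark_unavailable(self, name):
        self.providers[name].available = False

    def reweight(self, name, weight):
        """Adjust a provider's weight, e.g. to offset a provider that was removed."""
        self.providers[name].weight = weight

    def score(self, verified):
        """Sum the weights of the claimed verifications that are actually usable."""
        total = 0
        for name in verified:
            p = self.providers.get(name)
            if p is not None and p.available:
                total += p.weight
        return total

    def can_reset(self, verified):
        return self.score(verified) >= self.required_score

    def max_attainable_score(self):
        return sum(p.weight for p in self.providers.values() if p.available)

    def locked_out(self):
        """True when no combination of available providers can reach the bar."""
        return self.max_attainable_score() < self.required_score

    def satisfying_combinations(self):
        """Minimal sets of available providers that meet the threshold; this is
        what a service desk would want to see during an outage."""
        avail = [p for p in self.providers.values() if p.available]
        found = []
        for size in range(1, len(avail) + 1):
            for combo in combinations(avail, size):
                names = {p.name for p in combo}
                if sum(p.weight for p in combo) >= self.required_score \
                        and not any(s <= names for s in found):
                    found.append(names)
        return [tuple(sorted(s)) for s in found]


def sms_only_policy():
    """The single-provider setup that fails outright when SMS delivery breaks."""
    return ResetPolicy([Provider("sms", 3)], required_score=3)


def multi_provider_policy():
    """Several weighted providers; losing any one still leaves a path to reset."""
    return ResetPolicy(
        [Provider("sms", 3), Provider("authenticator_app", 3),
         Provider("hardware_key", 4), Provider("manager_approval", 2)],
        required_score=5,
    )


def simulate_sms_outage():
    """Compare both designs when the SMS provider becomes unavailable."""
    single = sms_only_policy()
    single.mark_unavailable("sms")
    multi = multi_provider_policy()
    multi.mark_unavailable("sms")
    # Offset the lost provider by trusting the authenticator app slightly more.
    multi.reweight("authenticator_app", 4)
    return {
        "single_locked_out": single.locked_out(),     # True
        "multi_locked_out": multi.locked_out(),       # False
        "multi_options": multi.satisfying_combinations(),
    }


if __name__ == "__main__":
    print(simulate_sms_outage())
```

The `score` method deliberately ignores verifications from providers marked unavailable: if a provider is pulled because it is no longer trusted, a claim that it verified the user must not count, otherwise removing the provider from the policy achieves nothing.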
Manage Platform Instability with Planning
Platform changes are hard to predict and react to, but with foresight and planning your organization can be ready for them. Even the most mercurial leadership can be planned around by architecting flexible authentication services.
With products such as Specops uReset, users will not be locked out when an authentication service goes down. Using various password reset options, they can quickly get back to work.