Our CTO, Mike Paul, describes our path to two-factor authentication and why you should take your own path to stronger security with 2FA.
Over the next few weeks, Mike will tell our story and offer advice on moving to 2FA.
Innovative Computing Systems is a managed service provider with over 300 clients. Frequently, we become our clients’ trusted resource for all things IT. One of the challenges we have, as most organizations do, relates to password management.
We manage thousands of passwords for multiple clients. Auditing access to these passwords, tracking who has access to them and maintaining security are critical for our clients’ IT operations. When we have employee turnover, it is important that we know which passwords that engineer has seen and be able to change those passwords in a timely fashion.
Since we deploy a centralized password manager, knowing that access to it is securely locked down is imperative. To have this level of reporting and security, we implemented two-factor authentication (2FA) to verify identity and access. One of the best tools we have is 2FA. It took two vendors and a lot of integration work, but the solution we now have is extremely robust and secure. With 2FA, I know who has access and who doesn’t.
When I first started working at Innovative Computing Systems, we were a much smaller organization. A tightly held, password-protected spreadsheet in our document management system (DMS) was our method of tracking passwords. We controlled access with Windows credentials, auditing was conducted within the DMS and the number of passwords was far smaller. Over time, the list became more difficult to manage, with additional clients, more passwords per client and more employees to track. While the spreadsheet was a good first tool, we could not reliably know which password had been accessed. Because of this, we changed passwords for all clients on the list on any employee turnover. Most critically, we had no way to know whether a former engineer had seen another employee’s password. We had a lot of forced password changes in those days. This workflow was extremely disruptive to our clients and our operations. A better tool was necessary.
As our operation evolved, we researched a “perfect” solution. After some time, we found a solution that appeared to solve our most pressing issues. The password manager had vaults for individual client security, which meant we didn’t have to change all client passwords on any employee turnover. A report on the exact passwords accessed was easily generated, and we could target those for a change. We had a mechanism to rotate passwords using an agent. Engineers could enter passwords themselves instead of a master user entering them all. And, almost as an afterthought, it came with 2FA.
The 2FA included with the solution helped solve numerous account identity issues. The new login mechanism required running a soft token on a smartphone. This feature allowed us to reliably know that the person logging in was in fact one of our engineers. The login could not be easily faked. Because the solution was Active Directory-integrated, disabling a departing engineer’s 2FA login was all it took to cut off their access to passwords. This is a key piece of 2FA for identification reasons. Even if a password itself were compromised, the account would remain protected by the second factor. Nonetheless, good password hygiene is still critical to keeping accounts secure. Passwords should be changed frequently and, wherever possible, 2FA should be set up.
Want more information on two-factor authentication? Contact us.
Learn about the most common two-factor authentication solutions.