Single Sign-On


So everyone at your organization has a strong password and multi-factor authentication enabled on their email account. Great! Now to enforce strong passwords and MFA on their computer login as well. And their file server login. And their Microsoft Office login. And Adobe Creative Cloud. And WiFi. And VPN, HRIS, Slack… Are we having fun yet? Don’t forget when someone leaves your organization, you have to go through and disable all those. Sometimes very quickly.

I don’t know about you, but to me, none of that sounds fun. Thankfully, it didn’t sound fun to other people either, and they worked out something called “single sign-on” (SSO): how to let each person use a single username, password and MFA across all the situations above. With a little more work up front, you can save days of onboarding, name changes, password resets, and offboarding.

But wait! You previously said to never reuse the same password. You’re right! The beauty of SSO is that you always authenticate with the same system (JumpCloud, for example), and that system, the identity provider, then vouches for you to the other systems: it tells each one who you are and that you are authorized to access it. The password itself never leaves the identity provider, so you’re not reusing a password, you’re reusing an authentication system. The flip side is that the identity provider becomes the one account that must be locked down hardest, because whoever controls it controls everything it signs in to.
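The exchange described above, as an added illustration that is not part of the original post: an identity provider checks the password and second factor, then hands the user a short-lived signed assertion addressed to one application, and that application accepts the assertion without ever seeing a password. The user, application names and keys are constructed for the demo; the HMAC over a per-application shared key stands in for the public-key signatures real SAML and OpenID Connect deployments use, and `mfa_passed` is a placeholder for the outcome of a second-factor check that is not modelled here.

```python
import base64
import hashlib
import hmac
import json
import os
import time


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """The one system that ever sees a password; every application trusts its assertions."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._users = {}       # username -> {"salt", "hash", "enabled"}
        self._sp_keys = {}     # application name -> key shared with that application

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "enabled": True,
        }

    def disable_user(self, username):
        # Offboarding: flipping this one flag locks the person out of every application.
        self._users[username]["enabled"] = False

    def register_service(self, name):
        # Hypothetical one-time setup: each application gets its own key, handed over out of band.
        self._sp_keys[name] = os.urandom(32)
        return self._sp_keys[name]

    def login(self, username, password, mfa_passed, audience, ttl=300):
        """Verify password and second factor, then issue a signed assertion for one application."""
        user = self._users.get(username)
        if user is None or not user["enabled"]:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
        if not hmac.compare_digest(candidate, user["hash"]) or not mfa_passed:
            return None
        now = int(self._clock())
        claims = {"sub": username, "aud": audience, "iat": now, "exp": now + ttl,
                  "jti": _b64url(os.urandom(8))}
        body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
        sig = hmac.new(self._sp_keys[audience], body.encode(), hashlib.sha256).digest()
        return body + "." + _b64url(sig)


class ServiceProvider:
    """An application that stores no passwords: it only checks assertions from the IdP."""

    def __init__(self, name, key, clock=time.time):
        self.name, self._key, self._clock = name, key, clock
        self._seen_ids = set()

    def accept(self, token):
        """Return the username if the assertion is genuine, addressed to us, current and unused."""
        body, _, sig = token.partition(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None            # forged, or signed with another application's key
        claims = json.loads(_unb64url(body))
        now = int(self._clock())
        if claims.get("aud") != self.name:
            return None            # audience check, which still matters if applications share a key
        if not claims["iat"] <= now < claims["exp"]:
            return None            # expired (or issued by a badly skewed clock)
        if claims["jti"] in self._seen_ids:
            return None            # replayed assertion
        self._seen_ids.add(claims["jti"])
        return claims["sub"]


def run_demo():
    """Constructed scenario: one user, two applications, the checks each step enforces."""
    clock = [1_700_000_000]
    tick = lambda: clock[0]
    idp = IdentityProvider(clock=tick)
    pw = "correct horse battery staple"
    idp.add_user("alice", pw)
    slack = ServiceProvider("slack", idp.register_service("slack"), clock=tick)
    hris = ServiceProvider("hris", idp.register_service("hris"), clock=tick)
    results = {}
    tok = idp.login("alice", pw, True, "slack")
    results["slack_accepts"] = slack.accept(tok) == "alice"
    results["replay_rejected"] = slack.accept(tok) is None
    results["hris_rejects_slack_token"] = hris.accept(idp.login("alice", pw, True, "slack")) is None
    results["no_mfa_no_token"] = idp.login("alice", pw, False, "slack") is None
    results["wrong_password_no_token"] = idp.login("alice", "nope", True, "slack") is None
    stale = idp.login("alice", pw, True, "hris")
    clock[0] += 600
    results["expired_rejected"] = hris.accept(stale) is None
    idp.disable_user("alice")
    results["offboarded_everywhere"] = idp.login("alice", pw, True, "hris") is None
    return results


if __name__ == "__main__":
    print(run_demo())
```

The checks in `accept` are the ones that matter in production too: signature, audience, validity window and one-time use. Skip the audience check and a token minted for a low-value app can be presented to a high-value one; skip expiry and a captured assertion is good forever.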

At the end of the day, SSO is a fundamental security feature for enterprises, small to medium businesses, and even individuals. It will not only save you time, but will let the technology do the work of making sure all necessary accounts are enabled, audited, changed, or disabled when needed. If you use Microsoft Active Directory or G Suite, you already have an identity provider that can be tied into many other systems. Third-party services like JumpCloud or Okta can extend that functionality even further.

Tech Applied - March Newsletter is available for download

March 2019 Tech Applied Newsletter

The March newsletter has everything from a book recommendation for Powerful by Patty McCord (Netflix Chief Talent Officer), to business lessons from Petra’s lead business coach Andy Bailey, to a quick lesson about three insidious ways cybercriminals exploit employee error to hack your network.

Click on the image to download your free copy. You can also contact us via our website and let us know if you would like to have a printed copy sent to you each month.

If you have questions about any of the IT issues discussed in the newsletter, or ANY IT issues for your business, please don’t hesitate to call or email us.

Envision Design is the only certified member of the Apple Consultants Network that has been helping Houston businesses manage, monitor, and secure their technology systems for over 25 years. Whether you

…need to comply with industry mandated security requirements like HIPAA

… you want to implement a backup and disaster recovery plan

… or you simply want to improve the productivity and profitability of your team,

Envision will manage all your IT needs so you can get on with the great work YOU want to do. With no long term contracts, we retain clients by providing outstanding customer service. Fluent in both Apple and Microsoft solutions, we ensure your critical data has been backed up and is protected with a disaster recovery plan in hurricane prone Houston.

Call us today at 832.422.8588 or toll free at 1.866.966.9406 to schedule a free consultation meeting.

Apple announces updated iPads...

the new iPad Air

Apple announced two new/updated iPads today: a new 10.5” iPad Air and an updated iPad mini. Both support the 1st-generation Apple Pencil and use the A12 Bionic chip.

The existing 10.5” iPad Pro has been discontinued leaving the 11” and 12.9” iPad Pros in the lineup both of which support the 2nd generation Apple Pencil.

The existing 9.7” iPad remains unchanged.

You can check out the full lineup and compare models on Apple’s web site.

the new iPad mini


Meet & Geek meetup revived for March 2019!

We just wanted to let everyone know here that we have revived our Monthly Meet & Geek social event. We will meet monthly on a Tuesday (typically) to socialize, speculate, pontificate, eat, drink, smile, laugh, generally just chill a bit at the Spring Street Beer & Wine Garden. We can talk tech or just geek out about the current Marvel movies, our favorite cold beverage, sports-ball, or just the weather.

We hope to see you Tuesday, March 12th from 5pm-7pm.

Please go to meetup.com to get signed up for notices and to RSVP.

Multi-Factor Authentication


Multi-factor authentication (MFA), or more narrowly two-factor authentication (2FA), is available on most information systems now, but not all authentication factors provide the same security. Let’s look at what an authentication factor is, why they’re used, and how they can best be implemented.

The Factors

In information security, authentication refers to the process of confirming a user or service is who or what they say they are. There are many methods of doing so, often grouped into “factors.” The common factors are:

  • something you know

  • something you have

  • something you are

  • somewhere you are

We already looked at the “something you know” factor in the form of passwords and pass phrases. PINs are another form of this knowledge factor, or those “security questions” like the name of your favorite teacher. (“Ask me something only I would know!”)

The “something you have” factor refers to a physical object in your possession. The key to your home is a possession factor that authenticates your access to your domicile. A debit card is an object that authenticates you to the money in an account. Probably the most common form of 2FA on websites indirectly uses your mobile phone as a possession factor by sending a text message to it, which you then have to relay back to the website.

“Something you are” is the most natural form of authentication: when you see someone you know or hear their voice, unless you’re Ethan Hunt you know who they are. For information systems, these inherent factors are almost always some form of biometrics. Fingerprint scanning (Touch ID), voice recognition, facial recognition (Face ID), retinal or iris scanning, DNA testing, gait analysis… anything that is inherently you and statistically unique.

Time vortices aside, “somewhere you are” is also a pretty naturally understood factor. If you come home to a broken flower pot, figuring out whether the doggo or Miley Cyrus is to blame usually does not take a lot of investigating. If you saw your boss enter her office this morning and didn’t see anyone else go in, you are probably not questioning who you hear typing at her desk. For our purposes, the location factor could be physical presence at a machine (what Apple’s user-approved MDM enrollment, UAMDM, is meant to prove) or connecting from the LAN rather than over VPN or the WAN.

Theory and Practice

The idea of using two or more factors for security revolves around the idea that if something in one factor has been compromised, that entire factor has likely been, or can easily be, compromised. E.g., if someone stole the key to your deadbolt, having a second key for your doorknob isn’t much more secure, since the whole keychain was likely stolen.

In this vein, having to enter a password and answer a security question to log into a system doesn’t add a second factor: both are “something you know,” and both are lost the same way, to a phished or reused credential. Not that those questions are completely useless, but they should 1: be treated like a password (don’t use “real” answers that can be found online) and 2: not mislead anyone about the security they provide.

Implicit factors can also lead to a false sense of security. A mobile device is a possession factor, but a phone number is not: it can be ported, SIM-swapped, or intercepted without anyone touching your phone. NIST recommended against SMS 2FA back in 2016, and the EFF reiterated the vulnerabilities of the cell network a couple of months ago. Apple, confusingly but with the right intention, does not even categorize SMS codes as 2FA, but instead calls them “two-step verification.” They reserve the moniker “two-factor authentication” for their proprietary iCloud codes, which do not share the same vulnerabilities. Google Authenticator type apps are also a more secure alternative to SMS: the code is computed on the device from a secret shared once at enrollment, so nothing crosses the cell network.

A common retort is that SMS 2FA is better than no 2FA. That is true, but if better options exist, why choose the worst one? The gold standard in possession-factor authentication used to be RSA SecurID key fobs, but the FIDO Alliance has since championed industry standards (U2F and FIDO2/WebAuthn) that are implemented by inexpensive devices like a YubiKey. Because the key signs a challenge bound to the site’s origin, there is no code for a phishing page to capture and relay.

If you have any questions or concerns about the authentication being used to protect your business, reach out to us to set up a quick meeting or consultation. We offer a full array of cyber security services and products.