Archive for the ‘Password Management’ Category

Solve the Four Biggest Remote Work Login Problems

  May 15th, 2020

Remote work has achieved a new peak so far in 2020. Some 62% of employed Americans said they have worked from home during the COVID-19 crisis. This large-scale experiment will have a lasting impact, as 74% of CFOs surveyed by Gartner expect at least some of the workers pushed remote by the virus will continue to work from home even after offices reopen. 

Not surprisingly, the sudden transition to remote work hasn’t been all smooth. Companies are still dealing with a number of issues, from security to maintaining productivity. Others (us included!) are facing new challenges such as setting up employees on operating systems outside the company norm. Access to the applications and data employees need to do their work can be particularly fraught. Here’s how to get a handle on four of the most common login issues companies are experiencing right now.

1. Secure logins from attackers

Many companies have adopted or expanded use of SaaS applications, or are using virtual desktop infrastructure (VDI) to get everyone working from home, but these options often have public-facing login pages that could put your organization at risk. Broader access means more risk and more opportunity for external attackers, who may try to guess passwords or obtain them through social engineering.

There are a few ways to ensure your credentials remain secure despite public login pages:

  • Externalize login screens. Rather than having a public-facing login page for every SaaS application, you can consolidate them on a single platform so users have one login page for a single sign-on that’s more secure.
  • Add multi-factor authentication (MFA). This should be standard practice, but many organizations and users still haven’t adopted it. Only 57% of organizations were using MFA at the end of 2019, and while that’s up 12% over 2018, it’s still low. Implement an MFA technology, preferably via a smartphone app, to add an extra layer of protection. 
  • Don’t ask for passwords first. The same goes for PINs and answers to security questions. These factors can be easy to guess. Require employees to use a hardware token, enter a PIN sent to their phone, or use a smartphone app to confirm they’re authorized before you ask for a password.
  • Consider using CAPTCHAs. By making this the first step in authentication, you can ensure it’s a human attempting to sign in, not a bot programmed to attack the page.  

2. Enable remote password assistance

There are several issues that companies can run into specifically around passwords. If you haven’t experienced them already, look for:

  • Expiring or expired passwords. Off-site users may not receive notification that their passwords are expiring if they’re not using a VPN. The passwords will still expire even if the user doesn’t know it’s happening. Consider other ways to notify users of expiring passwords and give them the opportunity to update their credentials remotely. Another option is to temporarily delay the expiration until the office reopens. 
  • Forgotten passwords. This is usually an easy problem to solve when a user can visit a help desk and their computer is connected to the corporate network. But with employees remote, forgotten passwords can become a bigger issue and even leave users with inoperable devices. Make sure you have some kind of remote mechanism to reset forgotten passwords. 

3. Tighten access after layoffs and furloughs

If you’re one of the many organizations that have had to furlough or lay off workers in the uncertain economic climate, you’ll have to close off their access either temporarily or permanently. There are a couple of ways to do this. You can create a request and approval workflow that has you deactivate login IDs and set a status for each user. For permanent layoffs, you’ll need to take additional steps to move and archive that user’s content.

The other option is to automate the process based on certain data and criteria, which can be set up in an identity and access management tool. When furloughed workers return, it’s just a matter of reversing the process to get them back up and running.  

4. Follow best practices for vendor access

Just like you, your vendors are probably working from home. When you need IT work done, you’ll need to grant them remote access.  

Make sure you’re following best practices for granting elevated access to third-party users: 

  • Designate a point person. One trusted user from every vendor should be in charge. Appoint that person to manage the short list of users from their company who need access to your systems. 
  • Keep vendors off your VPN. Don’t allow your vendors to connect their devices to your VPN. Use another method so you can keep the vendor’s device outside the network perimeter and reduce your attack surface. For example, use a proxy server for vendor devices to safely communicate with your servers without directly connecting to your network.
  • Double check they’re still employed. Any time a vendor logs in, double check they still work for that company. One way to do this is sending a PIN to their work email that they must enter to log in. If they no longer work for that vendor, they won’t have access. 

Secure access while working from home

Many organizations have quickly adapted to working from home, but there are a number of challenges you’re likely facing right now. With your users scattered, it’s even more important to consider security, who has access to what, and how to quickly resolve problems like forgotten passwords to keep employees productive no matter where they’re working. With increased distance and risk, now is the time to get serious about bolstering security as your workforce transitions to a new normal.

Three password issues that could complicate your post-COVID-19 return to the workplace

  May 8th, 2020

The return to the office is coming. Some companies will bring workers back sooner, others later. Some will stagger the returns, others will open their doors to everyone at once. Some will have a smooth transition, others will find it just as disruptive as the sudden switch to remote working. 

There are plenty of variables to plan for, from checking up on devices that haven’t been used in months to maintaining security during the transition. As you put together a return strategy, don’t forget to plan for password snafus that could leave employees sitting around on their first day while the support desk scrambles. 

Three password issues in particular are likely to arise, and formulating a plan now will ensure everyone has access to the systems and applications they need once they’re back at their desks. Make sure you’re planning for all of the following.

1. Changing forgotten or expired passwords. 

After months of working from home, getting back into the swing of things will be tough, especially for employees that haven’t used certain systems or applications remotely. Furloughed employees face an even steeper climb. 

No matter the circumstances, you’ll likely have users who have either forgotten their passwords or had their passwords expire during the crisis. 

To avoid overwhelming your IT support team on the first day back, it pays to plan ahead. Do the following: 

  • Estimate how many users will need help. Based on who hasn’t signed in for an extended period and who had been furloughed, you can get a sense of how many people will need help logging in on their first day back. 
  • Scale your password reset strategy. For example, you could provide users a one-time-only link with an embedded random PIN. When they click, they sign into the password reset system and select a new password. That way they can reset their password without having to guess at security questions they may have forgotten the answers to. 
  • Communicate the plan. Connect with the users you expect will need help, explain the situation and process, and advise on how they should change forgotten or expired passwords. 
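
An added example, not from the original post or any product it describes: one way to build the one-time reset link from “Scale your password reset strategy”, treating the post’s random PIN as a 256-bit token that is stored only as a hash, expires, and works once. The class and function names, the URL, and the 24-hour lifetime are assumptions; the same issue-and-redeem pattern fits the emailed PIN for vendor logins in the earlier post.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

def token_digest(token):
    # Only the hash is stored, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()

class ResetLinks:
    """In-memory stand-in for the reset system's pending-link table."""

    def __init__(self, base_url="https://reset.example.com/start",
                 ttl_seconds=24 * 3600, clock=time.time):
        # base_url and the 24-hour lifetime are assumptions, not from the post.
        self.base_url, self.ttl, self.clock = base_url, ttl_seconds, clock
        self.pending = {}  # sha256(token) -> (user_id, expiry timestamp)

    def issue(self, user_id):
        """Return a fresh link for user_id and cancel any earlier one."""
        self.pending = {d: v for d, v in self.pending.items() if v[0] != user_id}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.pending[token_digest(token)] = (user_id, self.clock() + self.ttl)
        return f"{self.base_url}?t={token}"

    def redeem(self, token):
        """Return the user_id the first time a valid token is presented, else None."""
        # pop() removes the entry, so the link works once; an unknown token
        # matches nothing and cannot cancel another user's pending link.
        entry = self.pending.pop(token_digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        return user_id if self.clock() <= expires_at else None

def token_from_link(link):
    """Extract the token parameter the reset page would receive."""
    values = parse_qs(urlparse(link).query).get("t", [])
    return values[0] if len(values) == 1 else ""

if __name__ == "__main__":
    links = ResetLinks()
    link = links.issue("jdoe")  # constructed user ID
    print(link)
    print(links.redeem(token_from_link(link)))  # first click
    print(links.redeem(token_from_link(link)))  # replayed click
```

Because the token is long and random, the reset page does not need security questions as a second check, which is the point the post makes about forgotten answers.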

2. Reactivating access for furloughed employees.

Millions of Americans have been laid off or furloughed since mid-March. If your company has a high number of furloughed employees, you’ll need a strategy for how to reactivate their access. Plan for one of these scenarios: 

  • Everyone returns on the same day. Like handling forgotten passwords, this can easily become overwhelming. Look to automation. By automating the reactivation process using a list of identities, you can get everyone up and running a lot faster and more smoothly. 
  • Employees return gradually. If only a handful of users need to get back online on any given day or week, it’s better to handle the cases one by one. Create a request and approval workflow that everyone can follow as they return. 

In either case, look to an IAM solution to more easily toggle users back into action when they return to work. 

3. Review who has access to what. 

A lot has changed since March, and everyone will be returning to work in a new world. Some people might have new or different roles and responsibilities. It’s time to review everyone’s access rights. 

I know, that’s a huge undertaking. Which is why this is one project where you should bring in managers to divide and conquer. 

Invite managers to review the data for each of their employees to approve their access levels based on their current job responsibilities. By turning to the people most aware of each user’s role, you can enlist them to make short work of this review process. 

Again, an IAM tool will help you efficiently review and update who has access to what and whether that access is still valid.

Returning to the workplace doesn’t have to be disruptive

The workplace we’ll return to will not be the workplace we left, at least for a while. There are plenty of logistical and IT challenges you’re probably planning for to ensure the return is smooth and keeps everyone productive. 

By including these three potential password issues in your plan, you can ensure everyone is off and running, with access to everything they need, as soon as they’re back at their desks.