As Joan mentioned, we use SaaS products a lot here at Sumo Logic. On an average day, I log into sites on the internet tens or even hundreds of times, supplying a username and password each time. The proliferation of usernames and passwords creates three issues:
- Password hygiene. In this day and age, it is reckless to reuse passwords across sites. At the same time, it is impossible to remember arbitrarily many unique passwords.
- Strength. With rainbow tables and the tumbling cost of compute power, passwords need to be increasingly long and complex.
- Efficiency. I shouldn’t have to spend half my day logging into sites.
What we need are tools that:
- Encourage you to use different passwords everywhere.
- Are secure, ideally using two factors of authentication.
- Require the least number of keystrokes or mouse actions to get past login screens.
Here are a few tools we use and like.
1Password is the password manager most of us use. It stands out from many other password managers in several ways:
- It is a native Mac application and has excellent integration. There is a version for Windows.
- Support for iOS and Android.
- Well-implemented sync via Dropbox, including for iOS.
- Plugins for the 3 major browsers (Safari, Chrome, Firefox).
- Keyboard compatible.
One of the major benefits of 1Password is that it’s designed to stay out of your way. To log into a site:
- Without 1Password, I enter the URL in the address bar, navigate to the login form. Then, I enter my login, then my password. A lot of typing.
- With 1Password, I enter 1pinto the address bar, start typing the site’s name to select from the list and hit enter. Then, I watch 1Password log me into the site.
Properly used, 1Password can be regarded as a one and a half factor authentication solution. There’s a great discussion on Agile Bits blog. We’ll share some power user tips on 1Password in the near future.
IronKeys are cool toys. They’re USB sticks with “spook-grade” crypto and self-destruction capabilities. We issue every developer an IronKey for the storage of all key files, such as ssh private keys and AWS credential files. Aside from being geek-chic, the IronKeys offer two benefits:
- The key files are only exposed while the IronKey is plugged in and mounted. Not when people are at Starbucks browsing the web.
- If an IronKey is ever lost, we can remote-detonate them. The minute they get plugged into a USB port, the software on the IronKey phones home and gets a self destruct signal. This requires an internet connection, but we’ve configured IronKeys to not unlock without one.
OATH (Google Apps and AWS)
Google’s Two-Step Verification and Amazon Web Service’s MFA both use the OATH open architecture, not to be confused with OAuth. OATH is a software replacement for traditional hardware-based two-factor authentication tokens.
Google offers open sourced client applications for iOS and Android that serve as the second factor of authentication. This reduces clutter, since you don’t need to carry any hardware tokens. Having the phone be your token also makes it more likely that you have your token with you most of the time.
Google has also taken several steps to remove friction:
- To set up your phone, you simply scan a QR code form the screen.
- After the first two factor authentication with your phone, you can check a box “Remember me for 30 days”. The browser cookie then serves as your second factor of authentication.
AWS initially only supported classical hardware MFA tokens. To make matters worse, one MFA token couldn’t be shared across multiple AWS accounts. More recently, they’ve also added support for OATH. In fact, the same Google Authenticator apps work for AWS, as well.
Traditional two-factor authentication approaches based on hardware tokens are painful to use. OATH, 1Password and IronKeys strengthen security without adding too much pain to people’s lives.