My last post was dedicated to the future of authentication. We discussed passwords, two-factor authentication and newer password-less authentication protocols.
Authentication is an important subject because, as of today, it is often a significant cost center for enterprises and MSPs.
A recent survey conducted by Yubico suggests that employees spend around 11 hours per year resetting passwords. Based on the average headcount in that research of almost 15,000, Yubico estimates the productivity and labour cost of password resets at roughly £4 million per company per year.
On the MSP side, that activity shows up almost one-to-one on your help desk. As an MSP, you are probably spending time on access provisioning and password resets, which eats into your productivity bandwidth and your margins.
To make matters worse, passwords are not only a cost center for MSPs; they are also a security weakness. Attackers have become extremely proficient at exploiting human nature to get users to hand over their passwords in phishing campaigns.
Data breaches that result from these phishing efforts often have to be mitigated by the MSP, which is another drain on productivity and money, because the procedures involved are generally not streamlined and require lengthy discovery and guesswork. A global access reset on top of that involves every employee in the client's company, which drains your resources once again.
The solution may seem complex on different levels when in fact it should be obvious and can be summed up in four words: “Password Management and 2FA”.
In concept it is as simple as that: onboard your team and your clients onto a password manager and enforce 2FA on all external-facing (public or private cloud) services.
Even half measures help in this specific case: a password manager without 2FA removes weak and reused passwords, and 2FA without a password manager limits what a stolen password is worth, so each protects you from a different class of attack.
At this point in the article, I assume that most of you sigh and think: “Yeah, ok. Go convince our clients yourself.”
I’m very familiar with this reaction. What your customers do not realize, however, is that when it comes to authentication and passwords, your interests and theirs are fully aligned:
- You both lose money when someone forgets a password and needs a reset
- You both lose money when your customer gets hacked and you have to spend an indeterminate amount of time mitigating the breach
The fact of the matter is that MSPs know this and clients don't, so it is a decision-making challenge.
Here's a decision tree that represents the thought process that you can walk your customers through to help them see the value of password management.
As soon as your customer understands what a password manager is, how it saves them money and how it keeps everyone secure, you are good to go.
In terms of approach, what works best in my experience is this: go straight to a decision-maker, walk them through the decision tree, and then kick off a password manager proof of concept on a small scale (one department, say). Reassess two weeks later; experience shows they will want more people on board.
In terms of what to expect after onboarding customers, these are the results we’ve seen:
- Password reset tickets drop to almost zero
- The organization is better protected because employees start to use strong and unique passwords across their accounts, safeguarding the company's online privacy and security
It’s a win-win for both you and your customers. Adapting to the changing cyber-security landscape means being ready for more sophisticated attacks, and the place to start is protecting all the gates. Today, passwords are the keys to those gates, and safeguarding them is essential for any enterprise that expects you, the MSP, to keep it safe from attacks.
Now for 2FA.
From a security perspective, 2FA protects your customers from account takeover even when their passwords are weak or reused. What 2FA does not do is address the first point we discussed, employees forgetting passwords. In other words, 2FA will not reduce your password reset help-desk activity; it may even increase it, since it adds a step for the user and a lost or replaced phone becomes its own reset ticket. The added protection, however, is far greater than what passwords alone provide, and if you implement 2FA properly you can keep customer satisfaction high and help-desk activity relatively low. One caveat a practitioner should keep in mind: a one-time code typed into a web page can still be relayed by a real-time phishing proxy, so code-based 2FA raises the bar considerably, but only origin-bound hardware factors (FIDO/U2F security keys) are actually phishing-resistant.
In order to successfully implement 2FA, your challenges are threefold: 1) Your customer needs to see the value in it. 2) You need to determine how you’re going to implement it, because some services and internal systems do not support it by default. 3) You need to educate users about it.
It’s definitely a bigger challenge for both yourself and your customer and this is why, in my opinion, you should start by addressing the password problem before focusing on 2FA. This, of course, doesn’t apply if your customer deals with extremely sensitive data and is currently unprotected. In that specific case, you should drive them to set up password management and 2FA at the same time. Generally, we have noticed that companies that handle critical data understand the value of stronger security and are bound to it by different types of compliance requirements.
To show your customer value, your strategy could be to walk them through a tree that is similar to the one illustrated above.
To determine how to implement it, I suggest the following approach:
1- Pick an authenticator. It can be an app separate from your password manager, or the same one if your password manager also acts as an authenticator. Be careful, though: some password managers that store your data in the cloud have added authenticator functionality. Having 2FA is better than not having it, but keeping the password and the TOTP seed that generates the second factor in the same cloud vault puts all your eggs in one basket and defeats the purpose of 2FA, because a single compromise of that vault yields both factors. For this reason, either look for a pure authenticator app or for a password manager that stores its data offline and also acts as an authenticator.
2- Find quick-win services that you can implement 2FA on. Go for public cloud solutions such as Office 365, Dropbox, Salesforce, Google Cloud etc. We advise our customers to focus on the social media accounts of the company first, because these accounts are usually shared amongst marketing people and your client can relate to these getting hacked and can imagine the impact that this would have on their business.
3- Educate end-users, starting with the most tech-savvy people (go for the marketing department if you decided to start with social media accounts). Get the tech-savvy people on board and ensure proper adoption. Once you do that, they will act as your internal evangelists when you deploy to a larger audience and will reduce the effort of onboarding the rest of the team. You can also ask your 2FA provider to supply onboarding and training material.
To summarize the 2FA section: I believe it is essential to have everyone in an enterprise use 2FA, even though it requires more work from your end. The security benefits of having 2FA set up across the board far outweigh the work you put in.
Password-less authentication protocols are around the corner, but as an MSP you are not in the business of testing nascent tech on your customers. This is why I believe that MSPs moving their users to password-less authentication will be driven either by big market demand stemming from a successful rollout of the tech at the consumer level, or by an extremely simplified process supplied by the service providers (e.g. Google allowing users to log in to any service with just the Chrome browser installed on the device and a few configuration steps on the admin's side).
My opinion on the matter is somewhat mixed. On one hand, I would like to get everyone excited and ready for password-less authentication protocols, but on the other hand, I try to put myself in the position of a decision-maker driven by business rationale. The right answer when it comes to authentication, in my opinion, is to read up on the subject and assimilate what is out there, so that when we start seeing wider adoption, you understand the space well enough to take action.
But don’t forget that password-less or device-driven authentication comes with its own set of challenges and limitations. Users authenticate easily in the ideal scenario, but access reset and access sharing still have many implementation question marks to clarify, and help-desk procedures still need to be developed.
In terms of preparing your customers for the changes, there really is no need for them to think about password-less authentication today. Instructing them about password management and 2FA is already a very big step in the right direction as the mechanics of authentication will be very similar when password-less authentication goes mainstream (user receives a login notification, approves the request and is logged in).
At the end of the day, I assume that all MSPs reading this want to grow their business, and there's no better way to do that than by positioning yourself as a thought leader in a specific subject in IT. Cyber-security, and specifically authentication and access management, is a great starting ground as it is often overlooked. But don't take my word for it, try it out for yourself.
About the Author: Antoine is the Co-Founder & CEO of Myki where he's working on building the tools to help users regain control of their digital identity. The Myki Password Manager & Authenticator for Consumers, Enterprises and MSPs was named one of the best password managers of 2018 by PCMag and Apple. Follow Antoine Vincent Jebara on Twitter or LinkedIn