Beefing Up Our Identity and Access Management System (IAM) with One-Time Passwords (OTP)

December 3, 2019

Very Good Security (VGS) is continuously looking for ways to improve security and minimize risk for our users, including when it comes to identity management.

According to PCI Security Standards: to prevent misuse, the integrity of the authentication mechanisms and confidentiality of the authentication data need to be protected. The controls defined in PCI DSS Requirement 8 provide assurance that authentication data is protected from unauthorized access and use.

We are upgrading our Identity and Access Management (IAM) system and moving to a new Multi-Factor Authentication (MFA) provider, as part of our ongoing effort to consistently offer the safest access control tools and the latest identity management approaches to our users.

The changes will allow us to support WebAuthn in the future, so you can authenticate your login easily and securely with a single tap. The new authentication flow will let you choose which authentication method you prefer for login, for instance an OTP credential or a WebAuthn credential. The new mechanisms will also allow us to build password-less login flows, for example using WebAuthn as the only authentication method. As a result, users will be able to register multiple OTP devices and multiple WebAuthn devices, and the same system that lets a user choose which type of device to use during login will also let that user choose which specific device to use.

MFA adds a second factor to the login process in order to prevent unauthorized access: something you know (your password, the first factor) and something you have (a device that generates a one-time password, the second factor). One-time passwords (OTP) are a widely used industry standard for MFA, specified in RFC 4226 (HOTP, counter-based) and RFC 6238 (TOTP, time-based). Such codes are valid only for a short window (typically 30 seconds), and because they are generated on your device from a shared secret rather than delivered over the phone network, they avoid the SIM-swap and interception risks of SMS-delivered codes.


It’s quick and easy to set up the new OTP feature, and VGS makes sure that transitioning from the existing MFA solutions to OTP will be fast and painless for all our users.

The migration process for our users will look as follows:

  • Setting up a one-time password (OTP) upon logging in to the Dashboard
  • Setting up a new password to log in to the Dashboard

Each of these changes will be confirmed by email, by a notification on the Dashboard, and by a message in the customer's designated channel.


Once your credentials (username and password) have been validated, you will be prompted for the second factor: your one-time password (OTP). The OTP is only checked after the password succeeds, and the password alone never grants access.
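To make the two-step flow above concrete, here is an added example of how a TOTP second factor is generated and checked. It is illustrative code written for this post, not VGS's own implementation: it implements RFC 4226 HOTP and RFC 6238 TOTP directly (HMAC-SHA1, 6 digits, 30-second step), verifies a submitted code against a small window of neighbouring time steps to tolerate clock skew, records the last accepted step so the same code cannot be replayed, and only consults the OTP after the password has been validated. The user record, the PBKDF2 password hashing, and the salt are constructed for the example; the shared secret is the public RFC 6238 test secret, so the codes it produces match the RFC's published test vectors.

```python
"""Added example (not VGS code): HOTP/TOTP generation, windowed verification
with replay protection, and a password-then-OTP login check."""
import hashlib
import hmac
import struct
import time

# The RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
# A real deployment generates a random per-user secret; this one is public.
RFC_TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time divided by the step."""
    now = time.time() if at is None else at
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret: bytes, code: str, at, step: int = STEP_SECONDS,
                window: int = 1, last_counter=None):
    """Return the accepted time-step counter, or None if the code is rejected.

    Accepts the current step and up to `window` steps on either side (clock skew),
    but never a step at or below `last_counter`, so an accepted code cannot be replayed.
    """
    if not (code.isdigit() and len(code) == DIGITS):
        return None
    current = int(at) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_counter is not None and counter <= last_counter:
            continue
        # Constant-time comparison so a timing side channel cannot leak digits.
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


# ---- Constructed user store (assumption: PBKDF2-HMAC-SHA256 for passwords) ----
PBKDF2_ROUNDS = 200_000
PASSWORD = "correct horse battery staple"  # constructed sample password


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user() -> dict:
    """A fresh, constructed user record for the example."""
    salt = b"constructed-salt"
    return {
        "username": "alice",
        "salt": salt,
        "password_hash": hash_password(PASSWORD, salt),
        "totp_secret": RFC_TEST_SECRET,
        "last_counter": None,  # last accepted TOTP step, for replay protection
    }


def authenticate(user: dict, password: str, code: str, at) -> str:
    """First factor: password. Only if it succeeds, second factor: TOTP."""
    candidate = hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["password_hash"]):
        return "password_rejected"
    counter = verify_totp(user["totp_secret"], code, at, last_counter=user["last_counter"])
    if counter is None:
        return "otp_rejected"
    user["last_counter"] = counter  # burn this step so the same code cannot be reused
    return "authenticated"


if __name__ == "__main__":
    user = make_user()
    now = time.time()
    print("current code:", totp(user["totp_secret"], now))
    print(authenticate(user, PASSWORD, totp(user["totp_secret"], now), now))
    print(authenticate(user, PASSWORD, totp(user["totp_secret"], now), now))  # replay rejected
```

Two design points worth noting: the window is deliberately small (one step either side), because every extra step an attacker is allowed to guess against multiplies the acceptance rate of a random 6-digit code; and the "last accepted counter" must be persisted with the user record, since a code that was valid once remains valid for the rest of its 30-second window unless the server remembers that it has been used.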


Ulyana Falach, Product Lead
