Finance, Security and Dual Authentication Part 2: The solution
Jamie Allen
As a follow-up to my previous article on security and dual authentication, I promised to share some of the ways in which we help accountants and businesses navigate their way through the issues of providing secure cloud systems to their clients so they can collaborate more easily. In short, many system providers are moving towards obligatory requirements to set up dual authentication apps to access their systems. It is a sensible and necessary move to ensure hackers cannot guess passwords and access your data.
Looking ahead, though, businesses will have many systems and API integrations to implement dual authentication for, and having dozens of codes and passwords is likely to cause a headache, so we believe businesses and accountants need to be aware of this change early on.
For those of you familiar with our service, you will be aware we have a single sign-on (SSO) portal which our clients use to access the systems we integrate for them. This means we have 1 strict requirement: you must have 1 memorable, strong password to access our portal and, consequently, the other system credentials we store in it. There are also enforced restrictions on this password: it must include capitals, lower case, numbers, and special characters. We also do not allow your computer to remember this password (no keychains allowed). It must be typed.
Once you are logged in, you will be presented with your own personal dashboard of the apps that you use. We have links into hundreds of cloud-based systems and can add more on request. All you need to do to access a system is enter the username and password within a “widget” or tile once, and the system will remember and encrypt these credentials (see below).
If we can set credentials and manage this for you, we will create a password of the maximum complexity possible in these systems and then delete the password, as it is no longer needed once entered in the SSO. If we cannot set it for you, we would ask you to do the same. You can google a strong password creator and set your parameters; we encourage a minimum of 13 characters with variations (lower/upper case, numbers, special characters).
Now you might say, “OK, that is all well and good, but if all the systems set up authenticators, I still need all the codes on my phone. So, it doesn’t really help.” That could be true, but we also have a link to these authenticators. This means that, on setup and provided the provider lets us, we can collect the authenticator codes in the portal and store them on the widget as below.
All you have to do is click the code I have highlighted in yellow above (badly [sorry]); this will copy the code. You can then click on the widget, the password and username are entered automatically, and then you just paste the code into the next box and press enter. You’re in! No phone required and it’s really easy.
There are also a huge number of other security settings you can maintain in our portal around creating user groups and levels of access, all designed to make the user experience easy and keep out the hackers. You also have complete control over what systems users can see and can also create multiple “Sign Ons” to 1 system.
We would really encourage all businesses and accountants to think about this area after Xero’s recent announcement. Please don’t ignore this issue. As your app stacks increase in size along with user numbers and costs, we can really help. Keychains and systems like LastPass only go so far and can even be a security risk if not used properly. If you want to know more about our security solutions, please do not hesitate to contact us here or at www.4pointzero.co.uk.