Evolving Past the Password: The Multi-factor Security Strategy

June 28, 2018 Glenn Weinstein

Enterprise systems like Workday contain tons of private information. Are you protecting that information as well as you could be?

Yes, you should train your users to create secure passwords. But as the saying goes, that's necessary but not sufficient. (And good password policies have changed a lot in the past five years — are your policies up-to-date?)

But even if users set strong passwords, we still need to worry about compromised passwords. Think your employees use the same password for your corporate network and some random third-party systems? What if one of those third-party systems gets hacked? Even more likely, your employees could fall victim to phishing —where they're tricked into providing their password over the phone or on a fake website.

Two-factor identification

IT veterans will note that traditional corporate networks are often protected by more than just passwords. A common additional enterprise security layer is to require a hardware key fob — like an RSA SecurID, which produces a unique six-digit code every 30 seconds, in order to access the corporate network. This second requirement — to ask users to prove not only "something they know" (their password), but also "something they have" (their key fob) — is also known as "two factor authentication" (or 2FA). And it's more secure than passwords alone. Even if an employee's password is somehow compromised, it can't be used to access the corporate network, since the hacker won't have the key fob.

Bringing modernization to security

So far, so good. Corporate IT has been using key fobs to protect their networks since the 1990s.  But a few things have changed since then. 

  1. Cloud-based systems like Workday may not be protected behind the corporate network.
  2. Forcing users to carry a physical key fob seems antiquated.
  3. Everyone carries a mobile phone, everywhere, all the time.

First, the corporate network served as a de facto "single sign on" (SSO) system for many organizations.  Once you're on the network, you could access lots of different applications. But nowadays, we're all dealing with tens or hundreds of different applications, hosted in various places, all with their own passwords. This has led to the rise of a new type of software vendor, called Identity and Access Management (IAM), to provide secure SSO across all sorts of different apps — both behind the firewall and in the cloud. This is great. Now we just have to remember one password, for the IAM system.

IAM vendors soon realized their systems could be used to beef up security, by providing 2FA, like the old corporate networks did. And 2FA can be a lot easier now, because that mobile phone in your pocket can replace the functionality of the old key fobs. Just install an "authenticator" app that produces six-digit codes every 30 seconds, and you're in business.

2FA has caught on big-time in the consumer world. Most banks and financial services firms, apps like PayPal and Facebook, and even email providers like Gmail now offer native 2FA. The "second factor" is a code that's sent to your phone via SMS text message — or it's generated by an authenticator app on your phone (or built into the app itself, like Facebook does).

But 2FA is only slowly showing up in the enterprise world.  Which is crazy, because enterprise systems are exposed to many employees, and contain valuable data.

Vendors, like Workday, are doing their best to protect us. They monitor IP addresses for suspicious logins. (Measures like this are a huge advantage of using a true public cloud-based system like Workday.) They offer native 2FA, and have robust integrations for most of the big IAM vendors.

Here's the bottom line. Your corporate IT should be:

  • Providing a consumer-grade worker experience, using SSO, for accessing cloud apps like Workday.
  • Securing corporate data using 2FA (or even MFA — multi-factor authentication!).

At Appirio, we've been using Workday as our core HCM and Financials platform since 2009, and we've used Okta for SSO and 2FA since 2013.  To learn more about how Appirio can strengthen your security strategy using Workday, visit our Workday solutions page. And check out the Appirio Hub to learn more benefits of the Workday platform. What are you using?

Previous Article
Retail Banking Discovers the Power of Salesforce’s Financial Services Cloud
Retail Banking Discovers the Power of Salesforce’s Financial Services Cloud

Many recognized banks have started implementing Salesforce's Financial Services Cloud. Find out how it can ...

Next Article
Joining the AI Revolution
Joining the AI Revolution