
When considering an authentication provider, many organizations weigh ease of configuration, ubiquity of use, and technical stability. Organizations cannot rely on these metrics alone: there is a growing need to assess corporate ownership, policies, and the stability or instability they bring.
The Impact of Leadership Change on Stability
A prominent example in recent months is Twitter. The Twitter platform has been around since 2006 and is used by millions of people worldwide. Organizations with large numbers of users and seemingly robust authentication systems used Twitter as their primary or secondary authentication service.
Inconsistent leadership and policy mean that platform stability can change. This is especially true of Twitter these days. The change of ownership to Elon Musk has caused widespread changes in staffing and policies. These changes resulted in the layoff of a large portion of staff, including many individuals responsible for the technical stability of the platform.
This caused Twitter’s SMS two-factor authentication to stop working. Many users were unable to log into Twitter because the text message was delayed or never arrived. This has affected systems that rely on Twitter as their primary or secondary authentication provider.
Beyond authentication issues, this change raises new concerns about user data safety and privacy. Twitter has been hit with an FTC consent order due to past issues with user data, and a sizeable portion of its compliance staff has been laid off. Even with a working authentication provider, your organization may be put in an uncomfortable position regarding the state of information stored on Twitter’s servers.
Strategies for authentication service stability
Using a platform’s established and robust authentication services saves organizations time and money compared with implementing their own. Eliminating third-party platforms is usually not feasible, or even recommended. Instead, proactive planning is essential if your organization needs to maintain stability and security in its authentication platform.
When considering how your organization’s authentication service handles the potential loss or disruption of an authentication provider, it is important to answer the following questions:
- Does your organization’s authentication service support multiple identity providers?
- If my provider is not available, is there a backup provider, and how quickly can I switch to it?
- What is the impact on users? Will switching log them out of their current session, or will it be seamless and take effect at their next login?
- What options are available when MFA is configured? Are there multiple ways to verify a user? Will removing one degrade the authentication service?
If your organization has chosen Twitter as a source of two-factor authentication, you may find that recent events indicate a necessary change. In that case, switching may be easier if multiple MFA platforms are already available and configured.
If organizations can choose their active authentication system based on their current needs, even the problems exhibited by major platforms such as Twitter would be mitigated, and their users would see little change.
Offering multiple MFA options
To understand how this works in practice, you can turn to Microsoft. In Azure, once you’ve configured MFA, you can offer several verification methods or limit the methods available. Instead of SMS, users can receive phone calls or use hardware tokens. If you enable all three, users won’t be locked out of their accounts when one particular service is unavailable.
Google Workspace, which can offer one or more authentication options, works much the same way. With several enabled, you don’t lose the ability to authenticate users if one service fails. Both Microsoft and Google could be more flexible: neither offers a wide range of options for integration with services like Twitter.
An example of a system that offers a myriad of options is Okta. Enabling social login allows users to log in with popular services such as Facebook and Twitter. However, we recommend backing up that social login with an MFA configuration that can include options such as SMS, an authenticator application, or a hardware device such as a YubiKey.
Mitigating authentication instability with Specops uReset
Organizations can be uncomfortable with changing authentication providers. If so, implementing a product like Specops uReset can take the problematic authentication platform dependency off the table, at least for password resets.
With the flexibility to choose from multiple weighted authentication providers, you can easily remove offending providers and still reset passwords for your users and service desk staff. Adjust the weighting to offset the loss of previously used providers and get your users back to work in no time!
With multiple providers in use, end users can leverage a combination of trusted identity services to perform self-service password reset without worrying about losing access to previously critical authentication services.
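The checklist questions above (backup providers, the effect of removing one MFA method) and the weighted-provider idea in this section can be made concrete with a small model. The following is an added illustration written for this page; it is not Specops, Microsoft, Google or Okta code, and the provider names, weights and the required threshold are constructed values. The `VerificationPolicy` class is a hypothetical model of a weighted multi-provider policy: each provider carries a weight, an unavailable provider contributes nothing, and a reset succeeds once the satisfied providers reach the required weight. The outage simulation shows why a single social-login dependency fails closed while a multi-provider policy degrades gracefully, and the `remove`/`reweight` methods mirror retiring an offending provider and shifting trust to the ones that remain.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable


@dataclass
class Provider:
    """One identity or verification service the reset flow can rely on."""
    name: str
    weight: int             # trust earned by a successful check from this provider
    available: bool = True  # health as observed by the authentication service


@dataclass
class VerificationPolicy:
    """Hypothetical weighted multi-provider policy (a model, not a vendor API).

    A reset succeeds when the summed weight of the providers a user has
    satisfied reaches required_weight. Unavailable providers contribute
    nothing, so one outage does not take the whole reset path down.
    """
    required_weight: int
    providers: Dict[str, Provider] = field(default_factory=dict)

    def add(self, provider: Provider) -> None:
        self.providers[provider.name] = provider

    def remove(self, name: str) -> None:
        """Retire an offending provider entirely (e.g. after a policy or ownership change)."""
        self.providers.pop(name, None)

    def set_available(self, name: str, available: bool) -> None:
        self.providers[name].available = available

    def reweight(self, name: str, weight: int) -> None:
        """Shift trust toward the providers that remain."""
        self.providers[name].weight = weight

    def available_weight(self) -> int:
        return sum(p.weight for p in self.providers.values() if p.available)

    def is_reachable(self) -> bool:
        """Can any user still reach the threshold with the providers that are up?"""
        return self.available_weight() >= self.required_weight

    def can_verify(self, satisfied: Iterable[str]) -> bool:
        """Has this user done enough? Unknown or down providers do not count."""
        earned = 0
        for name in set(satisfied):
            p = self.providers.get(name)
            if p is not None and p.available:
                earned += p.weight
        return earned >= self.required_weight


def build_policy() -> VerificationPolicy:
    """Constructed sample: threshold 5, four providers of differing trust."""
    policy = VerificationPolicy(required_weight=5)
    for name, weight in [("twitter", 2), ("sms", 2), ("authenticator", 3), ("hardware_key", 3)]:
        policy.add(Provider(name, weight))
    return policy


def single_provider_policy() -> VerificationPolicy:
    """The fragile design: one social login is the entire reset path."""
    policy = VerificationPolicy(required_weight=2)
    policy.add(Provider("twitter", 2))
    return policy


def simulate_outage(policy: VerificationPolicy, down: str) -> dict:
    """Mark one provider as down and report what still works afterwards."""
    policy.set_available(down, False)
    return {
        "reachable": policy.is_reachable(),
        "available_weight": policy.available_weight(),
        # A user who only completed the two weakest checks, one of them down.
        "user_with_twitter_and_sms": policy.can_verify(["twitter", "sms"]),
        # A user who also has an authenticator app enrolled.
        "user_with_sms_and_app": policy.can_verify(["sms", "authenticator"]),
    }


if __name__ == "__main__":
    print("multi-provider policy: ", simulate_outage(build_policy(), "twitter"))
    print("single-provider policy:", simulate_outage(single_provider_policy(), "twitter"))
```

Running the script shows the multi-provider policy still reachable after the Twitter outage (weight 8 of the required 5 remains available), while the single-provider policy is unreachable for every user. A user enrolled only in Twitter and SMS still cannot reset until they satisfy another method, which is the practical reason for the recommendation above to back social login with at least one independent MFA option. Retiring Twitter with `remove` and raising the hardware key's weight with `reweight` illustrates how an administrator offsets a lost provider without changing the threshold users are held to.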
Managing platform instability through planning
Platform changes are difficult to anticipate and respond to, but foresight and planning can help organizations prepare for any change. Building a flexible authentication service lets you plan around even the most capricious of leaders.
Using a product like Specops uReset ensures that users are not locked out when the authentication service goes down. Get back to work in no time with a variety of password reset options.