A leaner approach: Why we changed our two-factor authentication method and the challenges we faced along the way
IT Service Manager
Since the company’s foundation, PRISMA users have authenticated themselves on the platform via a third party provider – but that’s now changing. Instead, we’re moving to an in-house solution that promises more autonomy, both internally and for our end users. In this blog post, Mozhdeh Mousazadehkamdar, PRISMA’s IT Service Manager, discusses the challenges involved and how we’ve sought to overcome them.
One of our main focuses at PRISMA in recent times has been gaining greater independence by insourcing as many functions and processes as possible. Our cloud migration last May and our ongoing refactoring program have laid the groundwork for many of the changes we’ve made to our platform as we move to a leaner, domain-driven design model.
And this month we reached another milestone as the first phase of our new authentication service went live.
Changing the way our users log into the platform has always been an idea simmering away in the back of our minds. Our previous solution was never truly optimised for our specific needs and goals, and moving to one that creates unique user identifiers that are kept consistent across devices and platforms seemed to fit well with our aim of taking a leaner approach.
A service that benefits everyone
As we shopped around, we quickly became aware of the vast benefits that would come from adopting a service that integrates more easily with the rest of our platform – both in terms of the user experience and our day-to-day operations. Users would gain enhanced security, accessibility, automation and support, while a cloud-based solution would be far more easily maintained by our internal developers. In short, it was a win-win.
When it comes to security, stronger password criteria and progressive locking of user accounts after repeated failed login attempts add new layers of protection. Meanwhile the use of mobile tokens that can be stored in a central smartphone app greatly enhances ease of access for users representing multiple entities, who were previously required to carry several hardware token devices.
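The progressive lockout mentioned above is easy to describe and easy to get subtly wrong, so here is an added example of how such a throttle can be built. This is illustrative code written for this post, not PRISMA's authentication service; the thresholds (three free attempts, then a 30-second lock that doubles with every further failure up to an hour), the hypothetical `LoginThrottle` class and the constructed `alice` account are all assumptions. The password store uses PBKDF2 with a fixed salt purely so the example runs offline.

```python
"""Progressive account lockout for failed logins.

Added example, not PRISMA's code. Thresholds, names and the sample user are
assumptions chosen for illustration.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass


@dataclass
class _State:
    failures: int = 0          # consecutive failures since the last success
    locked_until: float = 0.0  # clock value until which logins are refused


class LoginThrottle:
    """Counts failed logins per account and locks for progressively longer."""

    def __init__(self, free_attempts=3, base_lock=30, max_lock=3600,
                 clock=time.monotonic):
        self.free_attempts = free_attempts
        self.base_lock = base_lock      # seconds for the first lock
        self.max_lock = max_lock        # cap so the delay never grows unbounded
        self.clock = clock              # injectable so tests can move time
        self._state = {}

    def lock_seconds(self, failures):
        """Lock length after the n-th consecutive failure.

        No lock within the free allowance; afterwards the lock doubles with
        every additional failure (30s, 60s, 120s, ...) up to max_lock.
        """
        extra = failures - self.free_attempts
        if extra <= 0:
            return 0
        return min(self.base_lock * (2 ** (extra - 1)), self.max_lock)

    def seconds_locked(self, user):
        """Remaining lock time for the account, 0 if it may attempt a login."""
        st = self._state.get(user)
        if st is None:
            return 0.0
        return max(0.0, st.locked_until - self.clock())

    def record_failure(self, user):
        """Register a failed attempt; the failure count survives lock expiry
        so that a slow, patient guesser still sees ever longer delays."""
        st = self._state.setdefault(user, _State())
        st.failures += 1
        lock = self.lock_seconds(st.failures)
        if lock:
            st.locked_until = self.clock() + lock
        return lock

    def record_success(self, user):
        """A correct login clears the counter entirely."""
        self._state.pop(user, None)


# Constructed credential store. A fixed salt and a modest iteration count are
# used only so the example is self-contained; real stores use a random salt
# per user and a slow, memory-hard hash.
_SALT = b"constructed-fixed-salt"


def _hash_password(password, salt=_SALT):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


CONSTRUCTED_USERS = {"alice": _hash_password("correct horse battery staple")}


def verify_password(user, password):
    """Constant-time comparison; hashing is done even for unknown users so the
    response time does not reveal whether an account exists."""
    stored = CONSTRUCTED_USERS.get(user)
    candidate = _hash_password(password)
    return stored is not None and hmac.compare_digest(stored, candidate)


def attempt_login(throttle, user, password, verify=verify_password):
    """Returns 'locked', 'ok' or 'denied'.

    The lock is checked before the password is verified, so a locked account
    never reveals whether the supplied password was correct.
    """
    if throttle.seconds_locked(user) > 0:
        return "locked"
    if verify(user, password):
        throttle.record_success(user)
        return "ok"
    throttle.record_failure(user)
    return "denied"
```

Two details carry the security value: the failure counter is not reset when a lock expires, so an attacker who waits out each lock still faces a doubling delay, and the lock is checked before the password, so a locked account behaves identically for right and wrong passwords.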
Then there’s increased automation. With the new system in place, the entire end-to-end process of mobile token assignment for new registrations becomes a self-service model. This not only gives new users more autonomy when registering on the platform, but also reduces the workload of PRISMA’s own customer support service, with AWS’s Business Support package taking up much of the slack.
But perhaps the most significant benefit of all is our ability to empower users by offering SMS as a fallback solution for authentication, ensuring they have access to the platform any time, anywhere. SMS codes are easier to intercept or redirect (for example through SIM swapping) than app-based or hardware tokens, which is why SMS is offered as a fallback rather than as the primary second factor. In an industry where lost time can have substantial financial implications, this represents a genuine game-changer for our users.
The main obstacles
Leaving aside such measurable upside, there was also the question of how we’d go about navigating such a dramatic shift - one that we knew would represent a landmark moment in the evolution of the company. Some of the obstacles in front of us were common to any project of this nature and complexity, but others were unique to our business. Here’s how we faced them head on:
1. All hands on deck
They may cause headaches, but hard deadlines are necessary in every organisation. Once we’d decided on an authentication solution and fully verified our proof of concept, the countdown was on to implement it. This is where our well-established agile methods really proved their worth, allowing us to bring together multiple personnel from across PRISMA to collaborate and drive the project forward, whether it be writing tickets, user testing, or any other task, large or small.
2. A phased migration
It’s been a particularly busy time at PRISMA, with multiple parallel development projects in progress, and with our team spread across these projects it has presented challenges around capacity. In response, when it came to planning the authentication project we devised an iterative approach, with the goal of implementing the minimum viable product (aka MVP) necessary for the first phase to go live. Crucial to this was our decision to split the migration process into voluntary and compulsory phases and run the old and new solutions at the same time. For phase one, users who volunteered for mobile tokens were invited to migrate to the new solution, and we used this phase to work on implementing the features necessary for phase two, when users with hardware tokens would make the migration. This served to maximise preparation time and ensured that we could reach our end-goal without compromising or cutting corners on any aspect of the project.
3. A customer-centric approach
Since a large number of our users depend on accessing our platform on a daily basis, we knew it was critical to keep disruption down to an absolute minimum. So early on we adopted a customer-centric approach that put our users at the front of our thinking. As well as allowing for a phased migration, we also strived to be as transparent as possible, explaining the scope of the changes and what they mean for individuals, and keeping users in the loop via multiple channels, whether newsletter updates, emails or other means of communication.
4. Tailored solutions
Far from being a homogeneous mass, PRISMA’s users have varying needs in terms of how they access and interact with our platform, and this has had implications for how we set up our new authentication process. The best example would be users who don’t have a business smartphone, or do have one but aren’t allowed to use it for accessing the PRISMA platform. For such users, we created a customised solution that involved giving them hardware tokens that generate a time-based one-time password (TOTP) that can then be used to log into the platform.
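Both the self-service token assignment described under "increased automation" and the TOTP hardware tokens just mentioned rest on the same standard (RFC 6238 TOTP over RFC 4226 HOTP), so one added example serves both: enrolling a secret and producing the otpauth URI a smartphone app or token would be provisioned from, then verifying submitted codes with a one-step clock tolerance and a replay guard. This is illustrative code written for this post, not PRISMA's service; the `TotpVerifier` class, the `ExampleCo` issuer and the test secret (the ASCII string from RFC 6238's test vectors) are assumptions.

```python
"""TOTP enrolment and verification (RFC 6238 / RFC 4226).

Added example, not PRISMA's code. Class and issuer names are assumptions.
"""
import base64
import hashlib
import hmac
import os
import struct
import urllib.parse


def generate_secret(nbytes=20):
    """Self-service enrolment step 1: a fresh random secret, base32 encoded
    as authenticator apps and token provisioning tools expect."""
    return base64.b32encode(os.urandom(nbytes)).decode()


def provisioning_uri(secret, account, issuer, digits=6, period=30):
    """Self-service enrolment step 2: the otpauth:// URI that is rendered as a
    QR code for a smartphone app (or fed to a hardware-token programmer)."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": secret, "issuer": issuer,
                                    "algorithm": "SHA1", "digits": digits,
                                    "period": period})
    return f"otpauth://totp/{label}?{query}"


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, period=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current 30-second step."""
    key = base64.b32decode(secret, casefold=True)
    return hotp(key, int(at_time) // period, digits)


class TotpVerifier:
    """Server-side check with clock tolerance and replay protection."""

    def __init__(self, window=1, period=30, digits=6):
        self.window = window    # accept +/- this many steps of clock drift
        self.period = period
        self.digits = digits
        self._last_step = {}    # account -> last step whose code was accepted

    def verify(self, account, secret, code, now):
        step = int(now) // self.period
        key = base64.b32decode(secret, casefold=True)
        accepted = None
        for delta in range(-self.window, self.window + 1):
            candidate = step + delta
            # compare_digest avoids a timing side channel on the code itself
            if hmac.compare_digest(hotp(key, candidate, self.digits), code):
                accepted = candidate
                break
        if accepted is None:
            return False
        # A code is single-use: refuse any step at or before the last accepted
        # one, so a code sniffed from a previous login cannot be replayed.
        if accepted <= self._last_step.get(account, -1):
            return False
        self._last_step[account] = accepted
        return True
```

The replay guard is what distinguishes a verifier from a mere code generator: without it, a code observed within its 30-second validity window (plus the drift window) could be submitted a second time, and the tolerance window would quietly extend that exposure.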
So that’s how we tackled the challenges of moving to a new authentication solution
I’m confident that once all of our users have made the migration, the solution we’ve developed will continue to run smoothly and self-sufficiently, giving users maximum peace of mind and helping PRISMA thrive as a leaner, more scalable, and more efficient business operation.