
Making Sure You’re You

 2 years ago
source link: https://oz-code.com/blog/production-debugging/making-sure-youre-you


Ozcode Live Debugger - Authentication
Ozcode Live Debugger now offers best-of-breed authentication with MFA, SSO, and SAML.

We’ve been hacked!

Those are probably the three words that any CEO, CTO, CSO, CISO, or “VP whatever” dreads more than any other. But it’s bigger than that. While those with Cs and Vs in their titles will be the ones answering tough questions very soon, those three words will often mobilize the whole organization. Nobody is going to get much sleep until the breach is contained.

With the average cost of a data breach reaching $4.24 million, it’s no surprise that global cybersecurity spending is skyrocketing and is forecast to reach $345 billion by 2026. Still, for all the safeguards that well-meaning companies put in place, data breaches are in the end a “people problem,” with 95% of cybersecurity breaches attributed to human error.

Passwords suck!

By far the most common “secret key” for accessing an account on any web service is still a password, and in most cases it is the only key required. Passwords are weak for many reasons. Most can be cracked within 13 seconds, and “123456” was the most common password found in data breaches in 2020. Even if you are vigilant and always use a strong, unique password (easy enough with a password manager such as LastPass or 1Password), attackers have many ways to steal your credentials, from social engineering such as phishing to malware such as password dumpers. It is exactly for this reason that we have raised our security posture at Ozcode and substantially upgraded authentication in Ozcode Live Debugger.

Beyond passwords

Ozcode Live Debugger now offers best-of-breed authentication, providing different ways to authenticate users in your organization. We have upgraded all our servers to provide enterprise-grade security for your valuable data, and if you haven’t noticed it already, you’ll see the new login screen next time you sign in to your Ozcode account.

Ozcode Login

Let’s learn about the different ways you can now be authenticated and access your Ozcode Live Debugger account.

MFA-Multi-Factor Authentication

Password authentication relies on a secret you are supposed to keep to yourself, the “something you know” factor. Since, as we have seen, we are not very good at keeping secrets, modern systems ask for an additional factor based on something you physically possess. Some of us have used hardware keys such as YubiKeys to log in to secure systems, but these are mostly deployed by enterprises rather than the general public. Everyone, however, has a phone today.

SMS is the most common form of MFA in use today. Most of us have already received OTPs (one-time passwords) by text message when accessing a credit card statement or some other sensitive site from a new device. But SMS is not a secure channel: messages are not end-to-end encrypted, may traverse several carrier networks, and both the telephony infrastructure and the SIM itself can be attacked, as SIM-swapping fraud shows. A more secure form of MFA is an authenticator application such as Google Authenticator or Microsoft Authenticator, which generates time-based one-time passwords (TOTP, RFC 6238) on the device itself, so the code never travels over the phone network. This is what Ozcode offers today.


Any user can (and should) enable MFA for their account; it is optional by default. As an administrator, you can enforce MFA for the whole organization, and I highly recommend you do so to make sure nobody gets unauthorized access to your source code and data.

Ozcode Live Debugger - MFA Policy

SSO - once you’re in, you’re in

While MFA provides a high level of security, it still requires each user to have a separate password for Ozcode. In an enterprise setting, users log in to many different applications, and ensuring every employee safely manages all those passwords with a password manager becomes impractical. That’s why many enterprises enforce SSO, Single Sign-On. Ozcode now supports SSO with any authentication provider, including Azure Active Directory, Google, and others. Once an Ozcode administrator connects the organization’s Live Debugger account to the identity provider, users sign in to Ozcode with their existing session at that provider: anyone already authenticated to another application behind the same SSO provider is logged in without a separate Ozcode password.

Ozcode Live Debugger - SSO

Ozcode also supports SSO backed by an on-premises Active Directory. Select SAML as your IdP when configuring SSO; on-premises AD is exposed to web applications through a SAML 2.0 identity provider rather than directly.

Additional security measures

While MFA and SSO are the most significant updates in this release, a well-rounded security posture would not be complete without the following measures, which Ozcode now also supports:

  1. To slow down brute-force and credential-stuffing attacks, you can configure the maximum number of incorrect password entries before an account is locked.
  2. To prevent users from cycling back to earlier passwords, you can specify how many previous passwords to remember.
  3. Audit logs keep a record of all user activity related to security and authentication.

Ozcode Live Debugger - Audit Logs
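The first two measures are simple to state but easy to implement badly. As an added example (not Ozcode’s implementation), the following shows one way to apply a failed-attempt lockout and a password-history rule on top of a salted PBKDF2 store: the lockout is checked before the password so a locked account does no hashing work for the attacker, an unknown user still costs one hash so timing does not reveal which usernames exist, and history is compared hash-by-hash rather than by storing old passwords. The policy values, usernames and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AccountPolicy:
    max_failures: int = 5        # consecutive wrong passwords before lockout
    lockout_seconds: int = 900   # how long the account stays locked
    history_size: int = 5        # previous passwords that may not be reused
    iterations: int = 600_000    # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)


@dataclass
class Account:
    current: bytes                                    # salt || PBKDF2 output
    history: List[bytes] = field(default_factory=list)  # previous hashes, newest first
    failures: int = 0
    locked_until: float = 0.0


class AccountStore:
    def __init__(self, policy: AccountPolicy):
        self.policy = policy
        self.accounts: Dict[str, Account] = {}
        self._dummy = self._hash("not-a-real-password")  # used for unknown users

    def _hash(self, password: str, salt: Optional[bytes] = None) -> bytes:
        salt = os.urandom(16) if salt is None else salt
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.policy.iterations)
        return salt + dk

    def _matches(self, password: str, stored: bytes) -> bool:
        # Re-derive with the stored salt and compare in constant time.
        return hmac.compare_digest(self._hash(password, stored[:16]), stored)

    def create(self, user: str, password: str) -> None:
        self.accounts[user] = Account(current=self._hash(password))

    def login(self, user: str, password: str, now: float) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            self._matches(password, self._dummy)  # same cost as a real check
            return "bad_credentials"
        if now < acct.locked_until:
            return "locked"            # no password check while locked
        if acct.locked_until:          # a previous lockout has expired: count afresh
            acct.locked_until = 0.0
            acct.failures = 0
        if self._matches(password, acct.current):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= self.policy.max_failures:
            acct.locked_until = now + self.policy.lockout_seconds
            return "locked"
        return "bad_credentials"

    def change_password(self, user: str, new_password: str) -> bool:
        acct = self.accounts[user]
        # Reject the current password and the last `history_size` previous ones.
        for old in [acct.current] + acct.history[: self.policy.history_size]:
            if self._matches(new_password, old):
                return False
        acct.history = ([acct.current] + acct.history)[: self.policy.history_size]
        acct.current = self._hash(new_password)
        return True


if __name__ == "__main__":
    store = AccountStore(AccountPolicy(max_failures=3, lockout_seconds=600, history_size=2))
    store.create("alice", "correct horse battery staple")   # constructed credentials
    for pw in ("guess1", "guess2", "guess3", "correct horse battery staple"):
        print(pw, "->", store.login("alice", pw, now=1000))
    print("reuse allowed:", store.change_password("alice", "correct horse battery staple"))
```

Lockout that is purely per-account also lets an attacker lock legitimate users out on purpose, so a real deployment pairs it with per-source rate limiting and, as this release does, with MFA, which makes a guessed password insufficient on its own.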

Learn more about Ozcode Live Debugger Security in our white paper:

Rami Honig
