Protecting your identity with MFA, password managers, and SSO
By Alex Norman
Every startup and every founder is different. We’ve tried to take a general approach across the widest set of personas we could while also being practical. Kinde does not endorse or recommend any specific vendors; those mentioned are provided purely for reference.
One of the first things you’ll do to establish your startup is create a branded company email account. This is the heart of protecting your identity. It’ll likely be the dumping ground for everything important: notes, investor emails, co-founder messages, legal docs, and so on. It will also be how the internet sees you when interacting online, since you’re likely going to use your email as the login username for pretty much everything.
The main threats that you will be protecting yourself against are phishing and credential stuffing.
How you use multi-factor authentication (MFA), password managers, and single sign-on (SSO) will overlap depending on the services you’re using them for. You may find that one service doesn’t support SSO but does support MFA, while another supports SSO, which means you don’t need to worry about a password or MFA for it at all. Start with the important things, such as your primary email and cloud hosting, then work your way out.
| What | Start | Next |
|---|---|---|
| Multi-factor authentication | MFA everything | Use hardware keys |
| Password managers | Use any password manager for all passwords | Pay for a password manager |
| Single sign-on | Use your email social login | Enforce with SAML or use an SSO identity provider |
The easiest way to help secure your email is to enable MFA. The terms MFA, 2FA, 2SV, U2F, etc. are used in different situations, but all refer to an extra step that helps protect your accounts. The point is to use it when available. For the purposes of this article, we’re just going to say MFA. This feature should be table stakes for all email providers out there. Most of the founders and startups we come across use Google or Office 365 for their email, both of which come with a variety of MFA options. After setting up MFA on your email, you should enable MFA on your cloud hosting portal and on every other service you use, if possible.
Password breaches happen. Getting your password stolen by a phishing website happens. The additional authentication step helps prevent attackers who have stolen your password, or are trying to guess it, from gaining access to your accounts.
Basics to get started? Set up any form of MFA on your email account. MFA comes in a variety of flavours now, with options like 6-digit authenticator app codes, one-time passcodes through email or SMS, proprietary push methods, or USB hardware keys. Each has its own set of advantages and friction.
Both Google and Microsoft accounts default to their own preferred method, Google Prompt and Microsoft Authenticator respectively, but they also support one-time codes via authenticator apps, email, phone and SMS, as well as hardware keys. If you’re using a provider other than Google or Microsoft, reach out to their support team for help.
When it comes to your cloud hosting, the options will vary wildly depending on the vendor. But most importantly here, make sure to protect your cloud admin account. Beyond that, start looking at all the other business critical services that you use on a daily basis and set them up with MFA.
What’s next? Take a look at using hardware keys, such as a YubiKey. These are physical USB keys that can be plugged into your laptop or use an NFC connection if you’re authenticating to something on your mobile device. Why is this the advanced approach? An attacker will physically need the hardware key to pass the MFA check.
What does Kinde do? We use Google Workspace for all our emailing and enforce Google’s 2-Step Verification. For anyone who has admin rights in the Google Workspace, we’re beginning to use a hardware key as the only available MFA choice. Further down the line, we want to give every employee a set of YubiKeys to further protect our business. And with our cloud portal, we’ve linked it via single sign-on back to our Google accounts, so they’re protected by all the security features we’ve already implemented.
There are both free and commercial password managers out there, differing in feature sets, integrations, the ability to safely share passwords with co-workers, and a ton of other features. The point is to have a password manager of some kind. Any will do.
First off, it will help you index and capture all the different places you use passwords. Think about the tens or hundreds of websites where you have an account. Second, it will auto-generate and securely store the password for you. This is huge. Use your password manager’s auto-generate feature to create a random string of junk when setting a password. And third, use the browser plugin that most password managers come with. The plugin will auto-fill the login pages for your websites, automatically detect when a password change has been requested, and generally make your life a lot easier.
At least one (probably more) of the services that you’ve signed up with has had a breach of its password database at some point. It’s not hard to find examples. Those passwords are dumped into massive lists online. A great resource to check whether your credentials are part of an existing breach is HaveIBeenPwned. If you’ve been using a password manager with auto-generated passwords, then you know the breached service held a password unique to that one service, rather than one shared with everything else you use.
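The two points above, auto-generated passwords and checking a password against breach lists, are shown in this added example (not Kinde’s code and not any password manager’s). Generation uses the OS CSPRNG via Python’s `secrets` module. The breach check follows the k-anonymity scheme of the HaveIBeenPwned Pwned Passwords range API, where only the first five hex characters of the password’s SHA-1 are sent and the client matches the remaining suffix locally; the range response embedded here is constructed so the example runs offline, and its counts are made up.

```python
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Random password drawn from the OS CSPRNG, the same idea as a manager's
    auto-generate button. Re-draws until every character class is present,
    because some sites still insist on one of each."""
    if length < 4:
        raise ValueError("length must be at least 4 to hold every class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Upper bound on guessing work: log2(alphabet^length)."""
    return length * math.log2(alphabet_size)


def hibp_range_query(password: str) -> tuple:
    """k-anonymity split used by the Pwned Passwords range API: the 5-char
    SHA-1 prefix is the only thing that leaves the machine; the suffix is
    matched locally against the returned range."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_response: str) -> int:
    """Parse a range response (lines of 'SUFFIX:COUNT') and return how many
    times the password appeared in known breaches, 0 if absent."""
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed stand-in for the response to GET /range/5BAA6 (counts are made up).
# The first suffix is the real SHA-1 suffix of the string "password".
CONSTRUCTED_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
0DEADBEEF0000000000000000000000000:12
"""

if __name__ == "__main__":
    prefix, suffix = hibp_range_query("password")
    print("prefix sent:", prefix, "seen", breach_count(suffix, CONSTRUCTED_RANGE_5BAA6), "times")
    pw = generate_password()
    print("generated:", pw, f"({entropy_bits(len(pw)):.0f} bits)")
```

Against the real service the range text would come from an HTTPS request for `https://api.pwnedpasswords.com/range/<prefix>`; everything else stays the same, and the full password or hash never leaves the machine.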
Basics to get started? There are a load of amazing commercial, paid, free, and open source options out there. For example, there’s a massive list from the Password Management category on G2. They are all very user friendly since it’s a hot market to be in.
What’s next? Pay for your password manager. It’ll come with support, backups, and features to make your life easier. Most commercial password managers are starting to support API integrations for managing server or infrastructure secrets automatically. This is a big jump and might not be practical for years to come.
What does Kinde do? We’ve licensed 1Password for everyone in the company. Apart from the usual duties of promoting strong password hygiene, 1Password also provides an easy place for staff to store and share one-off authentication secrets such as API keys within our teams.
Linking all your main systems back to a single identity is a bit of a holy grail. Almost every online service supports logging in via your Google account and most support Microsoft. Use them if available. This means that you can only log into that service once you’ve authenticated with your Google or Microsoft account, which at this stage has been locked down with a strong password and MFA.
You won’t need to create and store a password for that service. One less password! You also don’t need to deal with MFA for that service either. You may be thinking that all your authentication ducks are in one bucket. But think about the tens or hundreds of online services you’ll end up using. It’s a lot easier to do a good job of protecting when there are fewer things to protect.
Basics to get started? If you’re using Google or Microsoft as your main email, then use that helpful “Login with Google” or “Login with Microsoft” button. If you’re using a different email provider, then you may need to look at using a dedicated identity management service. I’ll link off to the Cloud Identity category on G2 for reference on this one. But don’t fret. If SSO is turning out to be more taxing than it’s worth, you can compensate by making sure that the password manager is being used effectively.
What’s next? All the vendors that support identity management will also support Security Assertion Markup Language (SAML), which is an open federation standard allowing an identity provider to authenticate users for other applications and services. In short, offloading authentication to someone else. It requires a bit more work to set up and is not always supported, but it provides stricter authentication controls, such as forcing everyone with your domain name to use SSO instead of it being optional. This becomes more important when you end up having to off-board employees from your growing company, since you only need to disable their account in the places that aren’t linked with SAML, which means less work.
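“Offloading authentication to someone else” means the service never sees a password; it receives a signed assertion from the identity provider and checks it. The added example below (not Kinde’s code, and not Google’s or any SAML vendor’s) shows both halves of that exchange in miniature: the provider issues a signed token after the user has passed its password and MFA checks, and the relying service verifies the signature, issuer, audience and expiry before trusting the identity. Real “Login with Google” tokens are RS256-signed JWTs checked against the provider’s published public keys, and SAML carries the same claims as signed XML; to run offline, this illustration uses HS256 with a constructed shared secret, and the issuer and client ID are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

# All values constructed for the example.
DEMO_KEY = b"constructed-shared-secret-not-a-real-key"
TRUSTED_ISSUER = "https://idp.example.test"   # hypothetical identity provider
OUR_CLIENT_ID = "startup-app-client-id"       # hypothetical audience (this service)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, claims: dict) -> str:
    """Identity-provider side: sign the claims once the user has authenticated
    there (password + MFA). The relying service never handles that password."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes, now: int) -> dict:
    """Relying-service side: accept the identity only if every check passes.
    Raises ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != OUR_CLIENT_ID:
        raise ValueError("token not meant for this service")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def demo_claims(now: int) -> dict:
    """Constructed claim set of the kind an IdP would assert about a user."""
    return {"iss": TRUSTED_ISSUER, "aud": OUR_CLIENT_ID, "sub": "user-42",
            "email": "founder@example.test", "iat": now, "exp": now + 300}


if __name__ == "__main__":
    now = int(time.time())
    token = issue_token(DEMO_KEY, demo_claims(now))
    print("accepted:", verify_token(token, DEMO_KEY, now)["email"])
```

The audience check is the one most often forgotten: a token issued for a different application at the same provider is still validly signed, and without it any app you log into could replay the token against yours. Off-boarding works because disabling the account at the identity provider stops new tokens being issued, which is why the article stresses linking as many services as possible back to it.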
What does Kinde do? We’ve set a company policy for all staff to use the “Login with Google” button for any online service they use. It’s not always an option and sometimes they don’t enforce SSO, but so far it’s been a positive experience since there are fewer passwords to deal with. And where possible, we connect those services to our Google account via SAML, which does enforce the use of the Google identity. For any service that doesn’t support Google SSO, everyone will use 1Password to manage the credentials.