There are a number of changes wrapped up and just about ready to go that will give you many more options to increase the security of your system. There are a fair few, so we thought it’d be useful to explain them in detail in advance.
1. Two-factor Authentication
Two factor authentication adds a layer to the login process. At the moment, you need “something you know” – your password. Two-factor authentication also requires “something you have” – your mobile phone. When set up, an app on your phone generates a 6-digit code every 30 seconds, which is only valid for 30 seconds. (This is a bit like the little widgets some banks give you to do online banking). You have to enter your username/password, and then this 6-digit code, to log in.
Two-factor authentication massively increases the security of your system, and is strongly recommended by security experts for use with all online services that support it. This pdf from SANS (a well-respected IT security organisation) explains why in a bit more detail.
To use two-factor authentication with Lamplight, you’ll need to install an app on your phone. Instructions for most devices are available on the Google support pages. If (like me) you have a Windows phone, there’s an app called ‘Authenticator’ made by Microsoft in the Marketplace. You can use these apps for lots of other online services, and they don’t send any information anywhere.
To set it up, you need to go into the admin section of Lamplight and click on ‘Enable two-factor authentication’. Lamplight will generate a secret code that you need to enter into the app on your phone. Once your phone and Lamplight both have this shared secret, they can both generate the 6-digit code you need to log in.
Each operator logging in will have their own secret code (and not everyone has to use it, if it’s impractical for some). We strongly recommend enabling two-factor authentication if at all possible. While it does add an extra step to the login process, the security benefits are so significant it’s really worth doing.
2. Password policies
System Administrators will now be able to set up password policies, which all operators have to follow when changing their password. You can require that passwords:
- be at least a certain length
- contain at least one lower-case character
- contain at least one upper-case character
- contain at least one number
- contain at least one punctuation symbol
- do not contain any of the top 500 most popular passwords
- be changed every <x> days
As a general rule, longer passwords are better than short passwords with a mix of characters in them. We recommend that you use long passwords (say 20 characters or more) and a password manager (here’s another ‘Securing the human’ pdf about them) to store them, if possible. Password managers can actually make security easier, as well as stronger, particularly if you use them across a number of sites.
3. Force password change
System Administrators can force someone to change their password the next time they log in, through the ‘add, edit and remove database operators’ section of the admin menu. If you’re adding a new password policy, you might want to do this afterwards to ensure that everyone has to change their passwords to comply with the new policy.
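The rules listed under Password policies, plus the forced and age-based change above, as an added example of how such a policy can be evaluated (this is illustrative code, not Lamplight’s own; the common-password set is a constructed five-entry stand-in for the top-500 list):

```python
import string
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Constructed stand-in for the "top 500 most popular passwords" list the post
# mentions; a real deployment loads the full list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

@dataclass
class PasswordPolicy:
    min_length: int = 12
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    require_punct: bool = True
    block_common: bool = True
    max_age_days: int = 90

    def violations(self, password: str) -> List[str]:
        """Return every rule the password breaks (an empty list means it is acceptable)."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_lower and not any(c.islower() for c in password):
            problems.append("no lower-case character")
        if self.require_upper and not any(c.isupper() for c in password):
            problems.append("no upper-case character")
        if self.require_digit and not any(c.isdigit() for c in password):
            problems.append("no number")
        if self.require_punct and not any(c in string.punctuation for c in password):
            problems.append("no punctuation symbol")
        if self.block_common and password.lower() in COMMON_PASSWORDS:
            problems.append("in the common-password list")
        return problems

    def must_change(self, last_changed: date, today: date, forced: bool = False) -> bool:
        """True if an administrator forced a change, or the password is older than max_age_days."""
        return forced or (today - last_changed) > timedelta(days=self.max_age_days)
```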
4. Login policies
System Administrators can set up Login Policies that determine where and when different operators can log in to Lamplight. For example, you might have a ‘sessional staff’ policy that only allows logins between 2pm and 6pm on Mondays and Thursdays, and 9am – 1pm on Fridays (because that’s when they work). Or you might have an ‘office hours’ policy that only allows logins between 9am and 5pm, Monday to Friday, from your office internet connection.
You can set up a series of these policies, and then choose which to use for each member of staff. Someone trying to log in ‘outside’ of these policy restrictions will see a ‘sorry, not now’ page.
The restriction on where you log in from uses the IP address of your computer. You really need a fixed IP address (which your Internet Service Provider may or may not allow) to use this. If you don’t have one, your IP address is likely to change at some point, and then you won’t be able to log in at all.
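The two policies described above (‘sessional staff’ by time of day, ‘office hours’ by time and office address), as an added example of the check behind the ‘sorry, not now’ page. It is illustrative code, not Lamplight’s; the office network and the dates are constructed.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional, Tuple

# A window is (weekdays with Monday=0 .. Sunday=6, start, end): start inclusive, end exclusive.
Window = Tuple[FrozenSet[int], time, time]

@dataclass
class LoginPolicy:
    name: str
    windows: List[Window]
    # None means "from anywhere"; otherwise only these source networks are allowed.
    networks: Optional[List[ipaddress.IPv4Network]] = None

    def allows(self, when: datetime, source_ip: str) -> Tuple[bool, str]:
        """Decide whether a login at `when` from `source_ip` is within policy."""
        in_window = any(when.weekday() in days and start <= when.time() < end
                        for days, start, end in self.windows)
        if not in_window:
            return False, "outside permitted login times"
        if self.networks is not None:
            addr = ipaddress.ip_address(source_ip)
            # With a dynamic ISP address this is the check that starts failing
            # once the address changes, which is why a fixed IP is needed.
            if not any(addr in net for net in self.networks):
                return False, "not from a permitted address"
        return True, "ok"

# 'sessional staff': Mon and Thu 2pm-6pm, Fri 9am-1pm, from anywhere.
SESSIONAL = LoginPolicy("sessional staff", [
    (frozenset({0, 3}), time(14, 0), time(18, 0)),
    (frozenset({4}), time(9, 0), time(13, 0)),
])

# 'office hours': Mon-Fri 9am-5pm, only from the office connection
# (203.0.113.0/29 is a constructed documentation range, not a real office).
OFFICE_HOURS = LoginPolicy("office hours",
    [(frozenset(range(5)), time(9, 0), time(17, 0))],
    networks=[ipaddress.ip_network("203.0.113.0/29")])

if __name__ == "__main__":
    print(SESSIONAL.allows(datetime(2014, 10, 27, 15, 0), "198.51.100.7"))   # a Monday
    print(OFFICE_HOURS.allows(datetime(2014, 10, 27, 18, 30), "203.0.113.5"))
```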
When is this happening? Tell me more!
The updates are all ready and waiting for our code review process over the next week or so. Providing that nothing major comes up in that, these changes will go live the weekend of the 25th October. Your existing login process will be just the same afterwards as it is now, until your system administrator adds some policies or you set up two-factor authentication.
Next week we’ll also add a video to our YouTube channel explaining all these changes in more detail, and showing you how to set them up in Lamplight. We’ll add a note to the login page at that point too.
It’s also well worth subscribing to the “Securing the Human” newsletters and circulating them internally. They come out monthly and explain ‘end-user’ computer security issues really well.
Any other business…
The changes we’ve made to enable this have also allowed us to add ‘multi-system’ logins. If you use more than one Lamplight at the moment, you need a different email address for each. We can now combine these to a single email address, and when you log in you’ll get a choice screen to select the system to log in to. You’ll need to contact us about this if you’d like to use it.
You can see these changes in action on this short YouTube video.