Changing Gears: BBye FIM/MIM – Welcome SailPoint

Been working on FIM/MIM for over 6 years now I think and finally time has come to change to something new. FIM/MIM is good for basic syncs etc but when it comes to reporting and PAM solutions among other things, it lacks teeth. But it is good to know all competitors from marketing and implementation point of view. You know the pros and cons of each!!!

Extremely happy to join the SailPoint Crew and represent them Down Under. They are the market leaders in Identity Governance & Administration. The Gartner report speaks of itself and the difference between the competitors.

Going from one extreme end of the graph to the other. It’s certainly going to be challenging and fun. Looking forward to it!!!

So hopefully I should blog more about SailPoint in the coming weeks from now on.


Comparison: Microsoft Azure B2C vs Okta Identity Cloud

Just something one of my colleagues had written up and thought was interesting to share. I don’t take credit for it nor full responsibility of accuracy of it. Feel free to rebuttal.

FeaturesMicrosoft Azure B2COkta Identity Cloud
Ability to protect other application's API using OpenID Connect and OUATH protocol/frameworkYesYes
API based enrolmentYes but can't register a phone number that will be used as a MFA factor. The reason being not able to do this is because of OpenID Connect restriction over impersonation principle. This feature might come in 2019.Yes. But Okta user management is not yet OAUTH/OpenID Connect compliant
Federated SSO based on SAML and OpenID ConnectYesYes
Force Password ChangeNo (not out of the box but can be done through customisation)Yes
Identity Lifecycle Approvals (both for self-enrolment, API triggerred enrolment)NoYes (very suitable for Okta to act as external identity onboarding tool)
MFA FactorsOTP over SMS and Voice Call (Officially). Microsoft App (Separate commercials, professional service engagement and not out of the box at the moment. Official support is expected in 2019)OTP over SMS & Voice Call, Octa Verify Mobile App TOTP and Push Notification, Security Questions, Fido U2F, RSA SecurID, FIDO2 Microsoft Hello (very good range of MFA options - a major strength)
Non federated SSONo (It's designed as not to be)Yes (a major strength)
Notification templates customisations (SMS and Email)only EmailBoth Email and SMS
Password RecoveryYes (only SMS/Voice Call/Email OTP as Identity Proofing methods)Yes (all MFA factors can be identity proofing methods)
Programming support for customisationC#. (Java Script support is expected in 2019)C#, Java, Java Script (a major strength)
Risk Scoring and Step-up MFA (Adaptive/Contextual)NoNo. Okta Threat Insight product is in beta phase now. They would be integrating with Okta Identity Platform in 2019. Currently Okta Identity Cloud support a tightly coupled MFA policy when it comes to IP/network zones, black listed countries, region/location, devices etc.
Self-activation of credential such as setting a password post enrolled through an APINo (a major drawback)Yes
Syncing from on-premise ADYesYes
User Interface Customisation and support of CORS (cross origin resource sharing)Yes (But require Custom Sign On policies for flexibility) and a separate Azure Blob storage subscription.Yes. Very flexible to host custom pages in Okta Identity Cloud tenant and also for pages hosted in remote servers.
User management API compliant with OpenID Connect and OAUTHYes (major strength on security here)No (Proprietary protocol at the moment. Quite surprising)
User to Application access mappingNoYes (pretty good on security here)
Web based self-enrolment and activationYesYes

Identity 101: 2 Factor Authentication and App Passwords

2FA A Must!!!

2 Factor Authentication (2FA) / 2 Step Verification is a big push these days and works as an additional security in this ever increasing world of social engineering and cyber threats. Not just at your work but for your personal account as well.

This should be turned on for every app you use if you care about your security. Many big providers have this option like Facebook, Gmail, Twitter, Dropbox, Apple, Microsoft, Crypto Sites etc… The list goes on and becomes larger day by day!!!

Most common additional security are SMS, Phone and App verification (There are additional types but these are most common). Because these are a separate disjoint method if say your email (in the cloud) is compromised and these methods are not affected by the internet to say as such!!!

For App Verification I say u MUST have an app which has a backup and restore functionality. I have over 20 apps on 2FA and imagine if I lost my device / format then I will have to go to each of the 20+ sites, disable 2FA and then re-register for 2FA. PITA (Don’t think I will even remember all the sites until I hit them some random day and it asks for 2FA code!!! Lol!!!)

Therefore, I really recommend a few:

  • LastPass Authenticator: Backup and Restore functionality and if you already use Lastpass as a password manager, you already have an account.
  • Microsoft Authenticator: Just been updated with backup and restore functionality on iOS a day ago.
  • 1Password Authenticator: If you are already invested in this wonderful Password App.. Don’t look any further!!!
  • Authy: Strong leader in this field.

I therefore simply can’t recommend Google Authenticator as they don’t have a simple backup and restore facility (and looks so dated). Any app supporting RFC6238 TOTP (Time-Based One-Time Password) and site supporting that is good 🙂

Companies enabling 2FA and allowing QR code scan MUST allow you to use any app which a user wishes to use so that you can use a central repository of your own backup and restore (and ease of use). If you are forced to use proprietary apps for each login (say Google says must use google app, LastPass says must use LastPass auth app, Microsoft says must use their app)… you can imagine the number of apps you will end up with on your phone and to manage them.

The positive of individual apps is that since they are customized for the site, they can do push notifications which allows easy login (via allow/deny or yes/no button popup). But I will still like a single app experience.

Sometimes, its a decision to give the “branding” of the company but I totally disagree with this as 2FA should be seamless for a user and if I have everything controlled by 1 app then why not? Bad business decision (user un-friendly) if they force their own auth app over the more popular ones.

But that is normally not the case with most of the big companies and majority didn’t even bother to write their own app (and thus maintain app and code).

Apps are broken after 2FA???

Once you have 2FA ON (say on Google – I am heavily invested in their online ecosystem like mail, calendar, contacts etc), you will suddenly realise that many apps are asking for your password again. Say, for example, I turned on 2FA on my Gmail and I was using the same to log in and send pics to me (IMAP Protocol) of my security cameras when triggered by my security software. It stopped working. Or my contacts or calendar syncing via CardDAV or CalDAV protocols on my iPhone suddenly starts asking for the password.

This is because these apps can’t handle 2FA as they are not built for that. Google gives you an easy method to circumvent this issue by generating App Passwords for them. It allows you to generate a one time random 16 digit passcode which you can enter it on these apps. You DON’T have to remember them or write them down as if you have to re-enter it on the devices, just generate a new code. You can go here to do so.

Screenshot showing an example of what you can do.

Other providers like Microsoft, Yahoo (really? someone using it still?) etc do have a similar method.

TL;DR: 2FA – Turn ON (Not just for your business but for your personal use as well), use an app with secure backup and restore feature for sanity and if some apps suddenly break then look for App Password setting from the provider.