A real dilemma our team faces day after day is how to ensure the security and integrity of clients' data whilst also keeping the system easy to use.
For example, we used to insist that system access required a PIN as well as a password – we now leave it to each company to decide whether to use one or not. It means the system is quicker and easier to access, but it also means that if an employee uses the same password on multiple sites and one of those other sites gets compromised, then someone could gain “legitimate” access to their Natural HR account and there is NOTHING we can do about it.
Consider also password rules – at the moment the only rules we enforce are that the password must be at least 8 characters long and must not be in the top 10,000 most common passwords. That is pretty user-friendly (though we still get hundreds of attempts per week to use passwords in the top 10,000 list), but it still means someone could use a really weak password. The alternative is to force users to make a password 16 characters long, including numbers, upper-case, lower-case, symbols and so on – the end result is more security but annoyed users, as complex passwords are hard to remember.
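The two rules described above (a minimum length and a check against a list of the most common passwords) are simple to implement. The following is an added example and not Natural HR's own code; the blocklist is a constructed ten-entry stand-in for the real 10,000-entry list, the minimum of 8 is taken from the post, and the case-folding and Unicode normalisation before the blocklist lookup is an assumption about how such a check should behave (so “PASSWORD” is rejected along with “password”):

```python
import unicodedata
from typing import List

# Constructed stand-in for the "top 10,000 most common passwords" list the post
# mentions; a real deployment would load the full list from a file at start-up.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123",
    "letmein", "welcome", "iloveyou", "monkey", "dragon",
}

MIN_LENGTH = 8  # minimum length from the post


def normalize(password: str) -> str:
    """Case-fold and NFKC-normalise so 'PASSWORD' or fullwidth digits still hit the blocklist.

    (Assumed behaviour: the post only says the password must not be in the list.)
    """
    return unicodedata.normalize("NFKC", password).casefold()


def check_password(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted.

    Every rule is evaluated rather than stopping at the first failure, so the
    user sees everything they need to fix in one go.
    """
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters long")
    if normalize(password) in COMMON_PASSWORDS:
        problems.append("is in the list of most common passwords")
    return problems


if __name__ == "__main__":
    for candidate in ["Qwerty", "12345678", "correct horse battery"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Note that “12345678” passes the length rule and is only caught by the blocklist, which is exactly why the two rules are used together; logging how often the blocklist rule fires is how a team would measure the “hundreds of attempts per week” the post mentions.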
A much more recent example of this dilemma has been highlighted in the last few days by a support issue raised by a customer – the customer set up their account using firstname.lastname@example.org (for example) and then set up the system, including user-level access for their employees. Additionally, they set themselves up as an admin user (an admin user can do EVERYTHING in the system, including deleting an account). No problems so far – this is pretty standard, and though we don’t recommend giving admin rights to user accounts, it can be done.
Some time later, the admin user was in the system and deleted their own account – the other employees and so on are still live, but their account is gone. We’re not sure why they did it, but they now can’t log in, and they can’t reset their password because the account doesn’t exist – they are stuck!
All is not lost, we tell them – log in via the main admin account (email@example.com), recreate your user account and all is well! Excellent!
However, the user no longer has access to firstname.lastname@example.org…
They tell us they need us to tell them their password or let them log in anyway, and here is where security and convenience start to clash – firstly, we can’t tell them their password, as all passwords are hashed in the database, so they are, to all intents and purposes, unreadable. Secondly, access to the email address is how we define ownership, and they don’t have access.
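The two facts in that paragraph (a hashed password cannot be handed back, and the email address is the proof of ownership) are what a password-reset flow is built on. The following is an added example, not Natural HR's code: the password is stored as a salted PBKDF2-HMAC-SHA256 digest and can only ever be verified, never recovered, and a reset is only possible by redeeming a single-use, expiring token that is sent to the address on file. The iteration count, token lifetime and record layout are assumptions for the example:

```python
import base64
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

# Assumed parameters for this example, not Natural HR's real settings.
PBKDF2_ITERATIONS = 600_000
RESET_TOKEN_TTL_SECONDS = 30 * 60


def hash_password(password: str) -> str:
    """Store a salted PBKDF2-HMAC-SHA256 digest; the password itself is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iterations)
    )
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def issue_reset_token(email: str, now: Optional[float] = None) -> Tuple[str, dict]:
    """Create a one-time reset token for the account's e-mail address.

    The raw token goes only into the e-mail sent to `email`; the database keeps
    a SHA-256 hash of it, so a leaked database row cannot be turned into a reset.
    Whoever can read that mailbox is, by this design, the owner of the account.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    record = {
        "email": email,
        "token_hash": hashlib.sha256(token.encode("ascii")).hexdigest(),
        "expires_at": now + RESET_TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token, record


def redeem_reset_token(token: str, record: dict, now: Optional[float] = None) -> Optional[str]:
    """Return the e-mail the token was issued for if it is valid, unexpired and unused, else None."""
    now = time.time() if now is None else now
    if record["used"] or now > record["expires_at"]:
        return None
    presented = hashlib.sha256(token.encode("ascii")).hexdigest()
    if not hmac.compare_digest(presented, record["token_hash"]):
        return None
    record["used"] = True  # single use: a second redemption fails
    return record["email"]


if __name__ == "__main__":
    stored = hash_password("example-passphrase-1")
    print("stored form:", stored)
    print("correct password verifies:", verify_password("example-passphrase-1", stored))
    token, record = issue_reset_token("firstname.lastname@example.org")
    print("reset redeemed for:", redeem_reset_token(token, record))
```

Support staff looking at the stored row see only the algorithm, salt and digest, which is why “tell me my password” cannot be satisfied; and because the reset token is delivered only to the recorded address, losing that mailbox really does mean losing the account, as the post goes on to describe.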
At this point the support rep escalates the ticket as this is something out of the ordinary – is this a legitimate request? Is this someone trying to get access to the system when they shouldn’t? An ex-employee? A contractor? Someone else?
We go back to the customer and tell them they have to have access to that email account – no access to the email means no access to the system. They are pretty annoyed now – we are being pedantic and stopping them from doing their job.
This goes back and forth a number of times but we stick to our guns – in the end, the customer gained access to the email account and was able to reset their password so it ended well.
However, it got us thinking – how can we prevent this happening again? We considered a few options:
- Don’t allow the deletion of admin accounts – sounds fine in principle but there are going to be scenarios when someone genuinely wants and needs to delete an admin account and this would make things more difficult for them.
- Add some additional questions in the system about the person who set up the system, which they have to answer to prove it is them when they don’t have access to the email – this sounds good in principle, but unless we make the questions really obscure, how can we make them hard to guess or find out? For example, how hard is it to find out someone’s mother’s maiden name or first pet’s name in the world of social media?
- Ask questions about people in the system which only a “genuine” admin would know – the problem here is that if this is a disgruntled ex-employee, they will probably also know Bob’s date of birth or when John started at the company.
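The first option above, a blanket ban on deleting admin accounts, can be narrowed so that it only blocks the situation in this story. The following is an added example, not Natural HR's code, and the rule it implements is an assumed design rather than one the post settles on: an admin may not delete their own account, and only an active admin may delete any account, so there is always a different admin left who can recreate the deleted user. Every refusal and deletion is written to an audit list, which is what a support rep would want to see when a ticket like this one is escalated:

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class User:
    email: str
    is_admin: bool = False
    deleted: bool = False


class Directory:
    """Minimal in-memory user store with a guarded delete (constructed for this example)."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.audit_log: List[str] = []  # who tried to delete whom, and the outcome

    def add(self, email: str, is_admin: bool = False) -> None:
        self.users[email] = User(email, is_admin)

    def active_admins(self) -> List[User]:
        return [u for u in self.users.values() if u.is_admin and not u.deleted]

    def delete_user(self, actor_email: str, target_email: str) -> Tuple[bool, str]:
        """Soft-delete `target_email` on behalf of `actor_email`; returns (ok, reason).

        Because the actor must be an active admin and may not be the target,
        deleting an admin always leaves at least one other admin active.
        """
        actor = self.users.get(actor_email)
        target = self.users.get(target_email)
        if actor is None or actor.deleted or not actor.is_admin:
            return self._refuse(actor_email, target_email, "only an active admin may delete accounts")
        if target is None or target.deleted:
            return self._refuse(actor_email, target_email, "no such active account")
        if target.is_admin and actor_email == target_email:
            return self._refuse(actor_email, target_email, "admins cannot delete their own account")
        target.deleted = True
        self.audit_log.append(f"{actor_email} deleted {target_email}")
        return True, "deleted"

    def _refuse(self, actor_email: str, target_email: str, reason: str) -> Tuple[bool, str]:
        self.audit_log.append(f"{actor_email} attempted to delete {target_email}: refused ({reason})")
        return False, reason


if __name__ == "__main__":
    d = Directory()
    d.add("email@example.com", is_admin=True)
    d.add("firstname.lastname@example.org", is_admin=True)
    d.add("bob@example.org")
    print(d.delete_user("firstname.lastname@example.org", "firstname.lastname@example.org"))
    print(d.delete_user("email@example.com", "firstname.lastname@example.org"))
    for line in d.audit_log:
        print(line)
```

With this rule the customer in the story could still have had their account removed, but only by the other admin, who would then still be in a position to recreate it; the scenario that actually occurred (an admin removing themselves and then losing their mailbox) is refused at the first check.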
We still haven’t got an answer to this – above all, we must ensure data security, and that will always remain our top priority. The moral of the story is: don’t lose access to your email account. The wider message is how difficult it is to ensure security without impacting usability. If anyone has any thoughts on alternative ways to address this, we would love to hear them!