
January 12, 2009


Comments

Patrick Burns

Dana - hello, I'm Patrick Burns, product manager at Autotask who worked on the two-factor project. From the beginning, we saw this as a 2 part effort -- implement a solid solution as quickly as possible in response to customer demand; and add other methods and integration capabilities in the future.

I'm not sure how soon we'll have resources available to work on integration, but I believe your proposal makes a lot of sense for us and our customers. Let's stay in touch and hopefully we'll have bandwidth to do something later this year.

By the way - you guys must be doing a good job because I've had several inquiries about supporting AuthAnvil, in addition to Tech Care Team. Good luck!

Dana Epp

Hey Patrick,

Thanks for visiting the blog and leaving a comment. I appreciate the insight and look forward to working with you and your team as resources become available. Although I am sure integration time will be extremely quick, I respect the time it will take to approach the design and test the solution before it could be rolled out to your clients. Feel free to contact me offline when you are ready to move down that path.

If I could make a suggestion that could help the entire industry, it would be that all vendors consider their approach to using strong authentication. You have already shown you understand the problem with static passwords. That is a great start. But it doesn't have to really end there.

With the various strong authentication vendors that already exist in the industry such as Scorpion Software, CryptoCard and RSA, a more robust solution would be to separate the authentication process from the application of authorization and privilege, allowing your clients to make the determination of what system they want to trust, and allow them to drive the identity metasystem the way they feel is appropriate. This way, they don't have to fret about buying MORE software or hardware (be it dongles, USB keys, smartcards, Information Cards etc.), and can leverage their existing investment in authentication and identity management solutions that they may already have in place. Most of our mutual clients have to log onto hundreds of different servers and workstations, and it doesn't make a lot of sense to carry even more authentication devices to do so. Using one across all systems is a much more usable way to go. And letting them choose which vendor they prefer opens up the opportunity for you significantly.

How can this be done? One way would be to leverage traditional open standards like RADIUS to allow an association of trust between a client's AutoTask logon and their own RADIUS server. Most vendors of strong authentication solutions will have support for this already, which means making such a change allows ANY vendor 2FA system to be used with AutoTask.

An even better way would be to take a more forward-looking position and consider making AutoTask a "claims-aware" application. By doing so, you could leverage industry standards like SAML to deliver a single sign-on (SSO) experience with a client's existing infrastructure through simple claims-mapping. Combined with Microsoft solutions for federation, you could go as far as managing that through Active Directory Federation Services (ADFS) or the new Microsoft Federation Gateway to bridge almost any authentication technology, including new technology like Information Cards and AuthAnvil, into the fold.

And of course, AuthAnvil will work in either scenario. AutoTask could communicate with a client's AuthAnvil RADIUS Server which in turn will validate against an AuthAnvil Strong Authentication Server, or use the AuthAnvil Identity Server to request to do the same and return a SAML token which you could consume. This way, if a user of AuthAnvil is already logged in somewhere, based on their privileges and roles they could immediately work with appropriate AutoTask data they are permitted to access without even needing to sign on again.

Of course, these types of sophisticated authentication options are a lot for the IT industry that we both serve. But they will be more commonplace in the next few years as more and more cloud-based systems need to work together, especially when trust is involved. I would be more than happy to explore such options with your team when the time is right. That's part of what we do here. Our mission includes a level of security ambassadorial work to ensure that small and midsized businesses can securely work together. No matter if your personal choice is a competing vendor, our goal is to ensure you make the best security decisions that will help the SMB industry as a whole, which we are part of.

I am sure all our mutual customers will appreciate that. I look forward to hearing from you later this year.

Thanks for stopping by.
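The RADIUS path sketched in the comment above (an application logon delegating the OTP check to the client's own RADIUS server, which fronts whatever strong-authentication backend the client already owns) can be shown concretely with the RFC 2865 Access-Request / Access-Accept exchange. The block below is an added illustration, not code from the blog, from Scorpion Software, AuthAnvil or Autotask: it builds the request with the User-Password hiding scheme from RFC 2865 §5.2, has a toy server decode it and consult a constructed OTP verifier standing in for the strong-authentication server, and then verifies the Response Authenticator on the client side. The shared secret, user names and OTP values are all constructed demo data.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo values; a real deployment configures the secret per RADIUS client.
SHARED_SECRET = b"demo-shared-secret"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 §5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def decode_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same scheme; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def pack_attrs(attrs):
    # Attribute = Type(1) Length(1, includes header) Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def pack_packet(code, ident, authenticator, attrs):
    # Packet = Code(1) Identifier(1) Length(2) Authenticator(16) Attributes
    body = pack_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], parse_attrs(pkt[20:length])


def build_access_request(username: str, otp: str, secret: bytes, ident: int):
    request_auth = secrets.token_bytes(16)          # random Request Authenticator
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, encode_password(otp.encode(), secret, request_auth))]
    return pack_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + ResponseAttributes + Secret), RFC 2865 §3."""
    body = pack_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def radius_server_handle(pkt: bytes, secret: bytes, verify_otp) -> bytes:
    """Toy RADIUS server: recover the OTP and ask the (stand-in) strong-auth backend."""
    code, ident, request_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("only Access-Request is handled here")
    fields = dict(attrs)
    user = fields[ATTR_USER_NAME].decode()
    otp = decode_password(fields[ATTR_USER_PASSWORD], secret, request_auth).decode()
    resp_code = ACCESS_ACCEPT if verify_otp(user, otp) else ACCESS_REJECT
    auth = response_authenticator(resp_code, ident, request_auth, [], secret)
    return pack_packet(resp_code, ident, auth, [])


def verify_response(resp: bytes, request_auth: bytes, ident: int, secret: bytes):
    """Client side: None if the reply is forged/mismatched, else True/False for accept/reject."""
    code, rid, auth, attrs = parse_packet(resp)
    expected = response_authenticator(code, rid, request_auth, attrs, secret)
    if rid != ident or not hmac.compare_digest(auth, expected):
        return None
    return code == ACCESS_ACCEPT


def demo_exchange(username: str, otp: str, verify_otp, secret: bytes = SHARED_SECRET):
    """Run one full client -> server -> client round trip and return the verdict."""
    req, request_auth = build_access_request(username, otp, secret, ident=7)
    resp = radius_server_handle(req, secret, verify_otp)
    return verify_response(resp, request_auth, 7, secret)


# Constructed stand-in for the strong-authentication server: expected OTP per user.
_DEMO_OTPS = {"alice": "482913"}

def demo_verify_otp(user: str, otp: str) -> bool:
    return hmac.compare_digest(_DEMO_OTPS.get(user, ""), otp)


if __name__ == "__main__":
    print("alice/correct ->", demo_exchange("alice", "482913", demo_verify_otp))  # True
    print("alice/wrong   ->", demo_exchange("alice", "000000", demo_verify_otp))  # False
```

The point the exchange makes for the application vendor is that AutoTask (or any hosted application) never needs to know which token technology the client uses: it only speaks RADIUS to a server the client controls, and the Response Authenticator check is what stops a spoofed Access-Accept on the path back. The MD5-based hiding is what RFC 2865 specifies, not a strong encryption of the OTP, which is why production deployments pair RADIUS with a trusted network path or an IPsec/TLS transport.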

Bob Godgart, Autotask CEO

Hi Dana, Bob Godgart here.

This was a pretty exciting project for us and we learned a lot quickly! The Card works with Autotask, Autotask Mobile and even Passthru Shortcuts. We even supported a secure method to temporarily let someone log in if they lost access to the Token!

As Pat mentioned, we felt it was very important and responsible to get started with 2-factor Authorization - especially with our new configuration management solution on the way. The good news is that the plan was always to support multiple authorization vendors and we implemented an architecture that will let us do it in the future.

As far as supporting AuthAnvil, please work directly with Pat so he can determine what it will take, and let's keep track of customers who are interested in it so we can make a good business decision.

Just so we all have realistic expectations, it is unlikely that we can apply resources for this project in the first half of this year. However, since AuthAnvil uses the same CRYPTOCard Token keys as we use in Autotask today, my suggestion is to use the Autotask-CryptoCard Solution now and, when we support AuthAnvil, you can reprogram the Tokens to support both Autotask and other solutions simultaneously.

Hope that helps.

Regards,
- Bob

Dana Epp

Thanks for stopping by, Bob, and setting some reasonable expectations.

AuthAnvil tokens indeed use the same KT-1 tokens, but use a different set of code, both in how it is programmed and how it is used. We don't actually use CRYPTOCard's API, as at the time it couldn't meet our requirements and needs, and instead have written and audited the code from the ground up. Like our other tokens, it is simply the OTP generator.

However, your idea of reprogramming tokens is a good one. So here is a commitment I will give to all AutoTask clients who are also AuthAnvil clients. If customers immediately need two-factor authentication for AutoTask, my recommendation is that they purchase those tokens from you. They would need to carry two tokens for the time being to continue to also use AuthAnvil. I would recommend they somehow mark the tokens so as not to get too confused. No one wants to lock a token because they are using the wrong one!

Once AutoTask has support for AuthAnvil, Scorpion Software will provide any AutoTask client who purchased KT-1 tokens the opportunity to have their token reprogrammed for free to work with AuthAnvil. In this way, they can repurpose the token as new/spare tokens to use in their business going forward, reusing the current investment in the tokens themselves. If AutoTask wishes, I will be more than happy to work with you to see if we can build a migration tool to do this completely online, so tokens do not have to be shipped to one of our distribution centers in Canada or Australia.

Appreciate the insights Bob. I look forward to working with AutoTask later this year as you have resources available.

Mark Crall

You know, 90% of this security stuff is over my head. ;-) I'm just glad we are having an open dialog that ultimately benefits everyone, especially the customer.
