[{"data":1,"prerenderedAt":1756},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/password-expirations-dont-work-try-these-best-practices-instead":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":237,"extension":563,"faqItemsCollection":564,"faqTitle":62,"featured":6,"hashTags":62,"meta":566,"metaTitle":567,"ogImage":62,"publishedDate":568,"relatedBlogPostsCollection":569,"slug":1732,"stem":1733,"subtitle":62,"summary":1734,"synopsis":1745,"sys":1746,"tagsCollection":1749,"__hash__":1755},"blog/blog/password-expirations-dont-work-try-these-best-practices-instead.json","Password expirations don’t work. Try these best practices instead.",{"items":230},[231],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":235},"Tyrone Erasmus","Tyrone","Co-founder / CTO",{"url":236},"https://images.ctfassets.net/y1cdw1ablpvd/5rkMblymL7lG4pZBiYzWo6/26f0da21be8fc252b13b62aacc22d19d/Push_Founders_at_Cahoots_October_28_2022_by_Doug_Coombe-22.jpg",{"json":238,"links":540},{"data":239,"content":240,"nodeType":539},{},[241,265,285,305,314,321,376,383,390,398,404,411,444,450,457,513,519],{"data":242,"content":243,"nodeType":264},{},[244,249,260],{"data":245,"marks":246,"value":247,"nodeType":248},{},[],"Passwords and policies surrounding them are perhaps not the sexiest topic to discuss. Even though there are many security vendors shouting \"passwords are dead!\" so that they can sell you their latest 0-touch-magic-super-secure authentication solution, the reality is that the world still runs on passwords. Especially in a world where employees can adopt SaaS themselves without help from IT, there will likely be loads of services in your organization where users are using passwords, rather than social logins or SSO. We wrote up ","text",{"data":250,"content":252,"nodeType":259},{"uri":251},"https://pushsecurity.com/blog/should-i-let-my-employees-login-with-their-work-google-account/",[253],{"data":254,"marks":255,"value":258,"nodeType":248},{},[256],{"type":257},"underline","some guidance","hyperlink",{"data":261,"marks":262,"value":263,"nodeType":248},{},[]," about why you should encourage employees to use social logins, but many will still use username and password to log in.","paragraph",{"data":266,"content":267,"nodeType":264},{},[268,272,281],{"data":269,"marks":270,"value":271,"nodeType":248},{},[],"Recently, ",{"data":273,"content":275,"nodeType":259},{"uri":274},"https://docs.microsoft.com/en-US/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide",[276],{"data":277,"marks":278,"value":280,"nodeType":248},{},[279],{"type":257},"Microsoft blogged",{"data":282,"marks":283,"value":284,"nodeType":248},{},[]," about their updated password policy guidance. We highly recommend that you read the full article, but we want to zoom into one aspect here around password expirations.",{"data":286,"content":287,"nodeType":264},{},[288,292,301],{"data":289,"marks":290,"value":291,"nodeType":248},{},[],"Password expirations are harmful to the quality of the passwords that people choose. There has been some commentary from security industry figures on this, but we think that ",{"data":293,"content":295,"nodeType":259},{"uri":294},"https://twitter.com/WeldPond",[296],{"data":297,"marks":298,"value":300,"nodeType":248},{},[299],{"type":257},"Chris Wysopal ",{"data":302,"marks":303,"value":304,"nodeType":248},{},[],"really hits the nail on the head here.",{"data":306,"content":312,"nodeType":313},{"target":307},{"sys":308},{"id":309,"type":310,"linkType":311},"3DxMMrA6aZkTACuHNV6e73","Link","Entry",[],"embedded-entry-block",{"data":315,"content":316,"nodeType":264},{},[317],{"data":318,"marks":319,"value":320,"nodeType":248},{},[],"The hacking community has long known that password expirations and forced rotations cause predictable passwords. If you had to dump password hashes for any organizations that have a password expiration in their policy you will find the following passwords in use:",{"data":322,"content":323,"nodeType":375},{},[324,335,345,355,365],{"data":325,"content":326,"nodeType":334},{},[327],{"data":328,"content":329,"nodeType":264},{},[330],{"data":331,"marks":332,"value":333,"nodeType":248},{},[],"Password1! to Password9!","list-item",{"data":336,"content":337,"nodeType":334},{},[338],{"data":339,"content":340,"nodeType":264},{},[341],{"data":342,"marks":343,"value":344,"nodeType":248},{},[],"Summer2022!",{"data":346,"content":347,"nodeType":334},{},[348],{"data":349,"content":350,"nodeType":264},{},[351],{"data":352,"marks":353,"value":354,"nodeType":248},{},[],"Winter2022!",{"data":356,"content":357,"nodeType":334},{},[358],{"data":359,"content":360,"nodeType":264},{},[361],{"data":362,"marks":363,"value":364,"nodeType":248},{},[],"January2022! to December2022!",{"data":366,"content":367,"nodeType":334},{},[368],{"data":369,"content":370,"nodeType":264},{},[371],{"data":372,"marks":373,"value":374,"nodeType":248},{},[],"CompanyName1! To CompanyName9!","unordered-list",{"data":377,"content":378,"nodeType":264},{},[379],{"data":380,"marks":381,"value":382,"nodeType":248},{},[],"Why is this? If you make passwords a pain for people, they will do whatever it takes in order to remember their passwords. Some would call this “bad behavior,” but winning at security requires an understanding of human nature. If you make security hard, expect bad results.",{"data":384,"content":385,"nodeType":264},{},[386],{"data":387,"marks":388,"value":389,"nodeType":248},{},[],"Password policies have been a hotly debated topic over the years, especially because various compliance frameworks bake in some questionable practices like password expirations.",{"data":391,"content":392,"nodeType":397},{},[393],{"data":394,"marks":395,"value":396,"nodeType":248},{},[],"Try these tips for helping employees choose strong passwords","heading-2",{"data":399,"content":400,"nodeType":264},{},[401],{"data":402,"marks":403,"value":29,"nodeType":248},{},[],{"data":405,"content":406,"nodeType":264},{},[407],{"data":408,"marks":409,"value":410,"nodeType":248},{},[],"Here at Push, we believe the following about password policies:",{"data":412,"content":413,"nodeType":375},{},[414,424,434],{"data":415,"content":416,"nodeType":334},{},[417],{"data":418,"content":419,"nodeType":264},{},[420],{"data":421,"marks":422,"value":423,"nodeType":248},{},[],"Don't enforce arbitrary specials/numbers requirements, only length requirements.",{"data":425,"content":426,"nodeType":334},{},[427],{"data":428,"content":429,"nodeType":264},{},[430],{"data":431,"marks":432,"value":433,"nodeType":248},{},[],"Don't allow certain common words in passwords, like \"password\" or your company name.",{"data":435,"content":436,"nodeType":334},{},[437],{"data":438,"content":439,"nodeType":264},{},[440],{"data":441,"marks":442,"value":443,"nodeType":248},{},[],"Remove mandatory password rotations - it seems like a good idea but it's not.",{"data":445,"content":446,"nodeType":264},{},[447],{"data":448,"marks":449,"value":29,"nodeType":248},{},[],{"data":451,"content":452,"nodeType":264},{},[453],{"data":454,"marks":455,"value":456,"nodeType":248},{},[],"For your employees:",{"data":458,"content":459,"nodeType":375},{},[460,470,480,503],{"data":461,"content":462,"nodeType":334},{},[463],{"data":464,"content":465,"nodeType":264},{},[466],{"data":467,"marks":468,"value":469,"nodeType":248},{},[],"Make password managers a part of your culture. Roll them out and make them prominent. Generating random passwords that require no extra brainpower can be easy.",{"data":471,"content":472,"nodeType":334},{},[473],{"data":474,"content":475,"nodeType":264},{},[476],{"data":477,"marks":478,"value":479,"nodeType":248},{},[],"Don't re-use passwords between sites. This becomes very difficult without a password manager",{"data":481,"content":482,"nodeType":334},{},[483],{"data":484,"content":485,"nodeType":264},{},[486,490,499],{"data":487,"marks":488,"value":489,"nodeType":248},{},[],"If your account is in a breach, change that password immediately. ",{"data":491,"content":493,"nodeType":259},{"uri":492},"https://haveibeenpwned.com/",[494],{"data":495,"marks":496,"value":498,"nodeType":248},{},[497],{"type":257},"HaveIBeenPwned",{"data":500,"marks":501,"value":502,"nodeType":248},{},[]," is an excellent (free) service that can be used to discover breaches.",{"data":504,"content":505,"nodeType":334},{},[506],{"data":507,"content":508,"nodeType":264},{},[509],{"data":510,"marks":511,"value":512,"nodeType":248},{},[],"Enable MFA on your accounts, it makes password breaches an inconvenience rather than an issue.",{"data":514,"content":518,"nodeType":313},{"target":515},{"sys":516},{"id":517,"type":310,"linkType":311},"50lXnsUhN7txXEkIMNk1xv",[],{"data":520,"content":521,"nodeType":264},{},[522,526,535],{"data":523,"marks":524,"value":525,"nodeType":248},{},[],"Of course, we can help your employees log into SaaS apps and services securely by giving them just-in-time guidance and reaching out via ChatOps (Slack or Teams) to help them fix weak or shared password issues. ",{"data":527,"content":529,"nodeType":259},{"uri":528},"https://pushsecurity.com/features/saas-discovery/",[530],{"data":531,"marks":532,"value":534,"nodeType":248},{},[533],{"type":257},"Learn more",{"data":536,"marks":537,"value":538,"nodeType":248},{},[]," about how we can help.","document",{"entries":541},{"hyperlink":542,"inline":543,"block":544},[],[],[545,555],{"sys":546,"__typename":547,"title":548,"caption":549,"layoutMode":550,"file":551},{"id":309},"Image","Wysopal Tweet Passwords","https://twitter.com/WeldPond/status/1560271804438298624","Centre aligned",{"url":552,"width":553,"height":554},"https://images.ctfassets.net/y1cdw1ablpvd/2s8QmOeB0eo68yQyoy01la/e2ea534a1627efa187fa79c388baf6bc/image1.png",1170,834,{"sys":556,"__typename":547,"title":557,"caption":558,"layoutMode":550,"file":559},{"id":517},"Troy Hunt password dump","Troy Hunt, creator of HaveIBeenPwned, explains how to protect your account even if the login credentials were exposed",{"url":560,"width":561,"height":562},"https://images.ctfassets.net/y1cdw1ablpvd/6iebMadQUiUaNRFv0lTiPk/abb7bfac50f867cc6ec296d04bb192f2/image2.png",1162,226,"json",{"items":565},[],{},"Password best practices for improving security posture","2022-12-15T00:00:00.000Z",{"items":570},[571,1336],{"__typename":572,"sys":573,"content":575,"title":1312,"synopsis":1313,"hashTags":1314,"publishedDate":1316,"slug":1317,"tagsCollection":1318,"authorsCollection":1328},"BlogPosts",{"id":574},"73JjdrO5GKRzYum97MqJ9q",{"json":576},{"data":577,"content":578,"nodeType":539},{},[579,596,603,646,653,698,705,1068,1074,1080,1087,1094,1101,1107,1114,1121,1128,1135,1142,1149,1156,1163,1182,1189,1196,1203,1210,1217,1247,1254,1261,1268,1275,1282,1289,1293,1300,1306],{"data":580,"content":581,"nodeType":264},{},[582,586,592],{"data":583,"marks":584,"value":585,"nodeType":248},{},[],"Before we start, ",{"data":587,"marks":588,"value":591,"nodeType":248},{},[589],{"type":590},"bold","MFA with any method is better than no MFA at all",{"data":593,"marks":594,"value":595,"nodeType":248},{},[],". Although some methods are better than others, they're all leagues ahead of passwords alone. If, for whatever reason, you can only implement MFA using a weaker second factor, you should still do it. You can always improve later and you'll have made a significant improvement even with the weaker second factor.",{"data":597,"content":598,"nodeType":264},{},[599],{"data":600,"marks":601,"value":602,"nodeType":248},{},[],"So, how can one factor be better than others? Here's how we think about it:",{"data":604,"content":605,"nodeType":375},{},[606,616,626,636],{"data":607,"content":608,"nodeType":334},{},[609],{"data":610,"content":611,"nodeType":264},{},[612],{"data":613,"marks":614,"value":615,"nodeType":248},{},[],"User experience: how easy is it to use?",{"data":617,"content":618,"nodeType":334},{},[619],{"data":620,"content":621,"nodeType":264},{},[622],{"data":623,"marks":624,"value":625,"nodeType":248},{},[],"Security: how easy is it for someone to compromise?",{"data":627,"content":628,"nodeType":334},{},[629],{"data":630,"content":631,"nodeType":264},{},[632],{"data":633,"marks":634,"value":635,"nodeType":248},{},[],"Cost: do you need to upgrade your SaaS license, or buy physical bits?",{"data":637,"content":638,"nodeType":334},{},[639],{"data":640,"content":641,"nodeType":264},{},[642],{"data":643,"marks":644,"value":645,"nodeType":248},{},[],"Support: how widely can it be used?",{"data":647,"content":648,"nodeType":397},{},[649],{"data":650,"marks":651,"value":652,"nodeType":248},{},[],"Just want the answers? ",{"data":654,"content":655,"nodeType":375},{},[656,666,688],{"data":657,"content":658,"nodeType":334},{},[659],{"data":660,"content":661,"nodeType":264},{},[662],{"data":663,"marks":664,"value":665,"nodeType":248},{},[],"Using an app on your phone, like Microsoft or Google Authenticator, to receive notifications or use a one-time password are the top all-round options today - they're free, intuitive for users, relatively easy to set up, and widely supported. ",{"data":667,"content":668,"nodeType":334},{},[669],{"data":670,"content":671,"nodeType":264},{},[672,676,684],{"data":673,"marks":674,"value":675,"nodeType":248},{},[],"The gold standard is a FIDO2-capable security key, like the ",{"data":677,"content":679,"nodeType":259},{"uri":678},"https://www.yubico.com/products/yubikey-5-overview/",[680],{"data":681,"marks":682,"value":683,"nodeType":248},{},[],"YubiKey 5 series",{"data":685,"marks":686,"value":687,"nodeType":248},{},[],", or a security key built-in to your device, like Touch ID  - it's the most secure, provides the best user experience, but has an upfront cost as each user will need a key or a compatible device. The main drawback today is they aren't supported on all platforms yet so might not be an option everywhere.",{"data":689,"content":690,"nodeType":334},{},[691],{"data":692,"content":693,"nodeType":264},{},[694],{"data":695,"marks":696,"value":697,"nodeType":248},{},[],"Factors that rely on your phone number, such as SMS and phone calls should be avoided if possible as they are the least secure and provide the worst user experience.",{"data":699,"content":700,"nodeType":264},{},[701],{"data":702,"marks":703,"value":704,"nodeType":248},{},[],"Here's a summary:",{"data":706,"content":707,"nodeType":1067},{},[708,763,816,866,918,967,1018],{"data":709,"content":710,"nodeType":762},{},[711,722,732,742,752],{"data":712,"content":713,"nodeType":721},{},[714],{"data":715,"content":716,"nodeType":264},{},[717],{"data":718,"marks":719,"value":720,"nodeType":248},{},[],"Method","table-header-cell",{"data":723,"content":724,"nodeType":721},{},[725],{"data":726,"content":727,"nodeType":264},{},[728],{"data":729,"marks":730,"value":731,"nodeType":248},{},[],"User experience",{"data":733,"content":734,"nodeType":721},{},[735],{"data":736,"content":737,"nodeType":264},{},[738],{"data":739,"marks":740,"value":741,"nodeType":248},{},[],"Security",{"data":743,"content":744,"nodeType":721},{},[745],{"data":746,"content":747,"nodeType":264},{},[748],{"data":749,"marks":750,"value":751,"nodeType":248},{},[],"Cost",{"data":753,"content":754,"nodeType":721},{},[755],{"data":756,"content":757,"nodeType":264},{},[758],{"data":759,"marks":760,"value":761,"nodeType":248},{},[],"Support","table-row",{"data":764,"content":765,"nodeType":762},{},[766,777,787,796,806],{"data":767,"content":768,"nodeType":776},{},[769],{"data":770,"content":771,"nodeType":264},{},[772],{"data":773,"marks":774,"value":775,"nodeType":248},{},[],"App Notification","table-cell",{"data":778,"content":779,"nodeType":776},{},[780],{"data":781,"content":782,"nodeType":264},{},[783],{"data":784,"marks":785,"value":786,"nodeType":248},{},[],"Good",{"data":788,"content":789,"nodeType":776},{},[790],{"data":791,"content":792,"nodeType":264},{},[793],{"data":794,"marks":795,"value":786,"nodeType":248},{},[],{"data":797,"content":798,"nodeType":776},{},[799],{"data":800,"content":801,"nodeType":264},{},[802],{"data":803,"marks":804,"value":805,"nodeType":248},{},[],"Free",{"data":807,"content":808,"nodeType":776},{},[809],{"data":810,"content":811,"nodeType":264},{},[812],{"data":813,"marks":814,"value":815,"nodeType":248},{},[],"Widely supported",{"data":817,"content":818,"nodeType":762},{},[819,829,839,848,857],{"data":820,"content":821,"nodeType":776},{},[822],{"data":823,"content":824,"nodeType":264},{},[825],{"data":826,"marks":827,"value":828,"nodeType":248},{},[],"App code",{"data":830,"content":831,"nodeType":776},{},[832],{"data":833,"content":834,"nodeType":264},{},[835],{"data":836,"marks":837,"value":838,"nodeType":248},{},[],"Moderate",{"data":840,"content":841,"nodeType":776},{},[842],{"data":843,"content":844,"nodeType":264},{},[845],{"data":846,"marks":847,"value":786,"nodeType":248},{},[],{"data":849,"content":850,"nodeType":776},{},[851],{"data":852,"content":853,"nodeType":264},{},[854],{"data":855,"marks":856,"value":805,"nodeType":248},{},[],{"data":858,"content":859,"nodeType":776},{},[860],{"data":861,"content":862,"nodeType":264},{},[863],{"data":864,"marks":865,"value":815,"nodeType":248},{},[],{"data":867,"content":868,"nodeType":762},{},[869,879,889,898,908],{"data":870,"content":871,"nodeType":776},{},[872],{"data":873,"content":874,"nodeType":264},{},[875],{"data":876,"marks":877,"value":878,"nodeType":248},{},[],"Security key (external)",{"data":880,"content":881,"nodeType":776},{},[882],{"data":883,"content":884,"nodeType":264},{},[885],{"data":886,"marks":887,"value":888,"nodeType":248},{},[],"Best",{"data":890,"content":891,"nodeType":776},{},[892],{"data":893,"content":894,"nodeType":264},{},[895],{"data":896,"marks":897,"value":888,"nodeType":248},{},[],{"data":899,"content":900,"nodeType":776},{},[901],{"data":902,"content":903,"nodeType":264},{},[904],{"data":905,"marks":906,"value":907,"nodeType":248},{},[],"Expensive",{"data":909,"content":910,"nodeType":776},{},[911],{"data":912,"content":913,"nodeType":264},{},[914],{"data":915,"marks":916,"value":917,"nodeType":248},{},[],"Some platforms",{"data":919,"content":920,"nodeType":762},{},[921,931,940,949,958],{"data":922,"content":923,"nodeType":776},{},[924],{"data":925,"content":926,"nodeType":264},{},[927],{"data":928,"marks":929,"value":930,"nodeType":248},{},[],"Security key (internal)",{"data":932,"content":933,"nodeType":776},{},[934],{"data":935,"content":936,"nodeType":264},{},[937],{"data":938,"marks":939,"value":888,"nodeType":248},{},[],{"data":941,"content":942,"nodeType":776},{},[943],{"data":944,"content":945,"nodeType":264},{},[946],{"data":947,"marks":948,"value":888,"nodeType":248},{},[],{"data":950,"content":951,"nodeType":776},{},[952],{"data":953,"content":954,"nodeType":264},{},[955],{"data":956,"marks":957,"value":805,"nodeType":248},{},[],{"data":959,"content":960,"nodeType":776},{},[961],{"data":962,"content":963,"nodeType":264},{},[964],{"data":965,"marks":966,"value":917,"nodeType":248},{},[],{"data":968,"content":969,"nodeType":762},{},[970,980,990,999,1009],{"data":971,"content":972,"nodeType":776},{},[973],{"data":974,"content":975,"nodeType":264},{},[976],{"data":977,"marks":978,"value":979,"nodeType":248},{},[],"SMS",{"data":981,"content":982,"nodeType":776},{},[983],{"data":984,"content":985,"nodeType":264},{},[986],{"data":987,"marks":988,"value":989,"nodeType":248},{},[],"Poor",{"data":991,"content":992,"nodeType":776},{},[993],{"data":994,"content":995,"nodeType":264},{},[996],{"data":997,"marks":998,"value":989,"nodeType":248},{},[],{"data":1000,"content":1001,"nodeType":776},{},[1002],{"data":1003,"content":1004,"nodeType":264},{},[1005],{"data":1006,"marks":1007,"value":1008,"nodeType":248},{},[],"Cheap",{"data":1010,"content":1011,"nodeType":776},{},[1012],{"data":1013,"content":1014,"nodeType":264},{},[1015],{"data":1016,"marks":1017,"value":815,"nodeType":248},{},[],{"data":1019,"content":1020,"nodeType":762},{},[1021,1031,1040,1049,1058],{"data":1022,"content":1023,"nodeType":776},{},[1024],{"data":1025,"content":1026,"nodeType":264},{},[1027],{"data":1028,"marks":1029,"value":1030,"nodeType":248},{},[],"Phone call",{"data":1032,"content":1033,"nodeType":776},{},[1034],{"data":1035,"content":1036,"nodeType":264},{},[1037],{"data":1038,"marks":1039,"value":989,"nodeType":248},{},[],{"data":1041,"content":1042,"nodeType":776},{},[1043],{"data":1044,"content":1045,"nodeType":264},{},[1046],{"data":1047,"marks":1048,"value":989,"nodeType":248},{},[],{"data":1050,"content":1051,"nodeType":776},{},[1052],{"data":1053,"content":1054,"nodeType":264},{},[1055],{"data":1056,"marks":1057,"value":1008,"nodeType":248},{},[],{"data":1059,"content":1060,"nodeType":776},{},[1061],{"data":1062,"content":1063,"nodeType":264},{},[1064],{"data":1065,"marks":1066,"value":815,"nodeType":248},{},[],"table",{"data":1069,"content":1073,"nodeType":313},{"target":1070},{"sys":1071},{"id":1072,"type":310,"linkType":311},"7rgrP5FFAKG63lscwhAsW1",[],{"data":1075,"content":1076,"nodeType":397},{},[1077],{"data":1078,"marks":1079,"value":775,"nodeType":248},{},[],{"data":1081,"content":1082,"nodeType":264},{},[1083],{"data":1084,"marks":1085,"value":1086,"nodeType":248},{},[],"One of the most common methods today is the app notification. Using an app on your phone, like Microsoft Authenticator, to receive a push notification when you login.",{"data":1088,"content":1089,"nodeType":264},{},[1090],{"data":1091,"marks":1092,"value":1093,"nodeType":248},{},[],"Free, easy to use, and secure - this is a good choice if your users all have devices to install the app on and will reliably have a network connection to receive the notification.",{"data":1095,"content":1096,"nodeType":264},{},[1097],{"data":1098,"marks":1099,"value":1100,"nodeType":248},{},[],"Your challenges with using this method will be getting the app setup on everyone's device, getting everyone enrolled, and making sure users understand to only hit approve when they actually performed a login (seriously).",{"data":1102,"content":1106,"nodeType":313},{"target":1103},{"sys":1104},{"id":1105,"type":310,"linkType":311},"4ybLnYAdHltdWCluLbr4di",[],{"data":1108,"content":1109,"nodeType":397},{},[1110],{"data":1111,"marks":1112,"value":1113,"nodeType":248},{},[],"App Code",{"data":1115,"content":1116,"nodeType":264},{},[1117],{"data":1118,"marks":1119,"value":1120,"nodeType":248},{},[],"The early days of MFA looked like RSA tokens; those devices you used to have to carry on a key chain with a code that changed every minute. Those devices worked by having a \"seed\" value that both the device and the server knew which changed predictably. So long as that seed value stayed safe, this provided a convenient second factor for users that was difficult to compromise.",{"data":1122,"content":1123,"nodeType":264},{},[1124],{"data":1125,"marks":1126,"value":1127,"nodeType":248},{},[],"Today, this approach is more common via an app, where the app provides a code that changes every minute, but the concept is exactly the same.",{"data":1129,"content":1130,"nodeType":264},{},[1131],{"data":1132,"marks":1133,"value":1134,"nodeType":248},{},[],"This approach uses what is officially called One Time Passwords (OTP) but is often just referred to as an app code. It has some advantages, such as not needing signal after setup which can be handy if that's a concern. ",{"data":1136,"content":1137,"nodeType":264},{},[1138],{"data":1139,"marks":1140,"value":1141,"nodeType":248},{},[],"However, as was true of the RSA tokens of the past, if the seed value is compromised all future values can be predicted. The odds of this happening in practice are exceptionally low so this remains a good choice.",{"data":1143,"content":1144,"nodeType":264},{},[1145],{"data":1146,"marks":1147,"value":1148,"nodeType":248},{},[],"Your challenges with using this method will again be mostly in rolling it out to all users and getting everyone setup.",{"data":1150,"content":1151,"nodeType":397},{},[1152],{"data":1153,"marks":1154,"value":1155,"nodeType":248},{},[],"Text message / phone call",{"data":1157,"content":1158,"nodeType":264},{},[1159],{"data":1160,"marks":1161,"value":1162,"nodeType":248},{},[],"As MFA gained popularity, receiving a code via text message (SMS), or sometimes a phone call, quickly became the de-facto method. Before everyone had smartphones and therefore the ability to install apps, using text messages or phone calls was the only way to implement MFA without having to provision RSA tokens for everyone in the team.",{"data":1164,"content":1165,"nodeType":264},{},[1166,1170,1178],{"data":1167,"marks":1168,"value":1169,"nodeType":248},{},[],"The major downside to using these methods is their reliance on the security of the phone number. If attackers really want to target an account, and they know the phone number used for MFA, they can try something called ",{"data":1171,"content":1173,"nodeType":259},{"uri":1172},"https://en.wikipedia.org/wiki/SIM_swap_scam",[1174],{"data":1175,"marks":1176,"value":1177,"nodeType":248},{},[],"SIM-swapping",{"data":1179,"marks":1180,"value":1181,"nodeType":248},{},[]," to hijack the phone number, and hence nullify the MFA.",{"data":1183,"content":1184,"nodeType":264},{},[1185],{"data":1186,"marks":1187,"value":1188,"nodeType":248},{},[],"The most important thing to note in that scenario is how targeted it is. With no MFA, any attacker on the Internet can simply guess passwords on an account - the cost is extremely low. To bypass SMS or phone call MFA using SIM swapping has a significantly higher cost. The attack is definitely practical, but would only happen when you're specifically targeted.",{"data":1190,"content":1191,"nodeType":264},{},[1192],{"data":1193,"marks":1194,"value":1195,"nodeType":248},{},[],"Additionally, the user experience isn't as good. Firstly, the user must have mobile signal to receive the SMS or call. Secondly, there can often be a delay in delivery, due to the less-reliable mobile network. Finally, there is almost always a usage cost associated with these methods, since it costs money to send SMSs or make phone calls.",{"data":1197,"content":1198,"nodeType":264},{},[1199],{"data":1200,"marks":1201,"value":1202,"nodeType":248},{},[],"Because of this, SMS or phone calls are often considered least desirable MFA methods today.",{"data":1204,"content":1205,"nodeType":397},{},[1206],{"data":1207,"marks":1208,"value":1209,"nodeType":248},{},[],"Security keys",{"data":1211,"content":1212,"nodeType":264},{},[1213],{"data":1214,"marks":1215,"value":1216,"nodeType":248},{},[],"FIDO2 is the name for a set of authentication protocols and standards developed by a consortium of tech companies to be the future of authentication. FIDO2 solves a lot of the problems we've dealt with in the past: it's secure, usable, impossible to spoof.",{"data":1218,"content":1219,"nodeType":264},{},[1220,1224,1232,1236,1243],{"data":1221,"marks":1222,"value":1223,"nodeType":248},{},[],"Without digging into the weeds of how that works (",{"data":1225,"content":1227,"nodeType":259},{"uri":1226},"https://fidoalliance.org/fido2/",[1228],{"data":1229,"marks":1230,"value":1231,"nodeType":248},{},[],"the official page from the FIDO alliance is worth a read if you're interested",{"data":1233,"marks":1234,"value":1235,"nodeType":248},{},[],"), you will need what's commonly referred to as a \"security key\" to make use of it. This is a small physical device, often plugged into your USB port - modern devices that understand FIDO2, like the ",{"data":1237,"content":1238,"nodeType":259},{"uri":678},[1239],{"data":1240,"marks":1241,"value":1242,"nodeType":248},{},[],"YubiKey 5 Series",{"data":1244,"marks":1245,"value":1246,"nodeType":248},{},[],", are preferable. Once setup, you simply touch the key on login and the magic of cryptography ensures a high degree of security.",{"data":1248,"content":1249,"nodeType":264},{},[1250],{"data":1251,"marks":1252,"value":1253,"nodeType":248},{},[],"In fact, this approach is so secure, it is the basis of a \"passwordless\" revolution, where this strong factor of authentication can feasibly be used as a single-factor of authentication, and users don't even need to remember passwords anymore. Though in its infancy at the moment, expect to hear more about that in the coming years.",{"data":1255,"content":1256,"nodeType":264},{},[1257],{"data":1258,"marks":1259,"value":1260,"nodeType":248},{},[],"The primary drawback of this method is the cost, with devices typically costing around $50 each. Also, although you can expect them to be supported on major platforms, they aren't supported as widely as other methods just yet.",{"data":1262,"content":1263,"nodeType":264},{},[1264],{"data":1265,"marks":1266,"value":1267,"nodeType":248},{},[],"If you are unable to justify their cost for all users, a common implementation is to use security keys for high privilege accounts.",{"data":1269,"content":1270,"nodeType":397},{},[1271],{"data":1272,"marks":1273,"value":1274,"nodeType":248},{},[],"Built-in security keys",{"data":1276,"content":1277,"nodeType":264},{},[1278],{"data":1279,"marks":1280,"value":1281,"nodeType":248},{},[],"Many modern mobile devices like laptops, tablets and phones have built-in security keys (e.g. Apple TouchId,  Android phones, and Windows Hello). These have many of the advantages of stand-alone security keys, but without the cost!",{"data":1283,"content":1284,"nodeType":264},{},[1285],{"data":1286,"marks":1287,"value":1288,"nodeType":248},{},[],"Support for these keys is a fairly recent development and is still ongoing but opens up an exciting future where users will increasingly be able to very easily add a second factor, or even go passwordless, in a secure way, without much effort or thought.",{"data":1290,"content":1291,"nodeType":1292},{},[],"hr",{"data":1294,"content":1295,"nodeType":264},{},[1296],{"data":1297,"marks":1298,"value":1299,"nodeType":248},{},[],"In conclusion there are multiple options you can choose from to fit almost any scenario you have. While some options are better than others, even the worst option is still a massive improvement on passwords alone. In the end, the best MFA method is the one you can start rolling out today, you can always improve down the line.",{"data":1301,"content":1305,"nodeType":313},{"target":1302},{"sys":1303},{"id":1304,"type":310,"linkType":311},"2y0INxqAi594O7rCAVKhTI",[],{"data":1307,"content":1308,"nodeType":264},{},[1309],{"data":1310,"marks":1311,"value":29,"nodeType":248},{},[],"Which MFA methods should you use?","SMS, Authenticator apps, Security Keys, and more! We compare them from a user experience, security, cost, and security aspect.",[1315],"MFA","2021-03-15T00:00:00.000+01:00","which-mfa-methods-should-you-use",{"items":1319},[1320,1324],{"sys":1321,"name":1323},{"id":1322},"1gZi8NrRy2v9OqPV7C4dwD","Risk management",{"sys":1325,"name":1327},{"id":1326},"3pjES4THCIfSAwhGdNwBcy","Browser security",{"items":1329},[1330],{"fullName":1331,"firstName":1332,"jobTitle":1333,"profilePicture":1334},"Andy Waugh","Andy","VP Product",{"url":1335},"https://images.ctfassets.net/y1cdw1ablpvd/3Rf76rJn6S9inMb4dUnAIJ/0a787f8141d05b95300e2fe77c4493fa/DSC_6868.jpg",{"__typename":572,"sys":1337,"content":1339,"title":1714,"synopsis":1715,"hashTags":62,"publishedDate":1716,"slug":1717,"tagsCollection":1718,"authorsCollection":1724},{"id":1338},"1pbtctbbJRqLuz8dOsecOt",{"json":1340},{"data":1341,"content":1342,"nodeType":539},{},[1343,1350,1357,1363,1370,1376,1383,1390,1397,1404,1411,1417,1424,1432,1439,1457,1475,1493,1523,1550,1568,1575,1582,1589,1596,1603,1610,1628,1661,1668,1686,1693,1700,1707],{"data":1344,"content":1345,"nodeType":264},{},[1346],{"data":1347,"marks":1348,"value":1349,"nodeType":248},{},[],"We have all seen the option on websites to login using a variety of different tech giant accounts (“Login with Google, Login with Microsoft”), instead of creating a new account or using username and password. This is known as a social login and, less often, social sign-in or social sign-on. ",{"data":1351,"content":1352,"nodeType":264},{},[1353],{"data":1354,"marks":1355,"value":1356,"nodeType":248},{},[],"Normally, this is more associated with personal use than business use, but it’s just as possible for employees to log into a SaaS platform using a business Google Workspace account - but should we be encouraging or discouraging this behavior? We’ll answer that question in this article but, spoiler alert, at Push Security we encourage it in most cases and we’ll explain why in this article. ",{"data":1358,"content":1362,"nodeType":313},{"target":1359},{"sys":1360},{"id":1361,"type":310,"linkType":311},"47o2DQc4uabGwXXN85HBUG",[],{"data":1364,"content":1365,"nodeType":264},{},[1366],{"data":1367,"marks":1368,"value":1369,"nodeType":248},{},[],"We've created a quick and dirty video demo of a social login to help explain the concept: ",{"data":1371,"content":1375,"nodeType":313},{"target":1372},{"sys":1373},{"id":1374,"type":310,"linkType":311},"2rIwQIeOZ9cZY47vUrYkf3",[],{"data":1377,"content":1378,"nodeType":397},{},[1379],{"data":1380,"marks":1381,"value":1382,"nodeType":248},{},[],"What is a social login?",{"data":1384,"content":1385,"nodeType":264},{},[1386],{"data":1387,"marks":1388,"value":1389,"nodeType":248},{},[],"So what actually happens when you click to login with Google? Aren’t you just giving your Google password to some random website? That’s a security concern many people have but, thankfully, that isn’t the case. ",{"data":1391,"content":1392,"nodeType":264},{},[1393],{"data":1394,"marks":1395,"value":1396,"nodeType":248},{},[],"Social logins actually work using OAuth 2.0, which stands for “Open Authorization.” It’s a standard to allow third-party apps to access your data. OAuth is actually for a much broader set of use cases than just social logins, but that’s for another article. ",{"data":1398,"content":1399,"nodeType":264},{},[1400],{"data":1401,"marks":1402,"value":1403,"nodeType":248},{},[],"Let’s focus on what happens when you click to sign-in with Google. You’re actually redirected to Google’s own servers and asked to authorize the website to be granted any access to your data that it has requested. In a simple social login case, the website should only be asking for minimal access to view simple details, such as your email address and full name in order to verify your identity.",{"data":1405,"content":1406,"nodeType":264},{},[1407],{"data":1408,"marks":1409,"value":1410,"nodeType":248},{},[],"If this is the case, Google does not even specifically ask you to accept those permissions, it just verifies which Google account you would like to use. If you are already logged in with Google then you won’t even need to enter your password.",{"data":1412,"content":1416,"nodeType":313},{"target":1413},{"sys":1414},{"id":1415,"type":310,"linkType":311},"2PbJH7qfRYIxJRBmHJLSdI",[],{"data":1418,"content":1419,"nodeType":264},{},[1420],{"data":1421,"marks":1422,"value":1423,"nodeType":248},{},[],"…and that’s it, you’ve just socially logged in to a website using your Google account. You didn’t need to create an account, set a password, use a password manager or even enter your Google password. It was so easy! But is it secure?",{"data":1425,"content":1426,"nodeType":1431},{},[1427],{"data":1428,"marks":1429,"value":1430,"nodeType":248},{},[],"Security Benefits","heading-1",{"data":1433,"content":1434,"nodeType":264},{},[1435],{"data":1436,"marks":1437,"value":1438,"nodeType":248},{},[],"The short answer is - yes, it is secure, and there are actually many security benefits. Let’s consider some of them:",{"data":1440,"content":1441,"nodeType":375},{},[1442],{"data":1443,"content":1444,"nodeType":334},{},[1445],{"data":1446,"content":1447,"nodeType":264},{},[1448,1453],{"data":1449,"marks":1450,"value":1452,"nodeType":248},{},[1451],{"type":590},"Multi-Factor authentication (MFA) everywhere!",{"data":1454,"marks":1455,"value":1456,"nodeType":248},{},[]," - You’ve followed good security practice and enabled MFA for all of your Google accounts, right? Great, well then every other SaaS platform that your employees use social logins just inherited MFA protection for free! Not only does the platform not even need to support MFA on its own (most don’t), but you don't even need to set it up!",{"data":1458,"content":1459,"nodeType":375},{},[1460],{"data":1461,"content":1462,"nodeType":334},{},[1463],{"data":1464,"content":1465,"nodeType":264},{},[1466,1471],{"data":1467,"marks":1468,"value":1470,"nodeType":248},{},[1469],{"type":590},"Easy password resets",{"data":1472,"marks":1473,"value":1474,"nodeType":248},{},[]," - Ok, so one of your employees gets their (commonly shared) password phished. All those SaaS accounts could be immediately compromised and how many password resets now need to be performed? Oh, they use a password manager? Ok, what if their laptop is compromised with malware? You need to assume the password manager is compromised too. That’s still a lot of password resets. On the other hand, if you use social logins for everything you only have one password to change. If you have MFA too, it probably would have been tough for the attacker to make use of that password during the compromise window before the change, too.",{"data":1476,"content":1477,"nodeType":375},{},[1478],{"data":1479,"content":1480,"nodeType":334},{},[1481],{"data":1482,"content":1483,"nodeType":264},{},[1484,1489],{"data":1485,"marks":1486,"value":1488,"nodeType":248},{},[1487],{"type":590},"Easy offboarding -",{"data":1490,"marks":1491,"value":1492,"nodeType":248},{},[]," When an employee leaves the company, it’s not so hard to delete their core business accounts, but it’s much more painful to have a process for removing all old SaaS accounts too. If social logins are well implemented by the SaaS provider then the removal of a Google workspace account automatically means the corresponding SaaS accounts are no longer accessible either.  ",{"data":1494,"content":1495,"nodeType":375},{},[1496],{"data":1497,"content":1498,"nodeType":334},{},[1499],{"data":1500,"content":1501,"nodeType":264},{},[1502,1507,1511,1519],{"data":1503,"marks":1504,"value":1506,"nodeType":248},{},[1505],{"type":590},"Visibility",{"data":1508,"marks":1509,"value":1510,"nodeType":248},{},[]," - If employees use custom logins for all their SaaS platforms, you’ll have no idea what SaaS platforms are in use (unless you use the Push browser extension ;)). With social logins, you can see exactly which platforms your employees are using across the organization. (",{"data":1512,"content":1514,"nodeType":259},{"uri":1513},"https://support.google.com/a/answer/7281227?hl=en#zippy=",[1515],{"data":1516,"marks":1517,"value":1513,"nodeType":248},{},[1518],{"type":257},{"data":1520,"marks":1521,"value":1522,"nodeType":248},{},[],") ",{"data":1524,"content":1525,"nodeType":375},{},[1526],{"data":1527,"content":1528,"nodeType":334},{},[1529],{"data":1530,"content":1531,"nodeType":264},{},[1532,1537,1541,1546],{"data":1533,"marks":1534,"value":1536,"nodeType":248},{},[1535],{"type":590},"Simplicity ",{"data":1538,"marks":1539,"value":1540,"nodeType":248},{},[],"- Complexity is often the enemy of security and, let’s face it, getting all your employees to use password managers with different passwords for large numbers of accounts, creating new accounts every time, handling password changes for all of them, etc., is the definition of complexity. On the other hand, social logins are just so simple. You login to Google once, then any other SaaS platform you want to access that supports them you just click “login with Google”, select your account and you’re done. That’s it - ",{"data":1542,"marks":1543,"value":1545,"nodeType":248},{},[1544],{"type":590},"simplicity benefits security",{"data":1547,"marks":1548,"value":1549,"nodeType":248},{},[],". ",{"data":1551,"content":1552,"nodeType":375},{},[1553],{"data":1554,"content":1555,"nodeType":334},{},[1556],{"data":1557,"content":1558,"nodeType":264},{},[1559,1564],{"data":1560,"marks":1561,"value":1563,"nodeType":248},{},[1562],{"type":590},"No shared passwords ",{"data":1565,"marks":1566,"value":1567,"nodeType":248},{},[],"- Let’s face it, it’s difficult to get employees to use password managers for everything and commonly people end up using the same one or two passwords for everything. Then all it takes is for any one platform to be compromised and that account is compromised for any other platforms where the password is shared. Therefore, your security is dependent on the security of the weakest platform you use of many. On the other hand, if you use social logins for everything, there is only ever one strongly protected account, which is much less likely to be compromised.",{"data":1569,"content":1570,"nodeType":264},{},[1571],{"data":1572,"marks":1573,"value":1574,"nodeType":248},{},[],"Our view is that it’s better to have one account that you put all your focus on securing as best as possible than many accounts that individually have a lower level of security. ",{"data":1576,"content":1577,"nodeType":264},{},[1578],{"data":1579,"marks":1580,"value":1581,"nodeType":248},{},[],"But why would I want everything in one account, protected with one password?If your Google account is used to access everything then all your eggs are in one basket right? If your Google account is compromised, or even Google themselves are compromised, then everything else you use is compromised too. Pretty concerning, right? This is true and it does remain a risk. ",{"data":1583,"content":1584,"nodeType":264},{},[1585],{"data":1586,"marks":1587,"value":1588,"nodeType":248},{},[],"However, if you’re a Google Workspace user then you’re trusting Google with most of your key data anyway - all your email, documents, calendar appointments etc are stored with Google and accessed using Google accounts. Also, if your Google email gets hacked that can generally be used to password reset all your other accounts anyway! Plus, using a password manager could be argued to also be putting all your eggs in one basket too.",{"data":1590,"content":1591,"nodeType":264},{},[1592],{"data":1593,"marks":1594,"value":1595,"nodeType":248},{},[],"We’ll go into some of the potential concerns of using social logins in this next section because there may be some valid use cases where you won’t want to use them.",{"data":1597,"content":1598,"nodeType":1431},{},[1599],{"data":1600,"marks":1601,"value":1602,"nodeType":248},{},[],"Security Caveats",{"data":1604,"content":1605,"nodeType":264},{},[1606],{"data":1607,"marks":1608,"value":1609,"nodeType":248},{},[],"Ok, we said at Push Security that we encourage the use of social logins. But we aren’t going to wave our hands and cover up any downsides - as always, there are always some. We consider some of the following to be key drawbacks:",{"data":1611,"content":1612,"nodeType":375},{},[1613],{"data":1614,"content":1615,"nodeType":334},{},[1616],{"data":1617,"content":1618,"nodeType":264},{},[1619,1624],{"data":1620,"marks":1621,"value":1623,"nodeType":248},{},[1622],{"type":590},"Giving away sensitive data",{"data":1625,"marks":1626,"value":1627,"nodeType":248},{},[]," - This article has been entirely focused on social logins, but we said at the start that OAuth was for more than that. When a user logs in using Google, the website can ask for permissions far beyond what is needed for a simple social login. These can be sensitive, such as allowing access to emails, calendars, Google Drive documents etc and the user will be prompted separately to accept or refuse this. In most cases, you’ll probably find websites do not request additional permissions for a simple login/signup but may do if you enable more advanced integrations. However, some websites may just ask for the kitchen sink from the first login. It’s possible your employees may then start giving away sensitive access to third parties without a second thought.",{"data":1629,"content":1630,"nodeType":264},{},[1631,1635,1646,1650,1658],{"data":1632,"marks":1633,"value":1634,"nodeType":248},{},[],"There are also malicious apps created simply to exploit permissions so they can gain access to an employee’s or company’s data by requesting excessive permissions and requesting the employee to opt into them by default. This is called consent phishing and we’ve written up a ",{"data":1636,"content":1640,"nodeType":1645},{"target":1637},{"sys":1638},{"id":1639,"type":310,"linkType":311},"1bV8YTSQHvveCTnRc4H8su",[1641],{"data":1642,"marks":1643,"value":1644,"nodeType":248},{},[],"quick guide","entry-hyperlink",{"data":1647,"marks":1648,"value":1649,"nodeType":248},{},[]," here about what the risk is, how it works, and how to handle it. ",{"data":1651,"content":1653,"nodeType":259},{"uri":1652},"https://pushsecurity.com/blog/consent-phishing-the-emerging-phishing-technique-that-can-bypass-2fa/",[1654],{"data":1655,"marks":1656,"value":29,"nodeType":248},{},[1657],{"type":257},{"data":1659,"marks":1660,"value":29,"nodeType":248},{},[],{"data":1662,"content":1663,"nodeType":264},{},[1664],{"data":1665,"marks":1666,"value":1667,"nodeType":248},{},[],"You can always see what access has been given by your employees to different platforms and review accordingly and you can even configure more sensitive permissions as restricted so your employees can’t accept them on their own. However, this risk remains, whereas it’s not as easy for an employee to inadvertently open up significant data access with a custom login for a website.   ",{"data":1669,"content":1670,"nodeType":375},{},[1671],{"data":1672,"content":1673,"nodeType":334},{},[1674],{"data":1675,"content":1676,"nodeType":264},{},[1677,1682],{"data":1678,"marks":1679,"value":1681,"nodeType":248},{},[1680],{"type":590},"Privacy and Anonymity",{"data":1683,"marks":1684,"value":1685,"nodeType":248},{},[]," - if you use social logins for everything, then every SaaS platform your employees use will have at least some access to basic personal information for your employees that use them. Google will also probably have more information about what SaaS providers you are using than they would otherwise, too. ",{"data":1687,"content":1688,"nodeType":264},{},[1689],{"data":1690,"marks":1691,"value":1692,"nodeType":248},{},[],"Maybe you just wanted to try out a new SaaS service without getting spammed by their sales team for the next 12 months? For that, you might want to go with an anonymous, disposable email address. Whatever the case, social logins will always give away basic personal details at a minimum and there might be times where this isn’t desirable. But for most companies, we’ve found those to be edge cases.",{"data":1694,"content":1695,"nodeType":264},{},[1696],{"data":1697,"marks":1698,"value":1699,"nodeType":248},{},[],"You may not necessarily want the public (or your adversaries) to know what SaaS apps employees are using. If an attacker gained access to your Google or Microsoft account that you were using for social login, they would be able to see the apps that are accessed with social login. On the other hand, if an attacker gets access to your primary core business platforms, this is likely going to be the least of your concerns.",{"data":1701,"content":1702,"nodeType":1431},{},[1703],{"data":1704,"marks":1705,"value":1706,"nodeType":248},{},[],"Conclusion",{"data":1708,"content":1709,"nodeType":264},{},[1710],{"data":1711,"marks":1712,"value":1713,"nodeType":248},{},[],"Social logins are good for business use for third-party SaaS platforms, not just for personal use. They save time and bring many security benefits in most cases too. As long as you understand the residual risks that remain and are happy managing those risks, you should consider encouraging your users to use social logins. ","Should I let my employees login with their work Google account?","Is logging in with Google or Microsoft secure? Yes, with caveats. ","2022-10-04T00:00:00.000Z","should-i-let-my-employees-login-with-their-work-google-account",{"items":1719},[1720,1722],{"sys":1721,"name":1323},{"id":1322},{"sys":1723,"name":1327},{"id":1326},{"items":1725},[1726],{"fullName":1727,"firstName":1728,"jobTitle":1729,"profilePicture":1730},"Luke Jennings","Luke","Vice President, R&D",{"url":1731},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg","password-expirations-dont-work-try-these-best-practices-instead","blog/password-expirations-dont-work-try-these-best-practices-instead",{"json":1735},{"data":1736,"content":1737,"nodeType":539},{},[1738],{"data":1739,"content":1740,"nodeType":264},{},[1741],{"data":1742,"marks":1743,"value":1744,"nodeType":248},{},[],"Password expirations lead to more predictable passwords. Use password managers, MFA, to prevent password theft.","Password expirations are still commonly recommended, but most security pros agree that they lead to more predictable passwords. Here's what to do instead.",{"id":1747,"publishedAt":1748},"38LFVv412IBfFmoBCHosy1","2024-03-21T09:25:48.011Z",{"items":1750},[1751,1753],{"sys":1752,"name":1323},{"id":1322},{"sys":1754,"name":1327},{"id":1326},"DR8RlXMM0fXSez-J1ARFj3cwDz7Iaxc85V9qvR463Lw",1784196727979]