Gluu Blog

Follow us:
Back to Blog

Gluu + Cred Mgr = Google’s Authentication for Everyone Else

William L. March 26, 2018

According to Verizon’s 2017 Data Breach Investigations Report, 81% of hacking-related breaches leveraged stolen and/or weak passwords.

To combat password-related security issues many websites and applications now support two-factor authentication (2FA). 2FA has proven to be an effective deterrent, but account recovery is “the Achilles’ heel” of multi-factor authentication–that is, how does a person “reset” their account when they lose their strong credential?

If a strong credential can be reset by a weaker one, for instance an email to an unsecured account, the additional security can be easily bypassed. If an operator needs to be called every time someone gets a new credential, 2FA becomes prohibitively expensive to support (and perhaps equally susceptible to human hacking).

So how can organizations offer strong security that is easy-to-use and convenient to support?

Follow Google

Google does a really nice job supporting strong authentication. Billions of user accounts and dozens of mission critical applications have provided Google with lots of data to figure out how best to roll out secure and usable 2FA. Let’s explore how Google locks down accounts, and how you can do the same with mostly free open source software.

Single Sign-On (SSO)

One of Google’s best “tricks” for account security is central authentication, a.k.a. single sign-on (SSO). You maintain one account for access to every Google app: Gmail, YouTube, Calendar, Maps, Drive, Adwords and more.

Fewer passwords and sign-ins is clearly better for people. But from a security perspective, SSO reduces the surface area for attacks and makes it easier to fortify accounts.

At Gluu, our flagship product is called the Gluu Server. The Gluu Server is a free open source software platform for central authentication that supports open web standards for SSO like SAML and OpenID Connect.

Strong Authentication (a.k.a. 2FA)

Once people have SSO, 2FA can be enforced in one place for access to many apps.

Google requires all accounts to have a phone number on file where OTPs can be text messaged (“SMS OTP”) if/when a login attempt seems fraudulent, for instance when you sign in from a new device or unknown location. SMS OTP is just one form of 2FA. In fact, Google supports multiple forms of 2FA including:

  • U2F security keys, like Yubikeys
  • Any OTP mobile app, like Google Authenticator, Authy, Duo Security, etc.
  • The free Google Push app
  • SMS OTP

This combination of free and low-cost 2FA options empowers virtually all users to protect their accounts with strong security.

Self-Service Management

With billions of users, strong security can’t come at the expense of support-ability. That’s why Google also offers a self-service portal where people can enroll, delete and manage their own strong credentials (explore: https://myaccount.google.com/signinoptions/two-step-verification).

A self-service dashboard empowers people to take control over their 2FA devices. If one is lost or stolen, they can simply login and remove the device from their account. No call to Google necessary!

With our new open source web application, Credential Manager, you can host your own self-service portal where people can manage their 2FA credentials in your Gluu Server, including:

  • U2F security keys, like Yubikeys
  • Gluu’s free 2FA mobile app, Super Gluu
  • Any OTP mobile app, like Google Authenticator, Authy, Duo Security, etc.
  • SMS OTP

This enables you to support the same type of strong and convenient account security as Google for access to your digital resources.

To recap…

SSO with 2FA is the foundation for Google account security, and with the Gluu Server and Credential Manager, any individual or organization can launch their own Google-like authentication service.

So what are you waiting for?

And take control over your security!

One final note

All components listed in this article are free open source software. The one piece of commercial software not mentioned is Gluu’s OpenID Connect client software, oxd, which is used to facilitate SSO between Credential Manager and its corresponding Gluu Server. oxd costs around USD $10 per application per month. Learn more in the oxd docs.

Be sure to subscibe to
our RSS Feed

William Lowe

As the marketing and operations leader at Gluu, Will works across channels to ensure the successful release of new products, features and services to Gluu's international community of identity & access management gurus!