ExchangeDefender OAuth Support for Google and Microsoft Authenticators
ExchangeDefender is proud to announce the successful rollout of the first phase of our OAUTH implementation across three of our major products: ExchangeDefender Mail Security (Admin Portal), Encryption and WebShare. Originally, our rollout was planned to be a massive shotgun change across all services which would have required users to reset their passwords, but users had to be aware of their current password. In December, we started to log and analyze the entry points users took into the application and found that a majority of users relied on “one-click” login methods like quarantine reports to access their portal and would then jump to other services like Encryption via the “quick links.” Armed with the aggregated analysis, we realized our previous deployment strategy would unfortunately lead to many users being unable to access their services as many users were never aware of their password, thus putting an additional strain on our partners. However, we also know that the current security method was not sustainable for the future.
Enter: Deployment 2.0.
We knew our login system had to be smarter, safer, but also flexible. We knew we needed to rethink a lot of our auxiliary entry points (like quarantine reports) as well as our main entry points to work together in tandem, instead of hard cutovers or independent, one off operations. For example, we needed to continue to allow the legacy password hashing style to be accepted during login, but in-line upgraded to our new hashing algorithm. There were a lot of technical difficulties to overcome as each product maintained its own login page (which many users would save in their browser credential store) and in some instances, had additional security features that do not exist in other products (such as IP restrictions and 2FA in admin, but not encryption or Webshare).
Even more complicated than individual service login logic, some services maintained a list of users who are external entities to the end user’s organization (think Webshare or encryption recipients), and in most cases, these external recipients aren’t in the ExchangeDefender eco system. Ultimately, we decided to allow ExchangeDefender users to continue using each service’s independent login screens for a few weeks before disabling the legacy functionality and hinting to users to click the OAUTH login button “Login with ExchangeDefender” (or even “Login with Google” or “Login with Microsoft” more details below).
Originally, our plan involved redirecting all users to the new login server, which unfortunately would be the Achilles heal of those users who relied on their browser credential store. Ultimately, we landed on a hybrid approach, using the flexibility of using different OAUTH grant styles depending on the application.
The Deployment Timeline
Feb 19th: Activate the new login system for Encryption and Webshare
Feb 21st: Activate the new login system for Admin
Feb 26th: Activate the new centralized navigation headers
Feb 27th: Activate “Login with ExchangeDefender/Google/Microsoft” button to Admin, Encryption and Webshare. Add warning notification to users about the incoming login changes.
Mar 6th: Disable legacy password grant from services, enforce “Login with ExchangeDefender” when a user attempts to login with a username and password on each services page.
Throughout the remaining quarters of 2021, we will continue to integrate the rest of our services into the new login system, including support.ExchangeDefender.com, Compliance Archive, LiveArchive. Time permitted, we also plan on releasing a few tools to improve end user experience such as our Outlook/OWA plugin, built from the ground up to manage quarantine and user whitelists.
New Features to Expect
1 – Integration with Google and Microsoft OAUTH: Users are now able to utilize Google and/or Microsoft as their login provider. Authenticated users will now see buttons to link their Google or Microsoft identity to their ExchangeDefender account. Once linked, users can utilize the “Login with Google” or “Login with Microsoft” buttons instead of inputting their ExchangeDefender credentials to login.
2 – Improved 2FA integration: Users are now able to integrate 2FA applications like Google Authenticator or Authy. To setup 2FA users should login to admin.exchangedefender.com and navigate to the Settings for their account. Please keep in mind that the enforcement of 2FA logins (when enabled by the user) will come with the March 6th deployment. We strongly encourage users to set up 2FA before the full activation of our new login system.
3 – Trusted Devices: Coupled with 2FA, users can elect to mark a device they’re logging in with as a trusted device. Once a device is marked trusted, subsequent logins using the same device will not be prompted for 2FA again for 3 months.
4 – Improved Remember Me: On our login server we improved the remember me functionality to allow users to remain authenticated for 7 days if selected during login.
5 – Login to one, access to all: Users who now login to admin, encryption or webshare will inherently be authenticated to all other services using the new login method. This list will grow as we continue integrating services into the new login system.
6 – Centralized Navigation: Users will see a consistent navigation system across all products utilizing the new login system. More importantly, navigation to other products is streamlined and consistent.
7 – External Integrations: While redesigning the login system, we also elected to start centralizing API endpoints in anticipation of allowing partners and external providers to design their own tools and solutions, backed by ExchangeDefender.