As technology advances and security risks increase along with it, your company is probably looking for a login approach that is both user-friendly and safe for data. With today’s technology, IT security and ease of access are in constant conflict. On one hand, data must be kept safe from unauthorized individuals. On the other hand, there is a desire to make technology as easy to use as possible. To tackle these concerns for Louisville Gas and Electric (LG&E), Development Team Lead Ryan Black modernized the company’s PeopleSoft authentication methods by identifying potential problems, creating solutions, and monitoring how they performed. The company ultimately decided to leverage two-factor authentication and single sign-on within its PeopleSoft system.
Key Takeaways
Here are just a few high-level key takeaways of Ryan’s presentation:
- You can modernize your PeopleSoft authentication methods by writing two-factor authentication and single sign-on into your current code.
- These features will enhance the security of sensitive company data, as well as provide an enjoyable user experience for employees.
- It is highly recommended that you apply an expiration timeline to codes that are used for logins to keep old codes from granting unwanted access.
- It is also a good idea to re-route user security roles for those accessing data from an external location.
The Problem
In his situation, Ryan faced a need to provide a fully functional external option for employees to access pay stubs and W2 information in order to align with union agreements.
Previously, his company had utilized a vendor application to support external login functionality that allowed them to change external login passwords without risking internal login exposure. However, the security division at LG&E identified that the application contained a vulnerability that would allow anyone on the outside to change a password to any account.
As a result, confidential company data was at high risk of a breach. Ryan needed a solution quickly in order to meet union contract requirements and protect sensitive data.
The External Solution
Ryan and his development team considered Google’s two-factor authentication as an example of modernizing the login experience. They decided to develop a version of this that would allow external users to access PeopleSoft accounts within LG&E. To do this, the team created an external web service that performs the following three steps:
- Take in the user’s ID.
- Create a randomly generated code.
- Text the generated code to the phone number listed in PeopleSoft via SMS.
After the service completes these actions, the user enters his or her internal ID, internal password, and recently received SMS code to log into the system. The SMS code is only valid for five minutes. If the user does not log in within five minutes, he or she must request a new one.
Once the user gains access to PeopleSoft from outside of the company network, the user only has access to company-approved off-site data. This is because the login PeopleCode actually changes the user’s roles when logging in externally to limit access to MyHR only. Essentially, the system recognizes that the user is trying to log in externally, stores his or her actual security roles in a temporary place, and grants the user access to only off-site approved information. Roles revert to regular access when the user logs in internally.
For a demonstration of the two-factor authentication method, check out the video below.
Extending the Solution
With the 9.2 upgrade, Ryan and his team ran into new issues that needed to be addressed. Although the upgrade provided ease of use for employees by introducing mobile capabilities, there were no login enhancements built in.
Since single sign-on is a prevalent feature in most cloud-based applications, LG&E decided to find a way to provide the same functionality for their users. However, PeopleSoft does not support SSO out of the box, so it had to be implemented through some form of service call. This meant that the company could either pay an external vendor to support SSO with PeopleSoft, or they could create their own. They decided to do the latter.
With the mobile capability offered through Fluid at the onset of 9.2, LG&E wanted users to be able to see everything on their cell phone without having to create and enter an additional password. Users first had to log in to the mobile tool, and then log in a second time to the application. The development team wanted to create a better user experience by mitigating the issue while maintaining the security necessary for company data. They decided to extend the web service they had already and build a single-sign-on solution.
In short, the solution takes a property from the HTTP request (the user’s Windows login) as validation of who the person is and communicates it to the application. At that point, a 25-character unique key is generated and passed into the login functionality. The user never sees this key, which has a lifetime of only 5 seconds.
Within the login PeopleCode, Ryan verified that the keys matched and deleted the stored key whether they matched or not. The code then restores any roles that the external login functionality had removed.
These steps created a seamless method for users to log into the system without having to do anything but go to the site. The team also kept a way for users to enter their login information manually if they needed to log in as someone else or if SSO was down for some reason.
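The two flows described on this page, the SMS code with a five-minute lifetime and narrowed external roles (The External Solution) and the 25-character SSO key with a five-second lifetime that is deleted on verification and restores the parked roles (Extending the Solution), share one mechanism: a single-use code that expires. The following is an added illustration written for this summary, not LG&E’s PeopleCode or web service. Everything concrete in it is assumed: the in-memory store stands in for a database table, `REMOTE_USER` stands in for whatever request property carries the Windows login, `MyHR_External` is a made-up role name, and the user account and phone number are constructed sample data.

```python
import hmac
import secrets
import string
import time
from dataclasses import dataclass

# Lifetimes as stated in the article: five minutes for the SMS code,
# five seconds for the SSO key.
SMS_CODE_TTL = 5 * 60
SSO_KEY_TTL = 5

# Hypothetical restricted role set for external sessions; the article only
# says access is limited to MyHR, so this role name is constructed.
EXTERNAL_ROLES = {"MyHR_External"}


class OneTimeCodeStore:
    """In-memory one-time codes keyed by user ID (a table in real use).

    verify() deletes the stored code whether or not it matches, so a code
    can never be replayed, and rejects codes older than `ttl` seconds.
    """

    def __init__(self, ttl, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock      # injectable so expiry can be exercised in tests
        self._codes = {}        # user_id -> (code, expires_at)

    def issue(self, user_id, code):
        self._codes[user_id] = (code, self.clock() + self.ttl)
        return code

    def verify(self, user_id, presented):
        entry = self._codes.pop(user_id, None)   # always delete, match or not
        if entry is None:
            return False
        code, expires_at = entry
        if self.clock() > expires_at:
            return False
        return hmac.compare_digest(code, presented)  # constant-time compare


def new_sms_code():
    """Six decimal digits from the OS CSPRNG, zero-padded."""
    return f"{secrets.randbelow(10 ** 6):06d}"


def new_sso_key():
    """25-character alphanumeric key, the length the article describes."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(25))


@dataclass
class UserAccount:
    user_id: str
    phone: str
    roles: set
    saved_roles: set = None   # real roles parked while an external session is active

    def enter_external_mode(self):
        if self.saved_roles is None:
            self.saved_roles = set(self.roles)
        self.roles = set(EXTERNAL_ROLES)

    def restore_internal_roles(self):
        if self.saved_roles is not None:
            self.roles, self.saved_roles = self.saved_roles, None


def start_external_login(account, store, send_sms):
    """Steps 1-3 of the external service: take the ID, make a code, text it."""
    code = store.issue(account.user_id, new_sms_code())
    send_sms(account.phone, code)    # send_sms stands in for the SMS gateway


def finish_external_login(account, store, password_ok, presented_code):
    """User presents ID, password and SMS code; on success roles are narrowed."""
    if not (password_ok and store.verify(account.user_id, presented_code)):
        return False
    account.enter_external_mode()
    return True


def sso_issue_key(store, request_props, prop="REMOTE_USER"):
    """SSO service: read the Windows identity from the request (property name
    assumed) and mint a key the user never sees."""
    return store.issue(request_props[prop], new_sso_key())


def sso_login(account, store, presented_key):
    """Login-time check: compare, delete either way, restore parked roles."""
    if not store.verify(account.user_id, presented_key):
        return False
    account.restore_internal_roles()
    return True


def demo():
    """Run both flows against a controllable clock; returns the outcomes."""
    now, sent = [1000.0], []
    account = UserAccount("jdoe", "+15025550100", {"PeopleSoft User", "Payroll Admin"})
    sms_store = OneTimeCodeStore(SMS_CODE_TTL, clock=lambda: now[0])
    sso_store = OneTimeCodeStore(SSO_KEY_TTL, clock=lambda: now[0])
    deliver = lambda phone, code: sent.append((phone, code))

    start_external_login(account, sms_store, deliver)
    first = finish_external_login(account, sms_store, True, sent[-1][1])
    replay = finish_external_login(account, sms_store, True, sent[-1][1])
    external_roles = set(account.roles)
    start_external_login(account, sms_store, deliver)
    now[0] += 6 * 60                                  # code left unused for six minutes
    stale = finish_external_login(account, sms_store, True, sent[-1][1])

    key = sso_issue_key(sso_store, {"REMOTE_USER": "jdoe"})
    now[0] += 2
    sso_ok = sso_login(account, sso_store, key)
    internal_roles = set(account.roles)
    key = sso_issue_key(sso_store, {"REMOTE_USER": "jdoe"})
    now[0] += 6                                       # key older than five seconds
    sso_stale = sso_login(account, sso_store, key)
    return dict(first=first, replay=replay, external_roles=external_roles, stale=stale,
                sso_ok=sso_ok, internal_roles=internal_roles, sso_stale=sso_stale)
```

Running `demo()` shows the properties the article relies on: the texted code works once and is refused on replay, a code older than five minutes is refused, the external session carries only the restricted role, the SSO key is accepted within its five-second window and restores the original roles, and a late key is refused and deleted like any other.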
To learn more about LG&E’s experience of modernizing their authentication methods through single sign-on and how to protect your PeopleSoft system from security risks, check out the full presentation.