SORSS - 2 Factor Authenticator Security Update

Why we’re implementing 2 Factor Authentication (2FA)

We are implementing Two-Factor Authentication (2FA) across our software and will be rolling it out in phases over the next 4 to 6 weeks.

This is an important security feature that is quickly becoming industry standard, and it is provided purely as an extra layer of security for your data. It also provides further, more accurate accountability for actions performed on the system; multiple users sharing a single log-in is not ideal. We do not charge per user, so each user should have their own account. As custodians of sensitive customer data, we should know exactly who is accessing the data, why, and when.

We understand changes are sometimes difficult to adapt to, but we must stress that our software is constantly evolving - we will implement changes and new features which we feel benefit our clients and this will be done at our discretion, especially when it affects the security of personal data.

Phase 1 - Collection of Data, specifically a unique email address and mobile number
Phase 2 - Password Strength Requirement Implementation
Phase 3 - Internal User 2FA implementation
Phase 4 - Customer User 2FA implementation

2FA also mitigates poor password practices, especially shared logins, which bring in a host of other problems. For example: 'do you have strict procedures to update passwords when people leave?' If not, 2FA prevents ex-employees from logging in on shared user accounts, as they can't log in without the generated code.

Cyber defence, compliance, and reducing risk 
We have regulatory requirements under GDPR to better protect customer data. Unfortunately, this can’t be waived by individual customers, purely because leaving attack vectors into the system leaves the whole system exposed – everyone’s data would still be at risk. 2FA protects us from brute force, data leaks and other forms of cyber attack.

Live Changes/Updates
Users are now required to enter a unique Email Address & Mobile number. When they log in, they will be taken to the View User page to update their details accordingly. Eventually this will be enforced, and a user won't be able to continue with an account that does not have unique contact details. This applies to both internal and customer users.

  • User Mobile numbers are not available to view/edit by anyone other than the account owner (Internal & Customer)
  • The Reset 2FA option when Viewing a User is available to all Users with Access Level 1; it removes the Mobile number and allows the user to update it on their next login attempt