Application Specific Passwords / Login Aliases at LuxSci

December 14th, 2017

LuxSci now supports the creation of “application-specific passwords” for individual user accounts.

What are these?  They are essentially “login aliases.”

Increase your security through application-specific passwords
Users can create distinct username/password combinations for use with different applications, devices, or for shared account access.  These login aliases can have limited privileges; for example, granting access only to email or only to web site file storage.  Because each alias has its own password and its own scope, the loss of one device or application no longer exposes the whole account.  In this article, we will discuss application-specific passwords, what their benefits are, and how to use them effectively.

Wait…. What Exactly is an Application-Specific Password?

Let's explain through an example.

Let's say your email address and login to LuxSci are “sales@security.com”.  You have a really strong and secret password (in fact you are very proud of your password) and you do the right security things.  You have two-factor authentication enabled for WebMail access.  You don’t use this password with other online services.  You always connect to LuxSci securely.  Still, every login you make to LuxSci uses this same username/password combination.  This includes your logins to WebMail, your iPhone’s mail program, Outlook on your desktop, the secure FTP program you use to update your web site files, the app you have integrated with LuxSci’s API, etc.

What’s the problem?  Seems simple and secure.

Let’s play “what if:”

  • What if your phone or computer is stolen?
  • What if a third-party application where you have stored your credentials is compromised?
  • What if you need to give your developer access to your web file space?
  • What if you are going on vacation and need to give your business partner Sarah access to your account for a week for business continuity reasons?
  • What if you don’t want to have to change your password everywhere?
  • What if you would like to be able to track what device or application is doing what?

Ordinarily, with just a single username and password, these “what if” scenarios lead to frustration and inconvenience at best and data loss/account compromise at worst.  This is where “Application-Specific Passwords” shine.

You’re smart and you catch on quickly.  You see the utility in Application-Specific Passwords and you create several of them:

  1. “sales@security.com/iphone”, with its own unique password, is used on your phone
  2. “sales@security.com/outlook”, with another unique password, is used in Outlook
  3. You give “sales@security.com/files” to your web developer
  4. You give “sales@security.com/sarah” to Sarah, your business partner.

Now, this means:

  • Each of these four logins is unique and has its own unique password.
  • Each login provides access to your real account, i.e., they are “login aliases.”
  • Each login can have restricted access.  The first two, “/iphone” and “/outlook”, provide access to your email via POP, IMAP, SMTP, and MobileSync only.  The third provides access only to your web files (via SFTP or SSH).  The last one you have decided should provide complete access for your business partner.

How does this help with our security “what if” situations?

What if your phone or computer is stolen?

The username and password saved on that device can only access your email.  They can’t be used to access WebMail, administer your account, or access your web site.  Your audit trail can tell you exactly when and if this login was used.  Finally, you can revoke this login any time you like without impacting any of your other logins, i.e., you don’t have to change your password or reset things in other devices or accounts.

What if a third-party application where you have stored your credentials is compromised?

In this case, the username and password you stored in that application have very likely fallen into the wrong hands, and someone will probably try them, at least against WebMail.  Since you used an application-specific password, this password is unique and not tied to anything else.  Since it is restricted to your email, an attacker cannot use it to log in to your Web interface and fully compromise your identity.  As this access is unique and tracked, you can see if/when the stolen credentials were used, and you can revoke them without impacting anything else you have set up.  Once again, you don’t have to change your password everywhere.

What if you need to give your developer access to your web file space?

By creating an application-specific password and restricting its access to your web file space, you can give it to your developer without worrying about the developer gaining access to your email or administration interface.  You also do not need to create a separate user for your developer and move your files around.  You can track when they have logged into the file space and you can revoke access when they are done.

What if you are going on vacation and need to give your business partner access to your account for a week for business continuity reasons?

People usually just share their passwords with others when they need to provide business continuity or shared access.  They should not … but people do a lot of things that they should not.

Using an application-specific password, you can make a special login for this person and avoid sharing that password that you are so proud of.  You can then also see if/when Sarah logged into your account.

LuxSci goes a step further in protecting you as well.  Because she will be logging in to your account with this special login, her access will still be slightly restricted.  She will not be able to change your password; she will not be able to make other application-specific passwords; and she will not be able to set up quick login access to your account.  This protects you, to some degree, from Sarah.

What if you don’t want to have to change your password everywhere?

By using application-specific passwords, you simply revoke the access that you have granted when you are done with one or when you think it may have been compromised.  You never have to change your super-awesome main password.

What if you would like to be able to track what device or application is doing what?

Every login to every service is tracked in LuxSci.  Along with the IP address and time and date of the activity, LuxSci records what application-specific username was used.  So, even though they are all logging into the same account, you can differentiate between “/sarah” and “/iphone” and “/files” so you know exactly who/what is accessing your account … and when.

How do I Make an Application-Specific Password?

To create a new application-specific password:

  1. Login to your LuxSci account.
  2. Go to your Security Settings page.
  3. Find the section entitled “Application Passwords”
  4. Click “Use Application Passwords”
  5. Click “New Password”
    1. Enter a descriptive title for this login
    2. Select what access this login should have.  The options include:
      1. All access
      2. WebMail access
      3. Email access (i.e. POP, IMAP, SMTP)
      4. FTP, SFTP, SSH
      5. API, MobileSync, Outlook Plugins
    3. Choose the login suffix.  E.g., “sarah” if you want to make “sales@security.com/sarah”.
    4. Press “New Password”
  6. The new login will be ready for use within 2 minutes.

You can revoke access just by clicking on the “X” delete icon in the same area.  Revoking can also take up to 2 minutes.  Note that revoking only blocks NEW logins to your account … anyone who already logged in will remain logged in (as you) until their login session expires or they explicitly logout.
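The following Python model is an added illustration, not LuxSci's code, that ties together the behaviour described above in one runnable piece: logins of the form “user/suffix” that all resolve to the same account, a per-alias service scope (email only, files only, or everything), an audit trail keyed by the exact alias that was presented, the rule that an alias login cannot change the password or create further aliases even when it has full access, and revocation that blocks new logins but leaves sessions already issued alive.  The scope names, service identifiers, audit fields, session handling and sample passwords are all assumptions constructed for the example.

```python
# Toy model of scoped login aliases (application-specific passwords).  Added
# illustration, not LuxSci's code: the scope names, the "user/suffix" parsing,
# the audit fields and the session handling are assumptions mirroring the article.
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Services grouped the way the article's access options group them.
# The service identifiers are assumed names, not LuxSci's.
SCOPES = {
    "all":     {"webmail", "pop", "imap", "smtp", "ftp", "sftp", "ssh",
                "api", "mobilesync", "outlook-plugin"},
    "webmail": {"webmail"},
    "email":   {"pop", "imap", "smtp"},
    "files":   {"ftp", "sftp", "ssh"},
    "apps":    {"api", "mobilesync", "outlook-plugin"},
}
PRIMARY = ""  # suffix used internally for the account's real login


def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count kept low so the example runs quickly; use more in practice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Alias:
    suffix: str
    salt: bytes
    pw_hash: bytes
    services: set
    revoked: bool = False


@dataclass
class Account:
    username: str
    aliases: dict = field(default_factory=dict)   # suffix -> Alias
    sessions: dict = field(default_factory=dict)  # token -> suffix
    audit: list = field(default_factory=list)     # one entry per attempt

    def add_alias(self, suffix: str, password: str, scope: str) -> None:
        salt = os.urandom(16)
        self.aliases[suffix] = Alias(suffix, salt, _hash(password, salt),
                                     set(SCOPES[scope]))

    def revoke(self, suffix: str) -> None:
        # Blocks NEW logins only.  Sessions already issued keep working until
        # they expire or log out, which is the caveat the article gives.
        self.aliases[suffix].revoked = True

    def login(self, login: str, password: str, service: str, ip: str):
        # Return a session token or None; every attempt is audited under the
        # exact alias presented, so "/iphone" and "/sarah" stay distinguishable.
        name, sep, suffix = login.partition("/")
        alias = None if (sep and not suffix) else self.aliases.get(suffix)
        if name != self.username or alias is None or alias.revoked:
            reason = "unknown-or-revoked-login"
        elif not hmac.compare_digest(alias.pw_hash, _hash(password, alias.salt)):
            reason = "bad-password"
        elif service not in alias.services:
            reason = "out-of-scope"   # e.g. a stolen email-only alias tried on WebMail
        else:
            reason = "ok"
        self.audit.append({"login": login, "service": service, "ip": ip,
                           "result": "success" if reason == "ok" else "failure",
                           "reason": reason})
        if reason != "ok":
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = suffix
        return token

    def authorize(self, token: str, service: str) -> bool:
        # Per-request check on an existing session; deliberately ignores `revoked`.
        suffix = self.sessions.get(token)
        return suffix is not None and service in self.aliases[suffix].services

    def may_manage_credentials(self, token: str) -> bool:
        # Only the primary login may change the password or create further
        # aliases, even for an alias granted "all" access.
        return self.sessions.get(token) == PRIMARY


def scenario() -> Account:
    # The article's example account; all passwords are constructed sample values.
    acct = Account("sales@security.com")
    acct.add_alias(PRIMARY, "main-pw-kept-private", "all")
    acct.add_alias("iphone", "iphone-pw", "email")
    acct.add_alias("outlook", "outlook-pw", "email")
    acct.add_alias("files", "files-pw", "files")
    acct.add_alias("sarah", "sarah-pw", "all")
    return acct


if __name__ == "__main__":
    acct = scenario()
    phone = acct.login("sales@security.com/iphone", "iphone-pw", "imap", "203.0.113.5")
    acct.login("sales@security.com/iphone", "iphone-pw", "webmail", "203.0.113.5")
    acct.revoke("iphone")
    acct.login("sales@security.com/iphone", "iphone-pw", "imap", "198.51.100.7")
    print("stale phone session still authorized:", acct.authorize(phone, "imap"))
    for entry in acct.audit:
        print(entry)
```

Running the block shows the three points a practitioner cares about: the out-of-scope WebMail attempt with the phone's credentials is refused and lands in the audit trail as a distinct “out-of-scope” failure under “/iphone”, the revoked alias can no longer log in, and the session the phone already held still passes `authorize()`, which is exactly why the revocation caveat above matters.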

What’s Special about LuxSci’s Application-Specific Passwords?

The concept of application-specific passwords is not new; some other companies do offer a similar feature. However, LuxSci’s application-specific passwords are particularly useful because:

  1. Restricted Access:  LuxSci allows you to limit access to your account through application-specific passwords.  Most other services that offer similar features simply provide alternate passwords that give full access to your entire account.
  2. Audit Trail: You can see which logins were used and when in your login success and failure audit trails.  Even many of the actions taken while you are within the LuxSci portal (e.g., creating or deleting users, emptying email folders, etc.) are audited and LuxSci tracks exactly which custom login performed the action.  Most other services do not give you any visibility into the details of how and when alternate login credentials were used.

Also:

  1. Each user can have up to 30 separate application-specific passwords.
  2. Account administrators can restrict their users from making application-specific passwords.
  3. Application-specific passwords cannot be used when your account has enabled expiring passwords, i.e., when users are forced to change their passwords with some frequency.  (These days, it is well known that forced password changing is actually detrimental to security… but organizational policies often lag best practices.)

Not a LuxSci customer yet?  Get a Free Trial and give application-specific passwords and our other security features a go.