Keeping Your CMS Secure

We live in a world of passwords. And we live in a world in need of security.

Passwords surround everything we do. For those responsible for managing passwords across family, children, or business, collection and safekeeping of passwords simply become one of the day’s tasks, just like brushing your teeth or putting on socks.

But keeping those passwords safe and hidden is just one side of the battle. Programs like 1Password provide access to easily saved and totally random password strings, helping stay away from basic passwords like “1234” or “password,” but even the longest passwords can be cracked if given enough time — and enough motive.

This means we need more than just a password to protect highly valuable sources of information. Like your personal contacts and photos. Like your bank account information.

And like the content and permissions with your content management system (CMS).

That’s where multi-factor authentication comes in.

Why multi-factor authentication is important.

As a reminder, when we talk about multi- or two-factor authentication, we’re talking about asking for a second or third (or, in rare cases, even more!) pieces of evidence in order to authenticate a user. This most often manifests as entering a second unique ID that’s based on something in close proximity, such as a key fob with an ever-changing number, or a code sent to a secondary device.

What’s important is that the additional layers of authentication happen separate from your already accessible online accounts — something that can’t already have been hacked. For example, when you log in to something like Apple’s iCloud, and a notification pops up on another linked device asking for confirmation — that’s two-factor authentication.

The truth is, strong passwords are still valuable and important, but they’re not perfect. In a lot of cases, a password may have been cracked for days before there’s any indication, simply because there’s rarely any notification when a password has been entered on a strange or new device. Given that your CMS might be accessed multiple times by different people on different devices, this seems obvious — no one wants to get an email every time someone logs in.

But, in reality, most people ultimately do not know when — or how — their sites are compromised. In an article written about Two-Factor Authentication in WordPress sites, it was found that 61.5% of respondents had no idea how an attacker compromised the site.

Even scarier, there’s little idea of what someone might do once they’re in there. They might change a line of text.

Or, they might attempt to throw the site into chaos.

Why you need it for your CMS.

Of course, this is more than just someone stealing your tweets or accessing your Netflix queue. Unauthorized access of your content management system is akin to gaining control of your business’ entire online persona — and, in the case of an organization that depends on content as a business asset or, even more critical, a business that depends on uptime to sell online products, unauthorized meddling in the content management system can lead to loss of reputation, loss of income, and even loss of actual assets.

With the understanding that your CMS is as valuable and private of a tool as your CEO’s laptop or a safe of petty cash, it makes the necessity of two-factor authentication even more crucial. You need to protect your site and make sure only the right people can access it, and this cannot be done through passwords alone.

Because, let’s face it; even the most secure password can fall into the wrong hands, especially for those who don’t depend on password protection software, or those who log in so infrequently that they wouldn’t notice any malicious action for weeks after a security breach.

So let’s get that Episerver site — or any site, really — protected.

How to enable it.

With regards to how to enable 2 Factor Authentication on an Episerver site, we know a guy.

Joshua Folkerts, Blend partner and lead developer — as well as one of the nation’s only Episerver EMVPs — has written a post about Episerver two-factor authentication over at Episerver World. His method provides a QR code that allows for access to a unique six-digit code through Google Authenticator.

Upon setting up the Google Authenticator, it will be active any time you attempt to log into the Episerver site. You’ll still be using your original name and password, but now you’ll simply need to provide an extra always-changing six-digit code to complete the transaction. It’s your code, and your code only, which means you’ve made the CMS — and all the content therein — a lot more secure.

Google Authenticator and other two-factor authentication methods can be used to secure any modern content management system. If you’d like additional information, drop us a line and we’ll see how we can help!