Released: October 25th, 2020 as part of Platform Update - Q4 2020
We take security seriously and are always looking for ways to make Agility CMS more secure. We also strive to ensure security measures never adversely affect the ability to use Agility CMS.
Agility CMS is introducing an update that will improve how users authenticate with Agility CMS, make it more secure, and easier to log in using external providers such as Google, GitHub, or Microsoft.
This update applies to only Agility CMS users logging into the Content Manager app.
What has Changed?
- Your existing login email and password will NOT change and will continue to function as is
- Easier to login by using GitHub, Google, or Microsoft in addition to regular email login
- Extra security via Multi-factor authentication (via Authenticator app or email) can be enforced for Enterprise and Grand-fathered plans
- Stronger password requirements for all Agility CMS user accounts will be enabled when setting your password:
  - At least 8 characters in length
  - Contains a lower case (a-z), upper case (A-Z), and a number (0-9)
  - Contains a special character (!@#$%^&*)
  - Cannot re-use a password that was used previously (within the last 5 passwords)
- Any password expiration policies currently enabled will be deprecated in favor of using Multi-factor authentication
- Improved single-sign-on using Azure Active Directory where you can force your users to only be able to authenticate to Agility CMS using Azure Active Directory login - this must be enabled by Agility CMS
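The password rules listed above, expressed as a server-side check. This is an added example, not Agility CMS code; the PBKDF2 storage format, the round count and the history layout are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re

# Rules from the Q4 2020 update: >= 8 characters, lower, upper, digit, one of the
# listed special characters, and no reuse of any of the last 5 passwords.
SPECIAL = "!@#$%^&*"
HISTORY_DEPTH = 5
PBKDF2_ROUNDS = 100_000    # illustrative; tune for your own hardware

def policy_violations(password):
    """Return the rules a candidate password fails (an empty list means it passes)."""
    problems = []
    if len(password) < 8:
        problems.append("at least 8 characters")
    if not re.search(r"[a-z]", password):
        problems.append("a lower case letter (a-z)")
    if not re.search(r"[A-Z]", password):
        problems.append("an upper case letter (A-Z)")
    if not re.search(r"[0-9]", password):
        problems.append("a number (0-9)")
    if not any(ch in SPECIAL for ch in password):
        problems.append("a special character (!@#$%^&*)")
    return problems

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 (hypothetical storage format for this example)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def was_used_recently(password, history):
    """history: (salt, digest) pairs of earlier passwords, newest first.
    Only the HISTORY_DEPTH most recent entries count; anything older may be used again."""
    for salt, digest in history[:HISTORY_DEPTH]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False

def accept_new_password(password, history):
    """Combine the complexity rules with the reuse check; returns the list of failures."""
    problems = policy_violations(password)
    if was_used_recently(password, history):
        problems.append("re-use of one of the last 5 passwords")
    return problems
```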
- Why are we Deprecating Password Expiration Policies?
- What will happen to my current Password Expiration Policy?
- How Multi-factor Authentication Works
- Enrolling in Multi-Factor Authentication
- Logging in with Multi-factor Authentication
- Unable to Provide One-Time Code with Authenticator App
- Why Can't I Log in to Microsoft using my Azure Account anymore?
- Logging in Without Azure Active Directory Login
- How Single Sign-On works with Azure Active Directory
- Enabling Single Sign-On with Azure Active Directory
Why are we Deprecating Password Expiration Policies?
Password expiration policies have been common practice for a long time in the IT industry. They were born out of necessity as a way to combat brute-force attacks. For example, long ago, it was widely understood that it could take up to 90 days to brute-force a password (a machine constantly guessing passwords). Therefore, forcing a user to reset their password every 90 days was a good way to stay ahead of any machines trying to guess passwords.
Since then the landscape has changed: computers are far more powerful and can guess a password in much less than 90 days, so changing your password frequently no longer makes it more secure. In addition, users who are required to change their passwords often are far more likely to choose basic or predictable passwords.
We are not alone in this. Microsoft has recently updated its recommendations for password policies.
"Password expiration requirements do more harm than good, because these requirements make users select predictable passwords, composed of sequential words and numbers which are closely related to each other. In these cases, the next password can be predicted based on the previous password. Password expiration requirements offer no containment benefits because cyber criminals almost always use credentials as soon as they compromise them." - docs.microsoft.com
Rather than rely on password expiration for additional security, we recommend enabling Multi-factor authentication for your Organization.
What will happen to my current Password Expiration Policy?
If you had a password expiration policy enabled, your users' passwords will no longer expire. In its place, your users will instead have Multi-factor authentication enforced which provides the highest level of security by requiring a one-time passcode in addition to your regular login password in order to authenticate to Agility CMS.
How Multi-factor Authentication Works
Multi-factor authentication (MFA) provides a method to verify a user's identity by requiring them to provide more than one piece of identifying information. This ensures that only valid users can access their accounts even if they use a username and password that may have been compromised from a different application.
Multi-factor Authentication (MFA) can be enabled for all enterprise or grand-fathered plans. It is enabled at the Organization level and will enforce MFA for all users that have access to that Organization. This allows organizations to manage their policies across all of their Agility CMS instances.
When a user signs up for an Agility CMS account or an existing user has access to an Organization that requires MFA to log in, they will be prompted during login to enroll in MFA. They will not be able to log in until they have completed the MFA setup.
Enrolling in Multi-Factor Authentication
If Multi-factor authentication (MFA) is enabled for your organization, you will be prompted to enroll in MFA the next time you log in to Agility CMS.
You will need an Authenticator app (see below for options) on your phone that is capable of scanning the enrollment QR code and completing the handshake required to enroll. Afterwards, you will use that same Authenticator app whenever you are prompted to enter your one-time code.
Supported Authenticator Apps
The following authenticator apps have been tested and are officially supported.
Looking for additional app support? Please contact firstname.lastname@example.org and we'd be happy to look into your request.
Saving your Recovery Code
Once you've established a connection with your app, you are presented with a recovery code you may use to reset your MFA enrollment if you lose your phone or are otherwise unable to access your authenticator app anymore. Keep this code in a safe place.
Logging in with Multi-factor Authentication
Once you've enrolled, each time you log in you will be prompted for a one-time code from the authenticator app you originally enrolled with. Open your app and type in the code.
If you are logging in on a trusted device, check the box Remember this device for 30 days to avoid having to authenticate using MFA each time you log in.
Unable to Provide One-Time Code with Authenticator App
If you lose your phone or uninstall your authenticator app that you originally enrolled with, or are otherwise unable to provide a one-time code, you can try another method.
You can use your previously recorded recovery code. If successful, this will provide you with another recovery code and allow you to login. Store the new recovery code in case you need it in the future.
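The enrollment handshake, one-time code check and single-use recovery code described in the two sections above, as an added example that is not Agility CMS code. It assumes the authenticator app implements standard TOTP (RFC 6238: SHA-1, 6 digits, 30-second steps); the record layout, the recovery-code format and the issuer label are assumptions made for the example.

```python
import base64, hashlib, hmac, os, secrets, struct, time
from urllib.parse import quote

# Assumed: the authenticator app implements RFC 6238 TOTP (SHA-1, 6 digits, 30 s steps).
STEP, DIGITS = 30, 6

def enroll(account, issuer="Agility CMS"):
    """Create the per-user secret, the otpauth URI the enrollment QR code encodes,
    and a one-time recovery code. Returns (server_record, uri, recovery_code)."""
    secret = os.urandom(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = "otpauth://totp/%s:%s?secret=%s&issuer=%s&digits=%d&period=%d" % (
        quote(issuer), quote(account), b32, quote(issuer), DIGITS, STEP)
    recovery = secrets.token_hex(8)
    record = {"secret": secret, "last_counter": -1,
              "recovery_hash": hashlib.sha256(recovery.encode()).digest()}
    return record, uri, recovery      # show the recovery code once; store only its hash

def totp(secret, counter):
    """RFC 4226 HOTP dynamic truncation applied to the time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (DIGITS, value % 10 ** DIGITS)

def verify_code(record, code, now=None, window=1):
    """Accept the current step or one step either side (clock drift), but never a
    step at or before the last one used, so a captured code cannot be replayed."""
    counter = int((time.time() if now is None else now) // STEP)
    for c in range(counter - window, counter + window + 1):
        if c > record["last_counter"] and hmac.compare_digest(totp(record["secret"], c), code):
            record["last_counter"] = c
            return True
    return False

def use_recovery_code(record, code):
    """Single use: a valid recovery code is consumed and a fresh one is issued,
    which the user must store in its place (as the page describes)."""
    given = hashlib.sha256(code.encode()).digest()
    if not hmac.compare_digest(given, record["recovery_hash"]):
        return None
    new_code = secrets.token_hex(8)
    record["recovery_hash"] = hashlib.sha256(new_code.encode()).digest()
    return new_code
```

The `totp` function reproduces the RFC 6238 test vectors (secret `12345678901234567890`, T=59 gives 287082), which is a quick way to confirm an implementation matches the apps users will enroll with.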
Still Can't log in?
Please contact email@example.com where we can verify your identity and reset your Multi-factor authentication enrollment.
Why Can't I log in to Microsoft using my Microsoft Work/Azure AD Account anymore?
If you are trying to log in to your Agility CMS account using Sign in with Microsoft, this now only supports personal Microsoft accounts, such as those on domains ending in @outlook.com and @hotmail.com.
If you are trying to log in using a work account with a custom domain or @on.microsoft.com, enter your email address in the email address field instead.
If Azure Active Directory single sign-on is enabled for your email domain, then you will be redirected to the correct Microsoft login portal for work accounts.
Logging in Without using your Microsoft Work/Azure AD Account
If you previously used the login with Microsoft, do not have a password for Agility CMS, and Active Directory single sign-on is not enabled for your domain, you can reset your password and log in via the email/password combo.
In the future, if you enable Azure Active Directory single sign-on, it will link to the same user account as your email/password combo.
How Single Sign-On works with Azure Active Directory
While logging into Agility CMS using your Microsoft Azure AD account is not new, we have made it more secure: if Azure AD login is enabled for your email domain, it is now the only way you can sign in.
Previously, you could optionally log in using a Microsoft Work/Azure AD account or an email/password combo, and that decision was left up to the end user.
This meant that your IT administrators couldn't force you to log in with a Microsoft Work/Azure AD account, and your email/password combo would still let you log in even if your Microsoft Work/Azure AD account had been disabled or deleted.
To make this more secure, we've opted to introduce identity-first authentication. This works by inspecting the email address you are trying to log in with and then automatically determining the authentication method you are allowed to use.
This means when a change occurs in your company and a user's email account is disabled or deleted, their access to Agility CMS is also removed since there is no way to authenticate the user anymore.
In the case of Azure Active Directory login, we inspect your email address and will automatically use your Microsoft Work/Azure AD account to authenticate.
Note the "Single Sign-On Enabled" label and that the password field disappears if your email domain matches a registered single sign-on domain in our system. Clicking Log In will then take you to the Microsoft Azure login page to authenticate.
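The identity-first routing described above, as an added example that is not Agility CMS code. The registry of SSO domains (using the page's @fabrikam.org example), the user directory, the demo hashing and the `azure_ad_user` structure standing in for the identity returned by the Microsoft login are all constructed for the example.

```python
import hashlib
import hmac

PERSONAL_MICROSOFT = {"outlook.com", "hotmail.com"}   # page's examples for "Sign in with Microsoft"
SSO_DOMAINS = {"fabrikam.org"}                        # constructed registry of SSO-enforced domains

def email_domain(email):
    """Normalise and return the domain part, or None if the address is malformed."""
    email = email.strip().lower()
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    domain = domain.rstrip(".")
    return domain if local and domain else None

def login_method(email, sso_domains=SSO_DOMAINS):
    """Identity-first routing: the address alone decides; the user gets no choice."""
    domain = email_domain(email)
    if domain is None:
        return "invalid"
    if domain in sso_domains:
        return "azure_ad"               # password field hidden, redirect to Azure AD
    if domain in PERSONAL_MICROSOFT:
        return "password_or_microsoft"  # personal account: either path is allowed
    return "password"

def pw_hash(password):
    """Demo only: use a slow, salted hash in a real system."""
    return hashlib.sha256(password.encode()).hexdigest()

def authenticate(email, users, password=None, azure_ad_user=None, sso_domains=SSO_DOMAINS):
    """users: constructed directory {email: {"pw_hash": ...}}.
    azure_ad_user: stand-in for the signed-in Azure AD identity {"email", "enabled"}."""
    method = login_method(email, sso_domains)
    key = email.strip().lower()
    if method == "invalid" or key not in users:
        return "denied"
    if method == "azure_ad":
        # A leftover password hash must not help once SSO is enforced for the domain,
        # and a disabled or deleted AD account yields no usable identity at all.
        if azure_ad_user and azure_ad_user["email"] == key and azure_ad_user["enabled"]:
            return "ok"
        return "denied"
    if password is None:
        return "denied"
    return "ok" if hmac.compare_digest(pw_hash(password), users[key]["pw_hash"]) else "denied"
```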
Enabling Single Sign-On with Azure Active Directory
If you wish to force users with a specific email domain (e.g. @fabrikam.org) to log in with their Microsoft Work/Azure AD account to access Agility CMS, please contact firstname.lastname@example.org and we can look at enabling this for your email domain (company-wide).