The YeshID kitchen: where security and usability meet
Identity and access management is a nuanced problem. Everyone hates it, and with good reason.

So, welcome to YeshID’s metaphorical kitchen. Notice it’s spotless! Let’s take a quick tour, and I’ll point out how we do things differently.

Let’s start over there. Do you see the sign “Customers never hacked because of YeshID”? That is where we create the secure foundation for managing the identities of customers and employees, the services they need to access, and the authentication methods we provide. Notice the minimalism, how simple everything is. Simplicity minimizes mistakes and ensures precision work. No rough cuts or shortcuts here! The chefs use Golang, a simple, fast, statically typed language created by Google, to power our backend.

Next is the frontend station. It’s the one with all the colorful spices and ingredients. Do you see the “Dead simple and delightful to use” sign? We want everything that comes out of the YeshID kitchen to be a perfect balance of security and usability. Every step is continuously refined: customer onboarding, deployment, employee onboarding and offboarding, security, compliance, privacy, and simplicity. We eat with our eyes first and keyboards next.

The next station, the one with the storage islands, charts and whiteboards, lab instruments, and measuring tools, is our metrics station. Here is where we measure everything we do. The goal is to identify what – exactly – works. How much time did you spend onboarding a new employee? How many clicks did you have to make? What was the employee’s experience? How can we make it easier and more secure for everyone? We try to measure everything and turn it into actionable information so that the next dish is better for everyone.

The last thing I am going to show you is the most important: our team. Our talented chefs work across all stations. Together, we yesh things into existence – building everything from nothing.
We’ve built the kitchen and tools; we’re growing the ingredients and assembling the dishes. We’re obsessed with the customer experience: your experience as an admin, your experience as an employee, and your experience as a user of the YeshID wallet. We constantly iterate on every aspect and try new ingredients and new combinations. We’re never satisfied. That is why one of the values we put in our first blog post, for our metaphorical kitchen but very real company, is: “Innovate until experience & security exist in harmony.”

Our chefs are experienced. They have tasted good dishes and bad ones. They experiment and innovate, mixing old ingredients and new, and delight when they create something delicious that no one has ever seen, tasted, or smelled before.

Let me tell you a little about why we felt compelled to start YeshID: the frustration that drove us.

Imagine you are responsible for digitally onboarding new employees to your company, AcmeLabs. You just hired Fred or Sally. And you (or someone charged with that duty) need to assign an @acmelabs email address (and temporary password) for each new hire. You also need to make sure that the email and password are sent securely and that the new hire enables 2FA.

So here’s the classic recipe:
- Get the new hire’s personal email address (the one that’s been used in the hiring process)
- Go to Google Workspace and create a new user account. Assign a user name based on the company’s standard (an alias can be added later)
- Add the personal email and phone number (if known) as backup contact points.
- Send an email to the personal email address with a log-in link.
- When they click the link they’ll have to replace the temporary password with a new one. Yikes! Passwords. Of course, you’ve set up a domain-wide password policy: the minimum and maximum password length, whether to require strong passwords, how often they expire. Yes, replace a password with a password. And users never make mistakes. And they never forget the passwords they’ve entered or increment that last digit. Never. And they never let the link expire – like you sent it on Friday and they don’t get to it until Monday. Two weeks from now. Oh, never!
- And of course, you’ve enabled 2FA for the domain. So after they replace a password with a password they have to choose their second authentication method. And that’s not dead simple. It’s easy to screw up and then you’ve got to fix it.
- By the way, how long a grace period do you give new users before they provide their second authentication method? And do you want to enforce it? Hint: if enforcement and no grace period, then they can’t log in! And if there’s a grace period, what happens when the grace period lapses – as it will? And how many steps do they go through to authenticate with their phone?
- If you’re using a third-party MFA solution, make sure it’s been installed ahead of time and your new hires already know how to use it, or they’ll get locked out.
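As an added illustration of the lockout paths the recipe above lists (example code written here, not YeshID’s own software, and it models the rules as the post states them, not Google Workspace’s actual enforcement logic), the policy fields, sample dates and the assumption that the grace period counts from the invitation are all constructed:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from collections import Counter

# Constructed policy model: the fields and day counts are assumptions for
# illustration, not YeshID's or Google Workspace's actual settings.
@dataclass(frozen=True)
class DomainPolicy:
    enforce_2fa: bool          # is a second factor required for the domain?
    grace_period_days: int     # 0 means no grace period at all
    invite_link_ttl_days: int  # how long the temporary login link stays valid

# Sample policy: 2FA enforced, 7-day grace period, links valid for 3 days.
SAMPLE_POLICY = DomainPolicy(enforce_2fa=True, grace_period_days=7, invite_link_ttl_days=3)
INVITED_AT = datetime(2024, 1, 5, 17, 0)  # a Friday afternoon, constructed

def login_outcome(policy: DomainPolicy, invited_at: datetime, now: datetime,
                  password_changed: bool, enrolled_2fa: bool) -> str:
    """State the new hire ends up in under the rules the recipe lists.
    The grace period is assumed to count from the invitation date."""
    age = now - invited_at
    if not password_changed:
        # Sent on Friday, opened two Mondays later: the link is dead.
        if age > timedelta(days=policy.invite_link_ttl_days):
            return "LOCKED_OUT:link_expired"
        return "PENDING:replace_temporary_password"
    if policy.enforce_2fa and not enrolled_2fa:
        if policy.grace_period_days == 0:
            # Enforcement with no grace period: no way in to enroll.
            return "LOCKED_OUT:2fa_enforced_no_grace"
        if age > timedelta(days=policy.grace_period_days):
            return "LOCKED_OUT:grace_period_lapsed"
        return f"ALLOWED:enroll_2fa_within_{policy.grace_period_days - age.days}_days"
    return "ALLOWED:ok"

def simulate(policy: DomainPolicy, days_since_invite: int,
             password_changed: bool, enrolled_2fa: bool) -> str:
    """Convenience wrapper: evaluate N days after the sample invitation."""
    now = INVITED_AT + timedelta(days=days_since_invite)
    return login_outcome(policy, INVITED_AT, now, password_changed, enrolled_2fa)

def lockout_report(policy: DomainPolicy, scenarios) -> dict:
    """Count outcomes for (days_since_invite, password_changed, enrolled_2fa)
    tuples: a quick preview of the help-desk tickets a policy will generate."""
    return dict(Counter(simulate(policy, *s).split(":")[0] for s in scenarios))
```

Run `lockout_report` over a batch of constructed hire scenarios to see which policy combination produces the fewest LOCKED_OUT outcomes before rolling it out.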
Taste good so far? Or is it kind of bitter? And that’s not all of it. There are lots more things that can go wrong. And will. And we wonder why 40% of help desk tickets have to do with credentials.

What about YeshID? How do we make it dead simple, completely secure, and delightful to use? Stay tuned as we share more about our special sauce in upcoming posts.

Hungry? Take a bite. Reach out to Dana or me.

Want to build with us? Chefs needed! Check out: https://www.yeshid.com/web-frontend-engineer.