The CoachAccountable Blog

Master CoachAccountable and become the best dang coach you can be. Also, news.

Archive for Security

CoachAccountable and Single Sign On

As we continue to refine and button up elements of CoachAccountable in service of our enterprise customers, we’re now getting inquiries about our SSO capabilities.  Namely: does CoachAccountable support Single Sign On?

The answer is no, not today.

SSO is understandably desirable among IT teams because it allows them to efficiently and powerfully manage the ins and outs of security provisioning for all of their company employees across a multitude of services.  The convenience for employees to simply sign in once and get access to whatever company accounts they need in order to do their job is undeniable.

Here’s why we don’t support it, including what we have in place to close the gap.


On Administrative Convenience

Access in CoachAccountable is highly nuanced with fine-grained user access controls, and that’s even before factoring in coach-client pairing, the mechanism by which to grant a given coach access only to those clients they are working with (or ought to have read-only access to).  An SSO scheme of user provisioning isn’t going to give you that sort of control over a landscape that fluctuates as client engagements begin and end.  (Ostensibly perhaps it could using SAML, but that would amount to a lot of work just to reinvent in-app functionality.)

And if members of your team come and go at such a scale in your organization that you require automation around that sort of provisioning, permissions granting, and pairing?  Good news: the openly documented CoachAccountable API allows you to do so for whichever parts you need.


On User Convenience

“We want our coaches to be able to seamlessly jump from our systems to CoachAccountable.”

Indeed, no one wants to futz with another login when you’re trying to get your work done.  To support this, what we recommend is for companies to put a link to the CoachAccountable app itself right within their company intranet/app/website/whatever, a big shiny button that says “Jump to CoachAccountable”.

Such a link, coupled with CA’s ability to “Keep me logged in” on a given device that has been legitimately authenticated on, makes the transition seamless.

If someone happens to not be logged in, they’ll be bounced to the login screen, and a login helper is there if they forgot their password (no one needs to nag you or your IT team for a reset).

This idea also works beautifully for home screen app shortcuts that your users can easily install on their devices.  It’s just a shortcut: nothing to find, install, download, upgrade, or trust from any app store.  It’s also branded as your company, with your own name and app icon, and not as CoachAccountable.

All of this balances security with convenience pretty much on par with SSO.  Perhaps “keep me logged in” seems fraught for your tastes, but if you can’t trust your employees to keep their devices secured, you’ve already lost the security game and SSO won’t save you.


What about for coaching clients?

We were once told by a prospective enterprise customer that SSO was required, not necessarily so much for their own company, but for the client companies they work for, that THEY demand it for THEIR users.

The problem with that is it conflates the notion of who owns the account.  If Company A uses an Identity Provider (IdP) to manage authentication for their employees, they can do so for access into accounts that Company A owns: Company A’s Salesforce account, Company A’s email domain, Company A’s enterprise license of Office 365.

But when you coach clients in CoachAccountable, they are a guest in your account.  It’s your account: you add them when they’re working with you, and delete or deactivate them when they’re not.  You can’t let some other company’s IdP provision their own people into your CoachAccountable account, nor would you want to.  That’s like giving a customer a key to your apartment on the understanding that they can let in whomever they like and, worse yet, that it’s not your place to kick anyone out.  If you pick a platform because it promises SSO, you’ll discover this quickly.

Aren’t you conflating authentication with authorization?

If that’s a meaningful distinction for you in the context of wanting SSO, that means you probably only care about the authentication side of the issue.  And if that’s the case, if your concern is to ensure a great client experience by taking login headaches off the table, know that we’re already your ally in that aim.

Making space in one’s life to be coached is already hard enough, and if THEY get distracted from participating fully because of login issues, we already know that as a platform we’ve failed you.

So we’ve engineered CoachAccountable to thoroughly remove all the friction to their participation as mediated by CA.  Alerts and notifications keep things moving, and replying to emails and texts allows them to participate without even needing to log in.  When they need to log in, like for example to do a Worksheet, they get a magic link that jumps them right on in.

In practice, the need for your clients to manually log themselves in is rare, if it arises at all.  We can give your clients a great user experience without SSO.
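For readers curious about what the magic-link login described above involves on the server side, here is an added illustration.  It is not CoachAccountable’s code (which is not public); the function names, the in-memory nonce store and the 15-minute lifetime are assumptions chosen for the example.  The three properties it enforces are the ones that make a URL-as-credential acceptable: the token cannot be forged, it expires, and it works exactly once.

```python
"""Expiring, single-use "magic link" tokens (added illustration, not CoachAccountable's code).

A magic link lets a client log in by clicking a URL we emailed them, so the URL itself
is the credential.  Three properties keep that safe:
  1. it cannot be forged   (HMAC-SHA256 over the payload with a server-side secret),
  2. it expires quickly    (an explicit deadline carried inside the signed payload),
  3. it works only once    (a random nonce is consumed on first use).
All names here are hypothetical; the secret and the nonce store are in-memory for the demo.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time

# Server-side secret; in production load it from a secret manager, never from source.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 15 * 60

# Nonces that have been issued but not yet redeemed (a real deployment would use a
# database table or cache that expires entries on the same schedule).
_unused_nonces = set()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_magic_link(user_id: str, purpose: str, now: float | None = None) -> str:
    """Return the token part of a magic link for `user_id`, scoped to `purpose`
    (e.g. "worksheet:42") so a link minted for one action cannot be replayed for another."""
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(16)
    payload = {
        "uid": user_id,
        "purpose": purpose,
        "exp": int(now) + TOKEN_TTL_SECONDS,
        "nonce": nonce,
    }
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest())
    _unused_nonces.add(nonce)
    return f"{body}.{sig}"


def redeem_magic_link(token: str, expected_purpose: str, now: float | None = None) -> str | None:
    """Validate and consume a token.  Returns the user id on success, None otherwise.
    Every failure path returns the same None so the caller cannot be turned into an oracle."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected_sig = _b64(hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).digest())
        # Constant-time comparison: must not leak how many characters matched.
        if not hmac.compare_digest(sig, expected_sig):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    if payload.get("purpose") != expected_purpose:
        return None
    if payload.get("exp", 0) < now:
        return None
    nonce = payload.get("nonce")
    # Single use: the nonce must still be unredeemed, and we remove it as we accept it.
    if nonce not in _unused_nonces:
        return None
    _unused_nonces.discard(nonce)
    return payload["uid"]
```

The signature check runs before the payload is parsed, so nothing attacker-controlled is interpreted until it has been proven to come from the server; the purpose field is what keeps a link for one worksheet from being used to open a different page.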


Trustworthy Security and Current Events

Identity Providers that make SSO possible have a tremendous amount of power and responsibility as the arbiters of authentication across so many companies, users, and accounts.  So they themselves have to be trustworthy and properly secured.  If not, every bit of access that they control is compromised.

Given that is their entire reason for being, we’d like to think they’ve got their security game on lockdown, and that a breach of the very infrastructure of trust would not occur.

Last month such a breach of Okta, the self-professed “World’s #1 Identity Platform” as provider of IdP and SSO solutions, was revealed.  The breach began over two months prior to that revelation, and they tried (and failed) to keep it swept under the rug.

So no, using SSO is NOT assuredly net-positive for your company’s security posture, and hints of that awareness coming into the zeitgeist can now be seen.  Stripe, for example, is a payments platform that we know and love to process our payments, and it has this alert on its page about its own (still in beta, invite-only) support for SSO:

Talk about reading the room.

A visit to the most recent snapshot of this page from January suggests this warning was a recent addition.  It was probably added within days of the Okta breach revelation.

The Hacker News discussion about the breach contains a pertinent observation:

And this is why I would ultimately never trust a centralized company with our authentication infrastructure: because something like Okta is an infinitely more attractive target than we are. Their offering is sweet, and I’m always tempted to just give in, but this confirms me in my decision.

Do I feel that SSO is forever unfit for CoachAccountable in light of this?  No.

But for now, I’m content to forego the added complexity for a very narrow sort of win.  Instead, I prefer to channel those efforts into enhancements that actually make coaching better, even if that decision comes at the expense of failing to make select IT staffers happy.

In light of the Okta hack, I feel good about making a decision that ultimately amounts to what’s best for the security of our users, for there simply are no junior engineers at CoachAccountable to make the sort of rookie mistakes that lead to the sort of high-profile hacks that large companies routinely suffer.

Ultimately, a coaching platform is here to add value to the work coaches do and to the experience of those on the receiving end.  SSO is, apropos of anything, a fine thing to have on your list of checkboxes when vetting the fitness of various solutions under consideration.

But, in practice, it might not be that essential for your coaching platform.


2-Factor Authentication via SMS

Last week we got an earnest inquiry from Andrew Hinkelman of Priority 1 Group that was very simple:

Do you offer multifactor authentication (MFA) for client credentials/login? If so, I assume one factor could be a code sent via text message?

When Morgan replied with the truth of the matter (no, we do not), we got back:

Is multifactor authentication on your roadmap? If so, roughly when?

Well, at the time it really wasn’t.  Morgan let him know the full scoop, and got back the following:

I’m an executive coach working with leaders in tech. I’m also a recent CTO and managed a team responsible for information security. So… I think not having an additional authentication factor is a deal-breaker for me. I simply cannot direct my corporate clients to use a SaaS service that is not hitting baseline security measures and expect them to use the platform for sharing/storing our 1:1 coaching work.
I really loved everything else I saw about CoachAccountable so I’m bummed to have to restart my search…

“Not hitting baseline security measures?!?”  Well now, that’s really throwing down the gauntlet, isn’t it? :)

And far be it from me to make Andrew have to restart his search!

In truth, adding 2-factor authentication isn’t terribly hard, ESPECIALLY if we skip over authenticator apps and just start with SMS-based.  CoachAccountable is already set up to transact via SMS in countries that represent over 90% of our users.

I’ve had MFA come up as a request a few times over the last several years (expressed interest has been really quite rare, actually).  I didn’t jump on cooking up SMS-based 2FA on account of cutting-edge security researcher reports that SMS was technically not a fully secure channel, owing to the possibility of various SIM card attacks and other niche weaknesses.

But really that was an instance of me letting perfect be the enemy of good.

The fact remains that even humble SMS-based second-factor authentication is a practical step up: in a world where defense-in-depth matters (and indeed it does, for we don’t ALL live in a spy movie being targeted by nation state actors), even mostly secure measures make a meaningful difference!

So I’m happy to report CoachAccountable now supports 2-Factor Authentication over SMS, i.e. for all our users in the US, Canada, UK and Australia[1].  Let’s see how it works!

» Continue reading “2-Factor Authentication via SMS”

[1] Or, more precisely, users who have a US, Canadian, UK, or Australian phone number capable of receiving SMS messages.
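The post stops short of describing how an SMS second factor is handled server-side, so here is an added illustration of the flow: password accepted, code generated and texted, code verified.  This is not CoachAccountable’s code; the send_sms() hook, the five-minute lifetime, the five-attempt limit and every name are assumptions made for the example, and the phone number in the test is constructed.  The points it demonstrates are the ones that make even a “mostly secure” channel worth having: the code comes from a CSPRNG, only a keyed hash of it is stored, and expiry plus an attempt cap keep the six-digit space from being guessed online.

```python
"""SMS one-time code as a second factor (added illustration, not CoachAccountable's code).

Flow: after the password checks out, the server generates a short code, sends it to the
user's phone, and accepts the login only once the user types the code back.  Server-side
details worth getting right:
  * codes come from the `secrets` module (a CSPRNG), never from random.random(),
  * only a keyed hash of the code is stored, so a leaked database row does not reveal it,
  * codes expire after a few minutes and are discarded after a handful of wrong guesses,
    which caps online brute force of the 10**6 possible six-digit codes,
  * comparison is constant-time.
The send_sms() hook and all names are hypothetical.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_TTL_SECONDS = 5 * 60
MAX_ATTEMPTS = 5
# Key for the stored hash; load it from a secret manager in production.
HASH_KEY = secrets.token_bytes(32)


@dataclass
class PendingChallenge:
    user_id: str
    phone: str
    code_hmac: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


# challenge id -> pending challenge.  A real service would keep this in a cache with a TTL.
_pending: dict = {}
sent_messages: list = []  # stand-in for the SMS gateway so the demo runs offline


def _hash_code(challenge_id: str, code: str) -> bytes:
    # Bind the hash to the challenge id so the same code in two challenges hashes differently.
    return hmac.new(HASH_KEY, f"{challenge_id}:{code}".encode(), hashlib.sha256).digest()


def send_sms(phone: str, text: str) -> None:
    """Hypothetical gateway hook; here it only records what would have been sent."""
    sent_messages.append((phone, text))


def start_challenge(user_id: str, phone: str, now: float | None = None) -> str:
    """Call only after the first factor (password) has been verified.
    Generates a fresh code, stores its keyed hash, texts the code, returns the challenge id."""
    now = time.time() if now is None else now
    # randbelow gives a uniform integer in [0, 10**6); zero-pad so "000123" is possible.
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    challenge_id = secrets.token_urlsafe(16)
    _pending[challenge_id] = PendingChallenge(
        user_id=user_id,
        phone=phone,
        code_hmac=_hash_code(challenge_id, code),
        expires_at=now + CODE_TTL_SECONDS,
    )
    send_sms(phone, f"Your login code is {code}. It expires in {CODE_TTL_SECONDS // 60} minutes.")
    return challenge_id


def verify_challenge(challenge_id: str, submitted: str, now: float | None = None) -> str | None:
    """Return the user id if the code is right, else None.  Wrong guesses burn attempts;
    expiry or exhausting the attempts removes the challenge so that code can never succeed."""
    now = time.time() if now is None else now
    ch = _pending.get(challenge_id)
    if ch is None:
        return None
    if now > ch.expires_at:
        del _pending[challenge_id]
        return None
    ch.attempts_left -= 1
    if hmac.compare_digest(_hash_code(challenge_id, submitted.strip()), ch.code_hmac):
        del _pending[challenge_id]  # single use
        return ch.user_id
    if ch.attempts_left <= 0:
        del _pending[challenge_id]
    return None
```

Note that start_challenge() is only ever reached after the password has been verified; the code is a second factor, not a replacement for the first, and a fresh challenge (and fresh code) is created for every login attempt.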

Delightful Collaboration XI: Client Present Mode

It’s been a while since I’ve written up an entry in the Delightful Collaboration series.  Though it may look like it’s only the 11th time (judging by the roman numeral above), acting on the input of our community to make CA better happens roughly once a week!

This one comes from Michiel Bosman of Open Forest Evidence-Based Online Coaching.  He wrote:

I am probably asking for the impossible, but this is very important to me from a privacy/NDA standpoint: I do a lot of CA screen sharing with my clients.

I would love to have a Single Client Mode: I click a checkbox, system will not show anything related to any other client, until I click that checkbox again.

This immediately jumped out at me as interesting.  CoachAccountable has always had the power to serve as a de facto shared, virtual workspace between coach and client.  Coach sharing his or her screen with client (or vice-versa) is a powerful way to invite structured collaboration (e.g. during a session, when actions are being planned, insights are being captured, and so forth).

But I really appreciate the abundance of caution that this request entails.  Indeed, when it’s coach doing the screen sharing, well, there’s a LOT of other data that coach can bring up with a click or two (a convenience that is quite intentional!), yet much of it is data that’s NOT suitable for a given client to see.

So I get the desire for a sort of “single client mode”: that power to accidentally wander over into another part of the system not meant for a client’s eyes could make the prospect of sharing your screen nerve-wracking.

We’re always keen to make CA more thoroughly accommodating to expectations of privacy and confidentiality, for they are expectations that such sensitive work truly merits.  To that end, I present to Michiel and the rest of the CA community what we call “Client Present Mode”.

» Continue reading “Delightful Collaboration XI: Client Present Mode”

CoachAccountable and the GDPR

If you’re a coach in the European Union, you’ve probably already heard of the GDPR.

If you’re not, you’ve probably seen numerous relics of the GDPR over the last few weeks, namely in the form of emails from websites you use announcing a change in their Privacy Policies.

What’s it all about?  It’s the EU’s General Data Protection Regulation.

It’s a good bit of law, I think!  Oh sure, it’s caused its share of grousing and griping among businesses for how much work it’s entailed as everyone wades through legalese and policy in order to get compliant (myself included!).  But I view it as a step in the right direction for end users to have greater control over their data and privacy.

Basically, it demands of companies that they don’t do terrible things with individuals’ data, and that all usage of such data must be documented and above board.  Companies must get explicit consent to use someone’s data for a given purpose, and that consent can’t be buried in a huge pile of indecipherable legalese.  End users must have some real control over their data, including the ability to delete it.

As an individual, this sounds good to me.

As a company, CoachAccountable has never had any business trafficking in user data in unexpected or vaguely nefarious ways.  And our in-app “Delete” buttons really do delete data (much to the chagrin of the occasional coach who accidentally deleted an entire client record!).  So our compliance is largely a matter of paperwork: basically to document and agree to be legally bound to the very practices we’ve always adhered to.

What this means for CoachAccountable customers

First off, our privacy policy has been updated, much like the policies of everyone else.  I encourage you to check it out: like most privacy policies, it’s largely boring, BUT I’ve been happy to lay out clearly what data we collect and what exactly we use it for (and why).  Part of this updated policy is that CoachAccountable is registered and listed with Privacy Shield, which is basically a fancy way of saying “we actually mean everything we say in this policy, AND we’re in legal trouble if we don’t hold true to it”.

Yep, we attest that we really mean what we say in our privacy policy.

In other words, the privacy policy isn’t just flowery language. :)

Second, for our customers who work with anyone in the EU: by setting those clients up within your CoachAccountable account, the GDPR applies to you.  Part of that applying to you is that you need to verify that any partner involved in processing your data is ALSO above board when it comes to the GDPR regulations.

In this case, that’s CoachAccountable!  You need to verify that CA is handling your EU citizen personal data in accordance with the law, so that your handling of that data [by way of CoachAccountable] is in compliance with the law.

To allow you to do this, we’ve got a Data Processor Agreement (DPA) available.  The DPA essentially states that you (as controller of your client data) and CoachAccountable (as processor of that data) mutually agree to handle that data appropriately and in compliance with the GDPR; that we’ve each got our part to play for the lawful handling of data; and that we each take responsibility to do so.

Given the sweeping nature of the GDPR, we’ve updated our Privacy Policy (and Terms of Service) to include the DPA itself.

These terms apply only to the extent that your work is within the scope of the GDPR (i.e. work with any clients in the European Economic Zone).  You can find the CoachAccountable Data Processor Addendum here.

And that’s about it: an updated privacy policy and a DPA if you need it.

What if I’m not in the European Union?

If you coach anyone in the EU (or ever will) this still applies to you.  But if you don’t, then this very well might not mean anything to you.  One caveat to that, though: the GDPR mandates certain rights for citizens in the EU, as laid out in the privacy policy.  I’m happy to say that when it comes to CoachAccountable, these rights apply to everyone worldwide, and not just EU citizens.

GDPR looks to be a great way to better balance the rights of individuals against the companies they do business with.  There’s some work for those of us who handle the data of those individuals in order to reach compliance, but it’s reasonable and worthwhile.  We’ve done our best to make it easy as possible for coaches to be compliant in their handling of data with CoachAccountable!