Challenge
Retain Insights with 2FA
Product
Eagle-i
Business Summary
2FA is a proven, simple and highly effective method of adding a layer of security to an organisation's IT systems. However, monitoring must be considered when implementing 2FA to ensure that valuable insight and metrics are retained. With its technology-agnostic methodology, Remasys’ Eagle-i service is uniquely positioned to deliver an effective, all-encompassing monitoring solution for business IT systems and user journeys that include 2FA.
Intro
Security is a leading concern for many businesses, creating high demand for effective solutions. Industry experts often cite Two-Factor Authentication (2FA) as a best-practice approach to bolstering the security of an organisation’s systems and infrastructure. 2FA is a relatively simple method of reducing the risk of systems, accounts and data being hacked. By introducing a second login step (usually via SMS or security token), 2FA can prevent malicious agents from accessing accounts, even if they have managed to obtain a username and password.
The security improvements delivered by 2FA are well documented, as is the relative technical ease of implementation. However, 2FA deployment can cause major issues for application monitoring tools, forcing businesses to sacrifice valuable insights now considered vital within the IT industry. This is because tools involving synthetic processes are unable to incorporate different technologies, such as SMS or security tokens, as part of their monitoring operations.
2FA's multiple technologies require a different monitoring approach
Most application performance monitoring (APM) tools operate on an agent-led, browser-based approach, whether they use a RUM (Real User Monitoring) or synthetic method. To simulate an application user journey for synthetic monitoring purposes, most APM solutions use methods such as web browser emulation or scripted web transaction recording. This is generally an efficient and effective method of monitoring and delivers the minimum functionality required. However, when multiple technologies are involved in a monitored user journey, the web-based method is no longer sufficient. This is because web-based APM solutions are restricted to their own technology stack. They cannot interact with or interpret the actions of non-web actors working within a user journey, such as security tokens for 2FA.
Workarounds exist for monitoring user journeys with SMS using web-based APM (such as the use of virtual numbers), but they’re generally cumbersome and inefficient. There is currently no known method for incorporating security token technology. Synthetic monitoring of mobile applications is an increasingly important component of business operations, yet the weakness of web-based, and often agent-based, APM solutions halts delivery of monitoring.
Without effective monitoring of 2FA processes, businesses expose themselves to a number of risks surrounding their critical user journeys. For example, if an organisation had a bug in its 2FA SMS messaging tool, it would have no visibility of the issue until it started to affect the end user. Furthermore, without metrics that report on the performance and availability of the login system, it is extremely difficult to precisely diagnose the root cause of an issue. This can lead to major delays and wasted resources, as an IT team must manually identify the root cause of the problem.
Our Solution
Remasys’ Eagle-i monitoring service is a technology-agnostic, agentless solution able to provide synthetic monitoring of 2FA processes. The end-user journeys required to successfully complete a log-on process are automated using “through-the-glass”, screen-based interaction with the underlying system. The service is therefore not restricted to monitoring web-based technologies and can interpret and use 2FA technologies such as SMS and security tokens. This provides a unique insight into end-user experience and an effective early warning system. Issues within the log-on process can be identified before customers are affected.
Remasys’ monitoring experts work with businesses to understand their critical user journeys (e.g. accessing ERP applications) before automating these journeys using Eagle-i. These journeys are then run 24/7 at scheduled intervals, collecting vital performance and availability metrics that are of high value to businesses. This active monitoring approach allows issues to be identified and often resolved by support teams before they affect the end user. In addition, Eagle-i provides visual evidence of issues – a video recording of the user journey.
Rapid, Secure Deployment Process
Eagle-i’s agentless methodology requires no code integration into core applications.
A typical Eagle-i 2FA monitoring solution is deployed as follows:
- A remote monitoring point is created using the technologies involved in the selected 2FA process
- Selected end-user journeys representing critical business processes (such as login) are automated
- Tests are completed every 5 minutes, 24/7, to monitor the performance and availability of systems. Results are delivered in a centralised, web-based GUI
- Managed Service