Introducing Individual Accounts

The next version of Three Rings, Milestone: Promethium will be going live on July the 19th, and it’s bringing with it some long-awaited changes!

As we often do, we’re going to be looking at a few of the upcoming features in depth here on the blog, and we’re going to be starting with the first one, the ability for individual users to “own” their personal Three Rings account, and to increase the security of their accounts by using two-factor authentication.

Individual Accounts

Why are you introducing Individual Accounts?

This is part of the promise we made back when Three Rings turned 10, as seen in our blog post ‘Where Do We Go From Here (Part 3)’. That post goes into lots of detail about the reasons why we’re introducing this change, and it’s well worth a read if you want more background on where this change has come from.

For those of you in a rush, though, here are two key diagrams from that blog post which explain what’s happening.

Before Milestone: Promethium, a fictional volunteer like Dave, who works for two different organisations, has to have one Three Rings account for his work with Finnpool Samaritans, and another, completely separate, Three Rings account for his work with Gesway Community Centre:

Graphic showing a number of volunteers at two fictional organisations. Dave, who volunteers at both, has to have two separate Three Rings accounts
Example of ‘Account Sharing’ at the imaginary organisations Finnpool Samaritans and Gesway Community Centre.

Once Milestone: Promethium has gone live, Dave won’t be forced to do that anymore (although he won’t have to change, either! As with any big changes we make to Three Rings, it’s up to Dave whether he wants to make this change happen or not!).

Instead, assuming Dave wants to, he’ll now be able to merge his two Three Rings accounts, and access whatever information each organisation has allowed him to access on Three Rings using a single login:

Here Dave is using just one account, with different permission levels at each organisation, depending on what roles those organisations grant him.

We know this change will benefit a large number of our users – people have been asking for it since the days of Milestone: Copper! – and it’s one we’ve been working towards for some time, but the move to individual accounts doesn’t just benefit people like Dave!

You’ll be able to convert your Three Rings account into an Individual Account using the “My Account” link, highlighted here at the top right of the screen

What are the benefits of individual accounts?

Individual Accounts will allow volunteers like Dave to merge their accounts, so that they only need to remember one username and password rather than a separate set for each organisation they volunteer with. This separation of your credentials (your username and password) from your volunteering (at one or more organisations) also paves the way for us to one day add features for handling applicant, trainee, and alumni volunteers – all within Three Rings.

On top of that, users who’ve changed to having an Individual Account – whether they choose to merge their accounts or not – will now be able to reset their own passwords if they forget them, taking some of the weight off their local Support People.

Finally, giving individual volunteers the option to convert their Three Rings login to an Individual Account allows us to give you the option of using Two Factor authentication.

For those interested, as far as the Data Protection Act goes – anyone with an Individual Three Rings account will now have Three Rings as their data controller for a few minor aspects of their data (their name and email address: we’ve registered as a Data Controller for these purposes!), although of course the organisation(s) with which they volunteer are likely to remain their Data Controller for the majority of the information stored about them on the system.

Introducing Two-Factor authentication

This is another change we’ve had planned for a long time! The volunteers at Three Rings have been using two-factor authentication to access their administrative tools for some time, and it’s a fairly simple, and very powerful, way to massively boost the security of an account you intend to log into.

Even if you haven’t heard of two factor authentication using those exact words, it’s likely you’ll have encountered the concept already: Google, Facebook, Twitter and eBay are among the ever-increasing number of online services which allow you to use two-factor authentication to log in, and a significant number of online banking services actively require it, either with a mini card reader or with a small device that generates the appropriate codes to validate your identity when you log in.

Screenshot of the Facebook login page asking for a two-factor authentication code
Facebook’s two-factor ‘login approval’ page as it looks in July 2014. Facebook first introduced this security feature in 2011.

What is Two Factor Authentication?
Right now, everyone is using “single factor” authentication to log into Three Rings: you prove that you’re entitled to log in with your username by demonstrating that you know “one factor” – one piece – of secret information: your password.

Graphic showing a Single-Factor login whose requirements are a single username and password combination
Single-Factor authentication: your password, matched against your username, allows you to log in.

With two factor authentication, you need to know your password and another, frequently changed, code. This code can be generated using a free tool like Google Authenticator, or a purpose-built device like a YubiKey. To use two factor authentication, you’ll need to convert your Three Rings account into an Individual Account (you can do this whether or not you’re a member of multiple organisations), and select which tool you want to use to generate those codes.

For the sake of argument, let’s imagine you’ve set up Google Authenticator as your second factor for accessing Three Rings. Now, each time you log in with your username and password, Three Rings will also ask you for an extra code, which you’ll get from your Google Authenticator app. That code will change every 30 seconds: it might be 290 456 right now, and in half a minute, it will have changed to something else – say 271 097.

This means that even if someone manages to get hold of your password, they still can’t break into your account, because the odds that they’ll guess the correct code to get past the two factor authentication stage are incredibly small – and they only have 30 seconds to get it right!

Apart from the first time you set this up, the second factor doesn’t really make things harder for you: unlike a password you don’t need to memorise what the extra code is, because it changes all the time anyway – you just need to know where to get it from! – so you get a huge boost to the security of your account (and your organisation’s data) without having to worry about remembering extra information yourself.
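To make the “code that changes every 30 seconds” concrete, here is an added example (not Three Rings’ own code) of the RFC 6238 TOTP scheme that Google Authenticator implements: the code generator the app runs, and the check a login page would run after the password has already been verified. The function names are ours; the 30-second step and 6 digits are the defaults the post describes, and the secret is the published RFC 6238 test secret rather than a real account’s, so the codes can be checked against the standard.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # the "code changes every 30 seconds" window described above
DIGITS = 6

# Shared secret from the RFC 6238 test vectors (ASCII "12345678901234567890"
# in base32). A real deployment generates a random secret per account at
# enrolment and hands it to the authenticator app once, usually as a QR code.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer, reduced to `digits` digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP whose counter is the number of 30-second steps since
    the Unix epoch, so the phone and the server derive the same code
    without ever talking to each other."""
    return hotp(secret_b32, unix_time // step)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                step: int = STEP_SECONDS, skew_steps: int = 1) -> bool:
    """Server-side check, run only after the password has been verified.
    Accepts the code for the current step plus/minus `skew_steps` neighbours
    (a phone clock a few seconds off should not lock the volunteer out) and
    compares in constant time so response timing leaks nothing about digits."""
    submitted = submitted.replace(" ", "")  # apps often display "290 456"
    if not (submitted.isascii() and submitted.isdigit()):
        return False
    current = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret_b32, current + delta), submitted)
        for delta in range(-skew_steps, skew_steps + 1)
    )


if __name__ == "__main__":
    # Codes for two consecutive 30-second windows, as the post describes.
    for t in (59, 89):
        print(t, totp(RFC_TEST_SECRET_B32, t))
```

A code accepted 30 seconds late is still accepted once; a production verifier should also record the last step it accepted for an account so the same code cannot be replayed within the tolerance window.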

Graphic showing that Two Factor requires the combination of the correct username and password with a separate two-factor code to enable login
With two factor authentication you need a second factor – a changeable item of information separate from the username and password combination – to log in, making it much, much harder for any unauthorised person to access your account.

For those of you who prefer non-technical explanations – imagine the Three Rings login page is a door protected by a guard. Using traditional one-factor authentication, the guard recognises your face (your username!) and will let you through as long as you show your ID badge (your password).

Under a two-factor system, the guard recognises your face (your username), notes that you’re wearing the correct ID (you typed your password correctly), but also asks you for – say – the codeword of the day, which anyone legitimately allowed to pass through the door should already know (the second factor). Only once you’ve proved you know that as well as your password will he let you in. Two factor authentication works for Three Rings the same way, but the codewords change more than once per day!

Screenshot of the Two-Factor prompt when logging into Three Rings
If you’ve set up two factor authentication using Google Authenticator, this is the page you’ll see after entering your username & password correctly.

As always, you’re under no obligation to start using two-factor authentication, but, in line with our core value of security, we’d recommend that you do if you can, especially if you’re one of your organisation’s administrators.

If you’re really security-conscious, you’ll now be able to use the new “Security” button in Admin to require users with permissions to access your Admin tab to have enabled two-factor authentication before they can access Admin (just make sure you give them time to set up two-factor first, or they’ll wonder where their Admin tab went!).

And speaking of administrators…

What does all this mean for organisations & administrators?

We wouldn’t be Three Rings if we weren’t dedicated to giving you the maximum degree of control over your organisation’s data and policies that we possibly can! So, although it might sound like we’re introducing seriously big changes, we’re not doing anything too radical from the perspective of organisations.

What you can’t do, is stop individual users of the system from converting their Three Rings account into an Individual Account. And you can’t stop them from using two-factor authentication if they want to add that extra layer of security to their account, although – naturally – the system won’t force anyone to start using two factor authentication, even if they convert their account to an Individual Account: they’ll have to enable it themselves. But this shouldn’t actually matter to you very much – just because a user has an Individual Account, it doesn’t mean you can’t control and restrict what they can do within your organisation.

You’ll still be able to give a role to any user, whether they have an Individual Account or not, and you’ll still be able to take roles away from them. You’ll still be able to lock a volunteer’s account, or put it to sleep when they leave your organisation. Any extra permissions a volunteer has with a different organisation will still only apply to the other organisation, not to yours (unless they legitimately gain those permissions through a role they have when volunteering with you).

You won’t be able to change their username (it’ll be their username!), but you’ll be able to ask them to do that if it should prove necessary. And you won’t be able to reset their password, because they’ll be able to do it for themselves (for those organisations that have been asking us to make it possible for volunteers to conduct their own password resets and take the weight off their support people: congratulations!).

Screenshot of a self-managed Three Rings account, for the fictional "Norman 156"
If you’re an Admin looking at the Directory page of a volunteer with an Individual Account, you’ll see a message telling you that, rather than the usual “Change Username” & “Send Password” options.

In case you’re concerned about that, by default Three Rings will be set up so that any volunteer who does reset their password will be unable to see any of your organisation’s data until you’ve revalidated their access, so not even that will change! (But if you’re not concerned, you can change that setting to make it easier for volunteers who have forgotten their password, but have an Individual Account, to get stuck back in and keep helping your organisation.)

The changes we’re making to volunteer accounts in Milestone: Promethium have been promised for a very long time – and we apologise for spending so long making sure we get them just right! – but now they’re here they’ll be great news for anyone using Three Rings at more than one organisation, or anyone who wants to take advantage of the huge boost in security they can achieve by enabling two-factor authentication on their Individual Three Rings Account, so we’d like to think they’ve been worth the wait!