11.7 C
New York
Friday, March 24, 2023

Safety Keys at Grammarly Half 2: Classes Realized

This text was co-written by Vika Basarab, technical program supervisor at Grammarly, and Igor Maxuk, system engineer at Grammarly.

Grammarly lately made a giant push to require FIDO2 for each workforce member login, changing OTP. In Half 1 of this collection, we shared why we determined to undertake such a sophisticated transition. Take a look at that article to learn why we couldn’t rely solely on biometrics authentication (like TouchID) for implementing FIDO2 and wanted to additionally assist {hardware} keys (YubiKeys).

FIDO2 is a comparatively new commonplace, and assist for it’s nonetheless a piece in progress for some apps and companies. Plus, getting each workforce member all over the world to undertake a brand new approach of logging in just isn’t a simple process. On this article, we’ll share what this rollout taught us from each a technical and an operational standpoint. We hope it would assist different groups which might be enterprise the change to FIDO2.


Step one in our rollout was to find out what techniques modifications we would wish with the intention to ship the fullest potential assist and be sure that the person expertise was clean, handy, and constant throughout totally different platforms and functions.

We shortly ran right into a roadblock involving “embedded” browsers. An embedded browser is concerned when a local app authenticates with SSO on macoS by opening a Safari window to acquire session data. This works with login, password, and OTP, however embedded Safari doesn’t assist FIDO2. We couldn’t discover a technique to remedy it immediately, and as we’re primarily an Apple store, we needed to put in workarounds:

The nice

We reworked the authentication course of for our F5BigIP VPN shopper fully. Beforehand we’d used the embedded window for authentication in Okta, however we discovered a technique to change to OAuth authentication via the default browser for the OS. In 99 p.c of circumstances, the person is already authenticated in Id Supplier earlier than connecting to the VPN, so the shopper can get the username and set up a session with out asking further questions. We ended up with a greater UX, and our VPN shopper is much more steady, a win-win.

The unhealthy

There have been no such options for a handful of different native apps, together with Microsoft 365. We determined that solely these functions can be allowed to authenticate through OTP/push. The issue with that was that our most important SSO system, Okta Traditional, didn’t assist versatile authentication insurance policies. Fortunately, Okta created a brand new product referred to as Okta Id Engine (OIE) that did have this assist. Thus, we had been capable of develop a sensible resolution that provides us the most effective safety potential: Essential apps and SaaS authenticate through FIDO2 solely; every little thing else authenticates through FIDO2 if it’s supported and falls again to utilizing OTP/push.

And the ugly

Whereas making ready for the migration to OIE, we discovered that saml2aws, our main CLI authentication device for AWS, doesn’t work with OIE and AWS Federation. After migration, none of our engineers may manipulate AWS infrastructure from their code. This blocker virtually buried the FIDO2 venture. We needed to fully rework your complete integration between Okta and AWS and educate engineers on methods to use AWS SSO integration from the CLI.

Classes realized

  • As a precondition, test if your whole important techniques (VPN, SSO, SaaS, cloud supplier, on-premise, desktop apps, and combos of those) assist the FIDO2 commonplace.
  • FIDO2 can not absolutely substitute the password in SSO techniques but. There are nonetheless techniques the place safety keys don’t work nicely, principally because of an absence of assist for Internet Authentication. Take into consideration how you’ll authenticate legacy companies and apps that lack FIDO2 talents.
  • A number of firms are creating options for these points. For instance, Okta has developed FastPass, which we plan to make use of for native apps. Keep tuned for extra on this in a future weblog submit.


We launched alpha trials with small teams of workforce members one month earlier than starting our main rollout. Earlier than starting the trials, we had already ready preliminary documentation, reminiscent of FAQs and YubiKey setup guides. Trials helped us prolong the documentation, figuring out bottlenecks and factors of confusion.

We uncovered essential nook circumstances throughout our trials. For example, YubiKeys mix a number of safety interfaces. Certainly one of them works as an OTP utilizing a digital keyboard driver; it offers a time-based generated string like “ccccccril….” adopted by the Enter key. However for those who by chance touched the important thing’s contact plate whereas writing on Slack, you might find yourself abruptly messaging this random string of textual content to a whole lot of coworkers. We began to see a number of Jira tickets that contained these OTP strings! (Fortuitously, we found out methods to flip off this habits.)

Biometrics can even provide you with an unreliable authentication expertise. For instance, if the person must reset their session within the browser, they gained’t have the ability to log in to Okta anymore, as a result of macOS TouchID FIDO2 requires reenrollment after such actions.

Classes realized

  • Trials give you a chance to fail quick in case your assumptions or implementation doesn’t work.
  • Furthermore, trials are an important technique to get suggestions and polish the person expertise. You must take a look at your resolution and manuals and see how they work along with your staff’ enterprise processes.


The problem of rolling out safety keys is that you could’t do it routinely or programmatically; every workforce member should arrange the keys themselves.

At Grammarly, we tackled this in a number of methods:

  • We made FIDO2 a required authenticator in Okta, so customers needed to enroll their biometric authentication (TouchID).
  • As quickly as a workforce member obtained an choice to obtain the YubiKeys, we launched a Slack bot that the IT workforce developed to watch workforce member elements in Okta. If customers didn’t enroll in YubiKeys, the bot would ping them immediately as soon as every week. We determined that “loud” messages on world channels gained’t do the job. The reason being that we have now to ask individuals to enroll two keys (in case one is misplaced). Typically, individuals register only one key and suppose they’re executed, so they may ignore the message on the worldwide channel. But it surely’s a lot tougher to maintain ignoring direct pings from bots!
  • In parallel, we routinely gathered statistics on the adoption fee and despatched notifications through our customized bot to the managers of people that didn’t enroll keys.
  • Final however not least, if a workforce member enrolled a minimum of one key, particular automation would flip off all elements besides FIDO2.

Classes realized

  • To hurry up your rollout with out harmfully impacting day-to-day work, eradicate the opposite choices as quickly as potential for every particular person.
  • Use automation to remind the viewers concerning the deadlines, so that you don’t need to do it.
  • Begin gathering information in your progress early. That is one thing that managers like to see!
  • Communication is among the most vital elements of a FIDO2 rollout. All of your staff ought to know concerning the new initiatives and perceive why you’re altering the method and what advantages it would deliver to the corporate.


Grammarly launched its remote-first hybrid work mannequin in 2021. Whereas this has benefited our workforce in numerous methods, it meant that our IT workforce confronted a logistical problem in delivering YubiKeys throughout the globe.

For brand spanking new workforce members, we use the Yubico enterprise portal’s bulk add performance to ship their YubiKeys together with their laptops. For present workforce members, we use a self-service mannequin that permits them to order safety keys from Yubico’s regional distributors or choose them up from one in all Grammarly’s 5 hubs, our coworking and collaboration areas.

Classes realized

  • Anticipate the logistics problem and plan for it early, together with questions like the way you’ll take care of misplaced packages.
  • Understand that whereas Yubico’s regional vendor community is in depth, there are nonetheless locations the place the keys aren’t potential to seek out regionally.

Wanting ahead

Sooner or later, we plan to optimize our logistics and cut back friction by offering a self-service resolution for workforce members to shortly get new keys and invalidate previous ones in the event that they had been misplaced—all in two clicks.

We’re additionally enthusiastic about how the FIDO2 commonplace and the Yubico safety {hardware} keys implementation give Grammarly a stable basis for going past passwords at login.

We hope you realized one thing from this text that you could apply to your personal rollout. Does the best way we method issues at Grammarly resonate with you? We’re hiring! Take a look at our careers web page.

Related Articles


Please enter your comment!
Please enter your name here

Latest Articles