Normally, I’m not what I would call an “idea guy.” I’m not someone who sees all sorts of innovative new things and shares his creations with the world – it’s just not the way my brain works. I’m a problem solver. I see a problem, I come up with a fix, workaround, or solution – that’s what I do. Every now and then, however, there’s an overlap between problem solving and innovation. This may be one of those.
I want a way for a custodian of a system (think “computer technician”) working on a system, to be able to do everything needed to set up, maintain, and troubleshoot said system, without requiring any credentials from the owner. This is tricky because if I want, for instance, to set up your email for you, without requiring any interaction from you, I need to have your password. Sure, I could set up everything except the password and then have you fill it in later, but this road sometimes leads to frustration on the part of the end user, as they don’t have a “completely” working system that they asked for.
Encrypting the owner’s data does not meet this goal, as it needs to be decrypted for the custodian to do their job. Two-factor authentication doesn’t solve this because the password would still need to be placed in the hands of the custodian, along with the second factor, at least temporarily. Combining these two, along with a forced password change, go a long way to securing your data from your custodian’s prying eyes, but don’t ultimately solve the problem.
Do you have a fix for this? Does anyone? Drop me a line and let me know.