What is Izon?
Izon is a website ARINCDirect built for two reasons: (1) to provide a portal for accessing any of the web-based tools we offer and (2) to implement secure identity management. Multifactor authentication is a cybersecurity best practice in which you need two credentials, a username/password AND a second factor, typically a phone-based authentication method.
Why did we implement it?
Business-aviation data is very sensitive and protecting your information is of paramount importance to us. Our cybersecurity controls across the board are specific and stringent. Our backend systems and communications platforms are hardened and themselves require complex passwords and a second factor for access. Further, ALL web access over the Internet must be traceable to an individual human user who has logged in with username/password and a secure second factor.
The “traceable to an individual” requirement is the reason that we can no longer permit ARINCDirect usernames to be shared. It IS possible, however, for one Izon account ID to have access to more than one ARINCDirect username. That can be helpful for administrators of multiple companies, contract pilots, and the like.
Two different sets of credentials
We are in a transition period to multifactor authentication, and for the foreseeable future, you will have two sets of credentials: Izon account ID and ARINCDirect username. This can be confusing, so we’ll describe both credential sets below. If you’ve forgotten a password, you’ll want to use the relevant reset page.
Izon account ID: This gives you access to the flight-planning website and other web-based tools. This account ID is always an email address. Entry of this email address for logging in is NOT case-sensitive. This email is set up at the time of new-user creation or when a user migrates to Izon and MFA. It’s typically the same address as your “regular” email address for ARINCDirect but it can be another email address that you have access to.
Izon account password: Your Izon account ID has its own 15+-character password, with complexity requirements that must be met when it’s created. The creation dialog is helpful here in that each requirement turns green when your entered password meets it. Izon passwords do not expire. If you forget your password, visit https://izon.direct.arinc.net/ and click “Forgot password?”. Enter your Izon account ID in the resulting dialog box and submit it. An email with reset instructions will be sent to your account ID (email). It originates from do-not-reply@izon.direct.arinc.net, so if you don’t receive it, that origin will help you find it in case it got filtered.
ARINCDirect website username: This is the username you’ve been used to. It’s typically letters and digits, but it can be an email address. It might be less confusing if it is not an email address, but that’s entirely up to you.
ARINCDirect website password: Like Izon, it must be 15+ characters long with complexity requirements. ARINCDirect usernames DO expire if your company administrators have activated the expiration feature; they do not otherwise have to expire.
To reset your website password, visit https://direct.arinc.net/ and click “RESET PASSWORD.” Enter your ARINCDirect username (NOT your Izon account ID!) in the resulting dialog, solve an easy CAPTCHA, and submit. You will receive an email at the address configured in your user profile (your “regular” email). That can be different from your account ID. The reset email originates from donotreply@direct.arinc.net.
When will you need an ARINCDirect website username? There are two circumstances when you need to know your username and password for the website: (a) when you initially link an ARINCDirect username into your Izon account and (b) when you log in to the ARINCDirect iPad app or the ADMini phone-sized app.
Types of “second factor” supported
We have several options for the second factor: (a) push notifications, (b) authenticator apps, (c) hardware keys, and (d) SMS messaging. We’ll describe these here, and the order in which they appear reflects our recommendation for primary and secondary methods. You can have more than one second factor set up. This is aviation-related, and you already know that redundancy is A Good Thing.
Push notification apps: This MFA method pushes a request to your phone and allows you to approve or deny it with a button click. This is quick and convenient. Our default phone-resident app for push notifications is Auth0 Guardian, but some others (including Okta Verify) will work also.
Authenticator apps: These apps also reside on your phone and generate 6-digit one-time passwords (OTPs) on demand. Some examples are Google Authenticator and Microsoft Authenticator. Some push-notification apps will also generate OTPs. One important reason to use an authenticator as a backup method: you don’t need any connection (cellular or WiFi) to your phone to obtain a valid 6-digit OTP.
Hardware keys: These are small pieces of hardware, typically USB keys, that conform to an authentication standard called FIDO2. Once a key is set up, you plug it into a USB port on your laptop (some don’t have to be plugged in – they use near-field communication over short distances). These are trickier to set up than the other methods.
SMS messaging: This method sends an SMS message with an OTP during the login process. It is easy to set up but can be problematic in practice. It requires, of course, a cellular or WiFi connection to your phone, and we have found that downstream delivery isn’t as reliable owing to network transit problems or cellular providers in some countries blocking unregistered SMS senders to cut down the amount of unsolicited SMS messaging.
Our identity-management system (Auth0) also supports biometric recognition on some platforms. This can take the form of face or fingerprint recognition. You’ll be offered the option to set it up if your current platform supports it. IMPORTANT: Biometric recognition cannot take the place of one of the second factors above. It can, however, get you past the password prompt more quickly.
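Why an authenticator app needs no connection, shown as an added example (not ARINCDirect's or Auth0's code): the app and the server share a secret at enrollment, and each derives the 6-digit code from that secret and the clock. The sketch assumes the standard TOTP defaults from RFC 6238 (HMAC-SHA1, 30-second step), which this page does not state; `SAMPLE_SECRET` is the RFC's published test key, not a real credential.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # RFC 6238 default time step (assumption, not stated on this page)
DIGITS = 6         # matches the 6-digit OTPs described above


def totp(secret_b32: str, unix_time: int) -> str:
    """Code an authenticator app shows at unix_time: secret + clock, no network."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): low nibble of the last byte picks 4 bytes.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check that tolerates +/- `window` time steps of clock drift."""
    ok = False
    for drift in range(-window, window + 1):
        t = unix_time + drift * STEP_SECONDS
        if t < 0:
            continue
        # Constant-time comparison; every candidate is checked, no early exit.
        ok |= hmac.compare_digest(totp(secret_b32, t).encode(), submitted.encode())
    return ok


# Constructed sample: the RFC 6238 test key, base32-encoded the way
# enrollment QR codes carry the shared secret.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    code = totp(SAMPLE_SECRET, 59)
    print("code at t=59:", code)
    print("accepted one step later:", verify(SAMPLE_SECRET, code, 89))
    print("accepted three steps later:", verify(SAMPLE_SECRET, code, 149))
```

A wider `window` forgives more clock drift on the phone but lengthens the time an observed code stays usable, so verifiers keep it small.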
Making it easier and faster
Even though there are extra steps needed for a secure login to ARINCDirect, there are things you can do to make it easier. We recommend storing your Izon account ID and password in a password manager, so it gets entered automatically at login time. If you’ve set up push notifications as your primary MFA method, there’s just one more step to approve the login. Depending on your phone hardware and smart watch, you may be able to approve it right on your wrist.
Consider also “cleaning up” the list of available buttons and widgets in Izon to reduce confusion. You can turn on or off buttons and widgets in the Dashboard Configuration menu (three-dot menu on the right edge of the buttons row).
Looking to the future
We are working on a few initiatives to improve multifactor authentication. We’re investigating the feasibility of email-based and phone-call-based delivery of one-time passwords for those companies that cannot allow devices in their operations centers. And we are always tweaking the onboarding process to make it more straightforward. When our customers are fully migrated to Izon, we can greatly simplify new-user setup. And we want to be able in the future to use the same credentials for Izon, the iPad app, and ADMini, without affecting their ease of use and criticality while in-flight.
We hope that this has been helpful. As always, questions and comments about Izon and multifactor authentication are welcome. Contact us at +1 410-266-2299 or ad-flightops@collins.com. We want to hear from you!