At work I manage several digital identities every day: the corporate one, with email and the company's internal tools; the client's, with another email, management system and internal tools; and even the “personal” one. I don't really access anything “personal” at work, but I use this category for Spotify (gotta stay in the top 1% of worldwide Genesis listeners) and the RSS feed where I read news and keep track of everything happening in the industry. So, even if there's a single person in front of the desk, I manage quite a few accounts.

While I mention web identities, in this post I won’t exclusively talk about them. They serve as an introduction to a specific use case in which we have to manage multiple digital identities in a single user of the operating system. I’ll detail my specific situation and how I’ve solved it. Everyone’s situation is different, but I hope it can give you clues to adapt it to yours if needed. Instead of switching, sharing identities or logging in and out, I’ve tried to find a way to work in a compartmentalized manner where the change of identities is as seamless as possible.

Web identities: Browser containers

No, I’m not talking about computing containers, despite this being an SRE blog. I’m talking about compartmentalizing the session information that the browser stores, as if the compartments were different profiles. So, by separating them I can have a “Client” container where I have the client’s sessions (without saved credentials, I don't like letting the browser remember credentials), and another “Company” container where I have tabs with sessions on my company’s corporate websites. This is especially useful for me because both the client and the company use Office 365 as an office suite/email and also both use Confluence/Jira. I also have a third container for my personal web sessions. Actually, only for music and news, as I said. Well, also for when it’s time to schedule some training or certification.

I use Firefox and take advantage of the Multi-Account Containers plugin, which allows me to preconfigure containers for each “profile” and even offers the option “Always open this site in this container”. I know there are similar options available for Chrome as well.

This way, I can have different sessions in the same browser and switch between them seamlessly, depending on the active tab. I can have multiple Outlook web sessions open, two Confluence instances, and access pages with one identity or another as needed. It’s much more convenient for me than having to switch between browsers.

There are other creative solutions for this: some colleagues have their personal and work computers connected to a KVM switch and switch between them as needed, while others use a separate browser for each “profile.” I don’t consider the first option because I lose the ability to copy & paste between tabs with different identities, and that’s no way of living. As for the second option, I don’t do it because having more than one browser in use, instead of just one that you really prefer, feels odd to me. Perhaps it’s due to my bias as a “systems” person and that little voice in my internal monologue: “Two programs running for the same task at the same time, what… they give away memory for free now?”

Digital identities: Git repositories

I work with Git repositories in both the client and my company (where we have our in-house tool and other repositories for internal workshop practices). In all cases I authenticate using a digital certificate via SSH instead of a username/password. Again, I don’t want to be choosing identities but rather be able to switch in the terminal from one repository to another and not have to worry about anything when I do a pull or push. The most comfortable solution has been to leverage the SSH config file, ~/.ssh/config, and add entries per host to define the identity file (certificate) to use.

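 # Azure DevOps repositories: corporate identity
 Host ssh.dev.azure.com
   HostkeyAlgorithms +ssh-rsa
   # PubkeyAcceptedKeyTypes is the older name of PubkeyAcceptedAlgorithms
   PubKeyAcceptedKeyTypes=ssh-rsa
   IdentityFile ~/.ssh/myCorporateKey
   IdentitiesOnly yes

 # All hosts (this block also matches ssh.dev.azure.com; for single-valued
 # options the first value obtained wins, IdentityFile entries accumulate)
 Host *
   HostkeyAlgorithms +ssh-rsa
   PubkeyAcceptedAlgorithms +ssh-rsa
   IdentityFile ~/.ssh/myOtherKey
   IdentitiesOnly yes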

In the above example, I define one identity to use with the Azure DevOps repositories and another for the rest. It's just a matter of defining as many host entries as needed. For now I'm lucky enough to have no overlap of identities across the Git service sites I have to work with. In the end, by defining once in the file the identities to use, per host, I don't have to worry about anything when moving from one repo to the next.
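To see which identities and algorithm settings each host actually ends up with under the config above, here is an added example (not part of the original post): a simplified Python model of OpenSSH's documented precedence, where the first value obtained for an option wins and IdentityFile entries accumulate. The names resolve and host_matches and the host git.example.com are made up for the illustration.

```python
import fnmatch
import re

# The page's ~/.ssh/config, embedded so the example runs offline.
PAGE_CONFIG = """\
Host ssh.dev.azure.com
  HostkeyAlgorithms +ssh-rsa
  PubKeyAcceptedKeyTypes=ssh-rsa
  IdentityFile ~/.ssh/myCorporateKey
  IdentitiesOnly yes

Host *
  HostkeyAlgorithms +ssh-rsa
  PubkeyAcceptedAlgorithms +ssh-rsa
  IdentityFile ~/.ssh/myOtherKey
  IdentitiesOnly yes
"""

ALIASES = {"pubkeyacceptedkeytypes": "pubkeyacceptedalgorithms"}  # older name
MULTI = {"identityfile"}  # options that accumulate instead of first-wins
LINE_RE = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.*)")  # "Key value" or "Key=value"

def host_matches(patterns, host):
    """A Host line matches if any pattern matches and no '!' pattern does."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            positive = True
    return positive

def resolve(config_text, host):
    """Return the effective options for host (simplified model, no Match/Include)."""
    effective, active = {}, True  # lines before any Host apply to all hosts
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or raw.lstrip().startswith("#"):
            continue
        key = ALIASES.get(m.group(1).lower(), m.group(1).lower())
        value = m.group(2).strip()
        if key == "host":
            active = host_matches(value.split(), host)
        elif active and key in MULTI:
            effective.setdefault(key, []).append(value)
        elif active:
            effective.setdefault(key, value)  # first obtained value wins
    return effective
```

For ssh.dev.azure.com the model returns both identity files, corporate key first, because the Host * block also applies; every other host gets only myOtherKey, with ssh-rsa enabled. The real client prints its effective configuration for a host with ssh -G <host>.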

By the way, if we’re talking about managing different SSH certificates to connect to machines, it’s straightforward. At the time of connection we can choose the identity (here we use the private key, the public key should already be on the target server) with ssh -i ~/.ssh/corporateIdentity x.x.x.x

What about credentials? Password manager

Since I don't like browsers remembering passwords or using the same password for everything (for obvious reasons), I rely on my own password manager. It’s something obvious, I know, yet I’m still amazed by the number of professionals who don’t use one. In that encrypted database I store all client and company credentials. I also duplicate the personal ones I use at work for ease of access. The encrypted database is backed up. At work I use MacPass, which is an open-source application compatible with KeePass.

Conclusions

There’s no great technical feat in leveraging these small solutions, but they are Quality of Life improvements that save me quite a few minutes each day and clear my mind of these considerations, allowing me to focus on what really matters: solving problems and getting work done.