Implementing user authentication
When it comes to protecting and securing your information online, usernames and passwords are the most commonly used form of authentication for your system. Nevertheless, usernames and passwords are also one of the most insecure forms of user authentication. This article outlines how Maxxton implements the authentication process.
To keep your system secure, Maxxton provides a single point of entry using a self-hosted identity and access management system. This ensures that access to your system is secure, user-friendly, fast, and centralised. To make this possible, Maxxton has built an authentication server on Keycloak. Through it, you are provided with standard protocols such as OpenID Connect, OAuth 2.0, and SAML 2.0. In addition, it is easy to connect existing user directories, such as social login providers and Active Directory via LDAP.
How does the authentication setup work?
To gain access to the software environment, the authentication server issues you a JSON Web Token (JWT) through an identity and access management server built on top of Keycloak. Only with this token can the user access the software. The token can be validated independently of the server: no session state has to be kept (stateless), and access is refused once the token's expiration time has passed.
Authentication can be done through Single Sign-On, two-factor authentication (2FA), and authentication keys. Maxxton offers a great deal of flexibility and can be connected with all conceivable user databases.
Temporary access is suitable for temporary employees, e.g. cleaners and the maintenance service. Temporarily hired employees receive a Time-Based One-Time Password (TOTP) to gain access to accommodation.
Single Sign-On
You can easily connect the authentication server with the user database of a third party. The username and password for the external third party never pass through our system but are always entered on the third party's login page. After that, our system is granted access to the details of the user in the external user database. As soon as the authentication server confirms that the individual who submitted the username and password meets the requirements, a token is granted and the user gains access to the system.
Consider here connections with an account at Google, LinkedIn, Facebook, Twitter, etc. Another practical feature is recognising an already logged-in account and granting that account a token, so the user obtains direct access to the software. For example, when you are logged in in your browser with an e-mail address at a domain such as ‘@mycompanyaccount.com’, that account is automatically linked to the user database. If the user does not yet exist in the Maxxton database, a new user is created in Maxxton Software. After it is created, the user is linked to the external provider, so closing the account on the provider's side also prevents access to Maxxton Software.
Two-factor authentication
Two-factor authentication is highly recommended to prevent unauthorised access to the software environment. There are numerous possibilities for this. Think of sending a verification code by e-mail or by text message. Another method is the use of free OTP/authenticator apps; well-known examples are Google Authenticator and Microsoft Authenticator. It will take an additional 15 to 30 seconds in the login process, but this is definitely worth the extra security. The extra time burden can be reduced by requiring the second step only periodically. This step can also be triggered when suspicious conduct occurs. It is common practice to request an extra code once a month or once a quarter.
Authentication keys
It is also possible to require an authentication key. There are special USB security keys, based on the FIDO2 and WebAuthn standards, that are required to gain access to the software. This is a slightly different type of two-factor authentication that prevents phishing attacks, something the previously mentioned methods do not do. This type of authentication also supports passwordless authentication, which is still one of the safest ways to protect the system while remaining quick.
Time-Based One-Time Password
Through Time-Based One-Time Passwords (TOTP) you can simplify the process of gaining access to accommodation. A manager who is connected to the central authentication server through an app automatically obtains access tokens with a limited duration (e.g. half a day) that are sent to the temporary employees' mobile phones. With smart lock technology it is then possible to open the door via a mobile phone. Hence, the manager does not have to accompany the temporary employees on every occasion. Additionally, generic (non-personal) user accounts can be used by multiple temporary employees.
Benefits of a modern authentication method