Authentication in NoCode-X.com: Identity Management and Single Sign-On (SSO)
Authentication is a cornerstone of secure access to resources and applications in NoCode-X.com. The platform supports robust authentication mechanisms, including self-managed authentication and Single Sign-On (SSO) integration, ensuring flexibility and compliance with security standards.
Concepts
1. Authentication
Authentication verifies the identity of users accessing the platform. NoCode-X.com supports:
- Knowledge Factor: Something the user knows (e.g., password).
- Property Factor: Something the user has (e.g., TOTP, YubiKey).
- Inherence Factor: Something the user is (e.g., biometrics).
Note: The use of inherence factors (biometrics) is discouraged because of GDPR compliance concerns (see below).
2. Single Sign-On (SSO)
SSO allows users to authenticate once and gain access to multiple applications without needing to log in again. NoCode-X.com supports the following protocols for SSO:
- OpenID Connect 1.0 (preferred for its strict and modern standards).
- OAuth 2.0.
When SSO is enabled:
- The Identity Provider (IdP) becomes responsible for the authentication strength and lifecycle management of user credentials.
- The IdP manages user authentication assurance, including credential revocation and monitoring.
Principles
1. Security by Design
- Authentication mechanisms are designed to meet operational levels of assurance:
  - Level 2: For standard users.
  - Level 3: For sensitive accounts (e.g., managers, administrators).
- Strong authentication is enforced using multi-factor authentication (MFA).
2. Responsibility for Authentication
- Self-Managed Authentication: When NoCode-X.com’s embedded authentication is used, the application owner is responsible for managing authentication strength and user provisioning.
- SSO with External IdP: When SSO is enabled, the external IdP is responsible for:
  - Authentication provisioning.
  - Assurance of user identity and credentials.
  - Lifecycle management of user accounts.
3. Break-The-Glass Accounts
- Special accounts with additional property factors (e.g., YubiKey) for emergency access.
- Usage is logged and monitored to prevent misuse.
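As an added illustration (not NoCode-X.com's own code) of how a relying party can enforce the assurance levels above once SSO is enabled, the following Python maps the OpenID Connect `amr` claim (RFC 8176 method references) of an ID token onto Level 2 and Level 3. It assumes the IdP populates `amr`, that Level 3 means two distinct factor categories (knowledge and property), that the role names `manager` and `administrator` mark sensitive accounts, and that only knowledge and property factors are credited toward a level.

```python
# Added example, not NoCode-X.com code: relying-party enforcement of the
# assurance levels above using the OIDC "amr" claim (RFC 8176 values).
# Assumptions: the IdP populates "amr"; Level 2 = one knowledge or property
# factor; Level 3 = both categories (MFA), required for sensitive roles.
from dataclasses import dataclass

# RFC 8176 method references grouped by the factor categories the page uses.
KNOWLEDGE = {"pwd", "pin", "kba"}                      # something the user knows
PROPERTY = {"otp", "hwk", "swk", "sc", "sms", "tel"}  # something the user has
INHERENCE = {"fpt", "face", "iris", "vbm", "retina"}  # biometrics: not credited

# Roles the page treats as sensitive accounts (assumed role names).
SENSITIVE_ROLES = {"manager", "administrator"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    level: int    # 0 = unacceptable, 2 = standard user, 3 = MFA
    reason: str


def assurance_level(amr):
    """Operational level reached by the methods the IdP reports in `amr`."""
    categories = set()
    for method in amr:
        if method in KNOWLEDGE:
            categories.add("knowledge")
        elif method in PROPERTY:
            categories.add("property")
        # Inherence values and unknown values (including the bare "mfa"
        # marker, which does not say which factors were used) are ignored:
        # the relying party only credits factors it can classify.
    if len(categories) >= 2:
        return 3
    return 2 if categories else 0


def check_login(id_token_claims, role):
    """Decide whether an SSO login is strong enough for the given role."""
    level = assurance_level(id_token_claims.get("amr", []))
    required = 3 if role in SENSITIVE_ROLES else 2
    if level >= required:
        return Decision(True, level, f"level {level} meets required level {required}")
    return Decision(False, level,
                    f"level {level} below required level {required} for {role!r}")


if __name__ == "__main__":
    # Constructed ID-token claims for a password + hardware-key login.
    print(check_login({"sub": "user-123", "amr": ["pwd", "hwk"]}, "administrator"))
```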
Why the Inherence Factor (Biometrics) Is Discouraged
The inherence factor (e.g., biometrics such as fingerprints, facial recognition, or iris scans) is often considered a strong authentication method. However, its use in centralized systems for identifying individuals is discouraged because of the following GDPR compliance concerns:
- No Legal Basis for Centralized Biometric Processing:
  - Under GDPR, there is no legal ground to process biometrics in a central repository for the purpose of identifying natural persons.
  - Article 9 of GDPR classifies biometric data as special category data, which requires explicit consent or a specific legal basis for processing. Most organizations cannot meet these requirements for centralized biometric processing.
- Risk of Non-Conformity:
  - Centralized biometric processing for identification purposes would put the data controller (the organization managing the data) in non-conformity by design.
  - This could lead to significant legal and financial penalties under GDPR.
- Security Risks:
  - Centralized biometric repositories are high-value targets for attackers. A breach could result in irreversible harm, as biometric data cannot be changed like passwords or tokens.
- Alternative Solutions:
  - Instead of biometrics, NoCode-X.com recommends using knowledge factors (e.g., passwords) and property factors (e.g., TOTP, YubiKey) for strong authentication.
Why Use Single Sign-On (SSO)?
Advantages of SSO:
- Improved User Experience: Users log in once and access multiple applications seamlessly.
- Centralized Authentication: Simplifies user management and reduces the risk of password fatigue.
- Enhanced Security: Reduces the attack surface by consolidating authentication to a trusted IdP.
- Scalability: Easily integrates with enterprise identity management systems.
Considerations for SSO:
- The IdP entity is responsible for ensuring the strength of authentication and managing user credentials.
- Processes for monitoring and managing the IdP must be well-documented and regularly reviewed.
Contributions to Security Standards
ISO 27001:2022
- Clause 8.1 (Operational Planning and Control): Ensures authentication processes are planned, implemented, and monitored.
- Annex A.9.4.2 (Secure Log-On Procedures): Supports secure authentication mechanisms, including MFA and SSO.
- Annex A.9.2.3 (Management of Privileged Access Rights): Enforces strong authentication for sensitive accounts.
NIST-53 CSF
- PR.AC-1 (Identity Management): Ensures identities and credentials are issued, managed, and verified.
- PR.AC-4 (Access Permissions and Authorizations): Incorporates least privilege and separation of duties into authentication.
- PR.AC-7 (Identity Proofing): Ensures identities are proofed and bound to credentials.
Cyber Fundamentals Essentials
- PR.AC-1 (Identity and Credential Management): Enforces strong authentication policies, including MFA.
- PR.AC-4 (Access Permissions): Limits access to only what is necessary for users to perform their roles.
- PR.AC-6 (Authentication Assurance): Ensures authentication mechanisms are robust and monitored.
Summary
Authentication in NoCode-X.com is designed to provide secure and flexible access to resources. By supporting both self-managed authentication and SSO, the platform ensures:
- Strong authentication mechanisms aligned with industry standards.
- Clear responsibility for authentication management, whether self-managed or delegated to an external IdP.
- Compliance with ISO 27001:2022, NIST-53 CSF, and Cyber Fundamentals Essentials.
Organizations are advised to avoid centralized biometric processing due to GDPR compliance risks and instead rely on knowledge and property factors for strong authentication.