Authentication Methods
Access to the vault is primarily controlled in two ways. The vault can communicate with LDAP-compliant directory servers (Active Directory/Azure AD) for user onboarding, management, and authentication. It also communicates with SAML-based Single Sign-On solutions for authentication. Securden can also use RADIUS authentication and smart card authentication as the primary authentication mechanism.
Alternatively, the vault comes with its native authentication as part of which accounts are created for users locally.
How does AD authentication / Azure AD authentication work?
In this case, Securden does not store the users' passwords. Instead, it connects to the directory over SSL and authenticates each login attempt against AD or Azure AD.
How secure is the native authentication?
Securden uses the bcrypt hash function, a deliberately slow algorithm designed to withstand brute-force attacks, to create a one-way hash of each Securden user's password. The hash is then encrypted using the AES-256 algorithm.
The Securden installation key (which is unique to every installation) is used as the encryption key. Bcrypt enforces security best practice by requiring a salt as part of the hashing process; salting ensures that identical passwords produce different hashes and defeats precomputed (rainbow-table) attacks.
Even if the database containing the hashed values falls into a malicious user's hands, the passwords cannot be recovered in plain text.
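The layered scheme described above, as an added illustration that is not Securden's own code: a salted, deliberately slow password hash, with the resulting salt-plus-hash record then encrypted under a 32-byte installation key using AES-256-GCM. Python's standard-library scrypt stands in for bcrypt (which is not in the standard library), the AES-GCM primitive comes from the third-party `cryptography` package, and the installation key value, record layout and function names are constructed for this example. Verification decrypts the record with the installation key, recomputes the hash with the stored salt, and compares in constant time; without the installation key the stored record is unusable even for an offline guess.

```python
import hashlib
import hmac
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed stand-in for the per-installation key (32 bytes -> AES-256).
# A real deployment generates and protects this key outside the user database.
INSTALLATION_KEY = hashlib.sha256(b"constructed-demo-installation-key").digest()

SALT_LEN = 16
NONCE_LEN = 12
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)   # 16 MiB work factor per guess


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Stage 1: salted, deliberately slow one-way hash (scrypt standing in for bcrypt).

    Returns salt || hash so the salt travels with the record.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)          # fresh random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return salt + digest


def wrap_hash(hash_blob: bytes, key: bytes = INSTALLATION_KEY) -> bytes:
    """Stage 2: encrypt the hash record with AES-256-GCM under the installation key."""
    nonce = os.urandom(NONCE_LEN)            # unique nonce per encryption
    return nonce + AESGCM(key).encrypt(nonce, hash_blob, None)


def unwrap_hash(record: bytes, key: bytes = INSTALLATION_KEY) -> bytes:
    """Inverse of wrap_hash; raises InvalidTag if the key or record is wrong."""
    nonce, ciphertext = record[:NONCE_LEN], record[NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ciphertext, None)


def store_password(password: str, key: bytes = INSTALLATION_KEY) -> bytes:
    """What gets written to the user table: encrypted (salt || hash)."""
    return wrap_hash(hash_password(password), key)


def verify_password(password: str, record: bytes, key: bytes = INSTALLATION_KEY) -> bool:
    """Decrypt the record, recompute the hash with the stored salt, compare in constant time."""
    try:
        blob = unwrap_hash(record, key)
    except InvalidTag:
        return False                         # wrong installation key or tampered record
    salt, stored_hash = blob[:SALT_LEN], blob[SALT_LEN:]
    candidate = hash_password(password, salt)[SALT_LEN:]
    return hmac.compare_digest(candidate, stored_hash)


if __name__ == "__main__":
    rec = store_password("correct horse battery staple")
    print("stored record bytes:", len(rec))
    print("right password:", verify_password("correct horse battery staple", rec))
    print("wrong password:", verify_password("Tr0ub4dor&3", rec))
    print("without installation key:", verify_password("correct horse battery staple", rec, key=bytes(32)))
```

The per-user salt lives inside the encrypted record, so two users with the same password still get different ciphertexts, and a fresh GCM nonce on every write means re-saving the same password never produces the same record twice.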
Security Reinforcement
An additional layer of security with MFA
As an additional layer of security, Securden helps enforce a second authentication factor to grant access to the vault. It integrates with a variety of MFA solutions to achieve this.
Token-based authentication for API access
The vault can be accessed programmatically through its APIs, for which Securden uses token-based authentication: authorised users need the API URL and an Auth Token to access the data they are permitted to see.
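To make the token model concrete, here is an added example of the server-side half of token-based API access; it is an assumed design, not Securden's implementation, and the page does not describe how its tokens are generated or stored. The example issues a high-entropy random token, keeps only a SHA-256 digest of it at rest (so a leaked token table does not yield usable tokens), attaches an expiry so tokens are short-lived ("dynamic"), and supports revocation. `TokenStore`, `lifetime` and the `now` parameter are this example's own names.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class TokenRecord:
    user: str
    expires_at: int      # Unix time after which the token is refused


class TokenStore:
    """Issues and validates bearer tokens for API callers.

    Only the SHA-256 digest of each token is stored; the token itself is returned
    to the caller once and never persisted.
    """

    def __init__(self, lifetime: int = 3600):
        self.lifetime = lifetime
        self._records: Dict[bytes, TokenRecord] = {}

    @staticmethod
    def _digest(token: str) -> bytes:
        # Client-supplied input is hashed before any lookup, so the table is
        # only ever indexed by digests of unpredictable values.
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, user: str, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
        self._records[self._digest(token)] = TokenRecord(user, now + self.lifetime)
        return token

    def authenticate(self, token: str, now: Optional[int] = None) -> Optional[str]:
        """Return the owning user for a valid, unexpired token, else None."""
        now = int(time.time()) if now is None else now
        key = self._digest(token)
        rec = self._records.get(key)
        if rec is None:
            return None
        if now >= rec.expires_at:
            del self._records[key]                   # expired: clean up and refuse
            return None
        return rec.user

    def revoke(self, token: str) -> bool:
        return self._records.pop(self._digest(token), None) is not None

    def active_count(self) -> int:
        return len(self._records)


if __name__ == "__main__":
    store = TokenStore(lifetime=60)
    tok = store.issue("alice", now=1000)
    print("fresh token accepted:", store.authenticate(tok, now=1030))
    print("after expiry:", store.authenticate(tok, now=1060))
    print("garbage token:", store.authenticate("not-a-real-token", now=1030))
```

Because lookups are keyed by digest, a database dump exposes nothing a caller could replay, and expiry plus revocation give the operator two independent ways to cut off a token that has escaped.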
Design Highlights
- Primary authentication
  - Securden's native authentication
  - Active Directory/Azure AD authentication
  - Smart card authentication
  - RADIUS authentication
- MFA enforcement for additional security
  - Any TOTP authentication
  - Any RADIUS-based authentication
  - Duo Security
  - Yubikey
  - Email to SMS gateway
  - OTP through email
- API Access
  - Token-based authentication for authorised users
  - Dynamic tokens