Controlling Access to the Vault
Strong Authentication Mechanism
Securden supports several primary authentication mechanisms for the vault. It can communicate with LDAP-compliant directory servers such as Active Directory, and with Azure AD, for user onboarding, management, and authentication, and with SAML 2.0 single sign-on providers for authentication. RADIUS authentication and smart card authentication can also serve as the primary authentication mechanism.
Alternatively, the vault can use its native authentication, in which user accounts are created and maintained locally within Securden.
How does AD authentication / Azure AD authentication work?
In this case, Securden does not store or verify the user's password itself. It connects to Active Directory or Azure AD over an SSL/TLS-protected connection, submits the credentials, and relies on the directory's result, so the directory's own password policy and account lockout rules govern those logins.
How secure is the native authentication?
Securden stores native user passwords as bcrypt hashes. bcrypt is a deliberately slow, salted password-hashing function: the one-way hash cannot be reversed to recover the password, and its configurable work factor makes brute-force and dictionary attacks expensive. bcrypt requires a unique salt for every hash, so identical passwords produce different hashes and precomputed (rainbow-table) attacks do not apply.
The resulting hash is then encrypted with AES-256, using the Securden installation key (which is unique to every installation) as the encryption key.
Even if the database containing the encrypted hashes falls into a malicious user's hands, the passwords cannot be recovered in plain text: without the installation key the attacker does not even obtain the bcrypt hashes to attempt offline cracking. For this protection to hold, the installation key must be kept separate from the database and its backups; an attacker who obtains both is left with cracking bcrypt, which is slow but not impossible for weak passwords.
Security Reinforcement
An additional layer of security with MFA
As an additional layer of security, Securden can enforce a second authentication factor before granting access to the vault, so a stolen or guessed password alone is not enough to log in. It integrates with a variety of MFA solutions to achieve this.
Token-based authentication for API access
The vault can also be accessed programmatically through its APIs, for which Securden uses token-based authentication. Authorized users need the vault URL and an Auth Token, and the token grants access only to the data that user is permitted to see. Because the token stands in for the user's credentials, it must be stored and transmitted with the same care as a password.
Design Highlights

- Primary Authentication
    - Active Directory / Azure AD authentication.
    - RADIUS authentication.
    - Smart card authentication.
    - Securden's native authentication.
    - SAML 2.0-based single sign-on.
- MFA Enforcement for Additional Security
    - Any TOTP-based authentication.
    - Any RADIUS-based authentication.
    - Duo Security.
    - YubiKey.
    - OTP through email.
    - Email-to-SMS gateway.
- API Access
    - Token-based authentication for authorized users.
    - Dynamic tokens.