We use a centralized authentication platform (IAM) to manage all our internal applications. Our talent do not know any of the passwords of the managed applications; they only know their own IAM passphrases. Once they log in to IAM, they can access the applications assigned to them.
Some of our IAM specifications and requirements are listed below:
We use passphrases instead of passwords (more information here).
We can only reuse a previous passphrase after a cycle of 24 resets.
We must set up multi-factor authentication (MFA) from mobile devices.
Our MFA uses OOB (out-of-band) delivery, a mechanism that transports all the MFA data through a channel different from the application's own channel. Text messages and emails are examples of OOB channels. This reduces the risk if one communication channel becomes compromised.
We use both SAML and OAuth2 for authentication. These two protocols let us log in to external applications using only our active IAM account; no separate usernames or passwords are needed.
If a mobile phone supports biometric authentication, our IAM enforces its use.
All successful sessions have a duration of 9 hours.
At Fluid Attacks, we check the internal rights of internal users on a monthly basis, complying with the following:
Authorizations for privileged access rights are reviewed at frequent intervals.
In order to prevent identity hijacking, all our source code repositories require developers to use an SSH digital signature that verifies the developer's identity on the Internet. The signatures can be found in the repository commit histories linked in the Open Source section.