Questions tagged [identity-management]

49 questions
20 votes, 6 answers

What extra security does a 2-step website login process with a PIN provide?

I am currently working on a web application with a significant security risk attached to its function. We're using Microsoft Identity Framework to handle user logins, with the system forcing strong passwords and registration having the extra layer…
Bob Tway
16 votes, 4 answers

How is SAML solving the cross domain single sign-on problem?

Let's say I have two websites that live on separate domains, and their service providers both talk to the same identity provider on a third domain. I log into the first website and authenticate, and now I decide to visit the second website. The…
user3127
9 votes, 2 answers

What are best practices for implementing ACL

I have a website that has certain menu items that need to be hidden from end users. The web site has PHP in the front-end and Java and Spring in the back-end, deployed on a Linux OS in a VM infrastructure, although the full technology stack isn't…
bliss
8 votes, 2 answers

Using multiple oAuth identity services simultaneously

This question is somewhat academic in nature. While educating myself about the topic of Security via Bearer Tokens for a back-end service that I am working on, and specifically about oAuth2, a few questions came up in my mind: If you were to…
Johan
7 votes, 6 answers

Are there any objective reasons to use dedicated user/password instead of identity providers within a large organization?

I work for a large organization (thousands of employees + maybe tens of thousands of external users that have partial access to a fraction of internal information) and many of these people authenticate using username/password (which expires…
Alexei
6 votes, 2 answers

Combining capability-based access control with SAML

I have been looking into various research on identity, PKI and access control trying to boil it down to a simplified methodology for IAM (Identity & Access Management). One thing which pops up in lots of places is capability-based access control, as…
6 votes, 1 answer

Why should I trust a JSON Web Token (JWT)?

In the SAML and Kerberos authentication models, there is an explicit understanding of what authority has authenticated the user and issued the credential to be trusted by downstream systems. For purposes of identity propagation, the rights of the…
JaimeCastells
5 votes, 4 answers

How can I verify the identity of a US | UK -based person and prevent *fake identities* from being accepted?

Given that it's possible to fake ID cards and fake social security numbers are created, I need to ensure that all users of my site are US or UK based citizens, and don't have more than one account. A few examples where one human may have more than…
makerofthings7
5 votes, 1 answer

Are there risks of using the same OpenID provider for sites with different security levels?

I always use the same OpenID provider (Google, with a strong unique pw and 2-factor auth) in every site that supports it, without thinking twice. It's my understanding that, as long as the provider is safe, it doesn't matter if one or more of these…
mgibsonbr
5 votes, 1 answer

How to get better IAM understanding

I'm getting interested in Identity and Access Management (IAM), but I find it hard to find complete and understandable explanations that suit me, surely because I started wrong. I began with Wikipedia and followed discussions here and there…
Bytemare
5 votes, 3 answers

What personal information is safe to share publicly?

What personal information is safe to share publicly (online)? I have a CV online with my email address, mobile number, land line number, ID number and year of birth (not date of birth). I live in South Africa where there is a lot of physical crime,…
ahorn
4 votes, 1 answer

Pros and cons of having two identity providers

My company has applications on cloud and intranet. Also, we have various roles such as employee, customers, partners etc. We would like ID federation between services hosted on public cloud and internal applications. Following scenarios are…
Jimm
4 votes, 1 answer

Open challenges in Identity management for Internet of things

I am concerned with how identities are managed in the context of the Internet of Things. How can IoT devices (e.g., RFID tags or smart vehicles) authenticate with one another? Is there any practical solution specifically geared towards IoT given…
picolo
3 votes, 2 answers

Best practice for identity management methods with regards to confirming user existence

I'm working on a new site that uses asp.net identity to register users. I'm making use of email addresses as usernames and the email address has to be confirmed before the user can log in. I've been working according to the spec and our…
Carel
3 votes, 1 answer

Access rights management in large companies

I'm wondering how large companies with tens / hundreds of applications are handling access rights for their users. From what I've seen, it's a nightmare that never ends, and it requires full-time resources for a poor result. I'm not looking for…
ack__