We use a centralized authentication platform (IAM) to manage all our internal applications. Our employees do not know any of the passwords of the managed applications; they only know their own IAM passphrase. Once they log in to IAM, they can access applications assigned to them.
Some of our IAM specifications and requirements are listed below:
Previous passphrases can only be reused after 24 reset cycles.
Multi-factor authentication (MFA) from a mobile device must be set.
Our MFA uses OOB (out-of-band) delivery, a mechanism that transports all the MFA data through a channel separate from the application's own channel. Text messages and emails are examples of OOB channels. This reduces the risk in case one communication channel becomes compromised.
When a mobile phone supports biometric authentication, our IAM enforces its use.
All successful sessions have a duration of 9 hours.
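As an added illustration of how the passphrase-history and session-duration rules above can be enforced on the server side (example code, not the IAM platform's own implementation; the scrypt parameters, the class names and the in-memory storage are assumptions made for this example):

```python
import hashlib
import hmac
import os
import time
from typing import List, Optional, Tuple

PASSPHRASE_HISTORY = 24                 # previous passphrases retained: reuse only after 24 resets
SESSION_LIFETIME_SECONDS = 9 * 60 * 60  # a successful session lasts 9 hours


def _hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    # Salted scrypt hash of the passphrase. The cost parameters are lowered
    # for this example (assumption); production values would be much higher.
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt, n=2 ** 12, r=8, p=1, dklen=32)


class PassphraseHistory:
    """Salted hashes of one user's most recent passphrases, oldest first.

    Hashes rather than passphrases are stored, so the history does not leak
    old secrets if the IAM database is compromised."""

    def __init__(self) -> None:
        self._entries: List[Tuple[bytes, bytes]] = []  # (salt, hash)

    def was_used_recently(self, passphrase: str) -> bool:
        # Each entry has its own salt, so the candidate is hashed once per entry
        # and compared in constant time.
        return any(
            hmac.compare_digest(_hash_passphrase(passphrase, salt), digest)
            for salt, digest in self._entries
        )

    def reset(self, new_passphrase: str) -> bool:
        """Record a passphrase reset. Returns False and changes nothing when
        the passphrase is still inside the 24-reset history window."""
        if self.was_used_recently(new_passphrase):
            return False
        salt = os.urandom(16)
        self._entries.append((salt, _hash_passphrase(new_passphrase, salt)))
        # Drop the oldest entries so only the last PASSPHRASE_HISTORY remain.
        del self._entries[:-PASSPHRASE_HISTORY]
        return True


def session_is_valid(issued_at: float, now: Optional[float] = None) -> bool:
    """True while a session issued at `issued_at` (epoch seconds) is within
    its 9-hour lifetime; an issue time in the future is rejected as well."""
    if now is None:
        now = time.time()
    age = now - issued_at
    return 0 <= age < SESSION_LIFETIME_SECONDS


if __name__ == "__main__":
    history = PassphraseHistory()
    history.reset("first-passphrase")
    for i in range(PASSPHRASE_HISTORY):
        history.reset(f"rotation-{i}")
    # After 24 further resets the first passphrase has left the window.
    print("first passphrase reusable again:", history.reset("first-passphrase"))
```

The history window counts resets, not time: a passphrase becomes reusable only once 24 newer passphrases have been recorded after it, which is what the rule above describes.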
To prevent identity hijacking, all our source code repositories require developers to sign their commits with GPG, so that the developer's identity can be verified on the Internet. Signatures can be found in the commit histories of the repositories linked in the Open Source section.
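An added example of how a reviewer or CI job can check that every commit in a history carries a good GPG signature from a known developer key, using git's `%G?` (signature status) and `%GK` (signing key) format placeholders. This is not the company's own tooling: the sample log output, commit hashes and key IDs are constructed, and the allow-list of trusted keys is an assumption.

```python
import subprocess
from typing import List, NamedTuple, Set

# Meanings of git's %G? placeholder (git-log(1), "pretty formats").
SIGNATURE_STATUS = {
    "G": "good signature",
    "U": "good signature, unknown validity (key not trusted)",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "B": "bad signature",
    "E": "signature cannot be checked (e.g. missing public key)",
    "N": "no signature",
}


class Commit(NamedTuple):
    sha: str
    status: str  # one of the %G? letters
    key_id: str  # %GK: key that signed the commit, "" if unsigned


def parse_log(output: str) -> List[Commit]:
    """Parse lines produced by `git log --format='%H %G? %GK'`."""
    commits = []
    for line in output.splitlines():
        if not line.strip():
            continue
        parts = line.split(maxsplit=2)
        sha, status = parts[0], parts[1]
        key_id = parts[2].strip() if len(parts) > 2 else ""
        commits.append(Commit(sha, status, key_id))
    return commits


def unverified_commits(commits: List[Commit], trusted_keys: Set[str]) -> List[str]:
    """Return one finding per commit that fails the policy: only a good
    signature ('G') from a key in the developer allow-list passes."""
    findings = []
    for c in commits:
        if c.status != "G":
            reason = SIGNATURE_STATUS.get(c.status, "unknown status")
            findings.append(f"{c.sha[:12]}: {reason}")
        elif c.key_id not in trusted_keys:
            findings.append(f"{c.sha[:12]}: signed by key {c.key_id} not in the allow-list")
    return findings


def check_repository(path: str, rev_range: str, trusted_keys: Set[str]) -> List[str]:
    """Run the check against a real checkout. Requires git and the developers'
    public keys in the local GPG keyring (otherwise status 'E' is reported)."""
    out = subprocess.run(
        ["git", "-C", path, "log", "--format=%H %G? %GK", rev_range],
        capture_output=True, text=True, check=True,
    ).stdout
    return unverified_commits(parse_log(out), trusted_keys)


# Constructed sample output for offline use; hashes and key IDs are made up.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111 G ABCDEF0123456789
2222222222222222222222222222222222222222 N
3333333333333333333333333333333333333333 G 0000000000000000
4444444444444444444444444444444444444444 B ABCDEF0123456789
"""
TRUSTED_KEYS = {"ABCDEF0123456789"}  # assumed allow-list of developer key IDs

if __name__ == "__main__":
    for finding in unverified_commits(parse_log(SAMPLE_LOG), TRUSTED_KEYS):
        print(finding)
```

Checking only for "some signature" is not enough: a commit signed by an unknown key (status `U`, or `G` from a key outside the allow-list) verifies cryptographically but proves nothing about the developer's identity, which is why the policy compares the signing key against a list of known developer keys.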