Account security documentation

I am currently using Squidex in an environment with strict security requirements, and was looking for documentation around the security features that Squidex offers.

  1. Does Squidex lock out accounts automatically on authentication failure, and how is the account lock timeout configured?
  2. Is there two-factor authentication support in Squidex?

Thanks

Hi,

We use ASP.NET Core Identity and IdentityServer for security. Our general goal is that you should not use username and password authentication if it is not really needed. A lot of orgs have existing login servers like IdentityServer or Azure identity (don't remember the name), and I recommend connecting to them. They must support the OIDC protocol. Keycloak and Auth0 are other examples.

There are a few settings that ASP.NET Core Identity provides by default that are not configurable yet:

| Property | Description | Default |
|---|---|---|
| AllowedForNewUsers | Determines if a new user can be locked out. | true |
| DefaultLockoutTimeSpan | The amount of time a user is locked out when a lockout occurs. | 5 minutes |
| MaxFailedAccessAttempts | The number of failed access attempts until a user is locked out, if lockout is enabled. | 5 |

Furthermore, we also have strict password requirements:

  1. Passwords must be at least 6 characters.
  2. Passwords must have at least one non alphanumeric character.
  3. Passwords must have at least one digit (‘0’-‘9’).
  4. Passwords must have at least one lowercase (‘a’-‘z’).
  5. Passwords must not have appeared in a data breach before: https://haveibeenpwned.com/

Two-factor auth is not implemented (but it is supported by ASP.NET Core Identity), and neither is stuff like password recovery. It would not be a big deal to implement that, but our recommendation is to use your own identity server if you have one.
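
As an added example (not Squidex's own code), the following shows how the lockout settings from the table and the password rules from the list map onto ASP.NET Core Identity's `IdentityOptions`, plus a custom `IPasswordValidator<TUser>` that implements rule 5 against the HaveIBeenPwned range API using k-anonymity (only the first five hex characters of the SHA-1 leave the server). The class names `PwnedPasswordValidator` and `IdentitySetup` are hypothetical; it assumes .NET 6 or later and the built-in `IdentityUser`/`IdentityRole` types, and the user-store registration (for example `AddEntityFrameworkStores<T>()`) is omitted.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical validator for rule 5: reject passwords seen in a known breach.
public sealed class PwnedPasswordValidator<TUser> : IPasswordValidator<TUser> where TUser : class
{
    private static readonly HttpClient Http =
        new HttpClient { BaseAddress = new Uri("https://api.pwnedpasswords.com/range/") };

    public async Task<IdentityResult> ValidateAsync(UserManager<TUser> manager, TUser user, string? password)
    {
        // Empty passwords are rejected by the built-in validator; nothing to look up here.
        if (string.IsNullOrEmpty(password)) return IdentityResult.Success;

        // k-anonymity: hash locally, send only the 5-char prefix, compare the suffix client-side.
        string sha1 = Convert.ToHexString(SHA1.HashData(Encoding.UTF8.GetBytes(password)));
        string prefix = sha1.Substring(0, 5);
        string suffix = sha1.Substring(5);

        string rangeBody = await Http.GetStringAsync(prefix);
        return IsSuffixInRange(suffix, rangeBody)
            ? IdentityResult.Failed(new IdentityError
              {
                  Code = "PwnedPassword",
                  Description = "This password has appeared in a data breach."
              })
            : IdentityResult.Success;
    }

    // The range response is one "SUFFIX:COUNT" pair per line (35 hex chars, then a count).
    public static bool IsSuffixInRange(string suffix, string rangeBody)
    {
        return rangeBody
            .Split('\n', StringSplitOptions.RemoveEmptyEntries)
            .Select(line => line.Trim().Split(':'))
            .Any(parts => parts.Length == 2
                          && string.Equals(parts[0], suffix, StringComparison.OrdinalIgnoreCase)
                          && int.TryParse(parts[1], out var count) && count > 0);
    }
}

// Hypothetical setup class showing where the values from the reply above live.
public static class IdentitySetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddIdentity<IdentityUser, IdentityRole>(options =>
        {
            // Lockout settings from the table, at the framework defaults.
            options.Lockout.AllowedForNewUsers = true;
            options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(5);
            options.Lockout.MaxFailedAccessAttempts = 5;

            // Password rules 1-4 from the list.
            options.Password.RequiredLength = 6;
            options.Password.RequireNonAlphanumeric = true;
            options.Password.RequireDigit = true;
            options.Password.RequireLowercase = true;
            options.Password.RequireUppercase = false;
        })
        .AddPasswordValidator<PwnedPasswordValidator<IdentityUser>>(); // rule 5
        // .AddEntityFrameworkStores<YourDbContext>() would follow here in a real app.
    }

    // Lockout is only enforced when the sign-in call opts in with lockoutOnFailure: true;
    // passing false (or omitting the counter) silently disables the table above.
    public static async Task<bool> SignInAsync(SignInManager<IdentityUser> signIn, string userName, string password)
    {
        var result = await signIn.PasswordSignInAsync(userName, password, isPersistent: false, lockoutOnFailure: true);
        if (result.IsLockedOut)
        {
            // The user must wait out DefaultLockoutTimeSpan before trying again.
            return false;
        }
        return result.Succeeded;
    }
}
```

The practical check to make when auditing a deployment is the `lockoutOnFailure` argument: the three lockout options only describe what happens once failures are counted, and the framework counts them only when the sign-in path asks it to.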

Thanks for the information! Very helpful.