The authentication in our platform is based on a centralized Identity Server called Talentech ID. Talentech ID is built on Duende IdentityServer which is an extensible OpenID Connect and OAuth 2.0 framework for .NET. IdentityServer is OpenID Certified and part of the .NET Foundation.
What is authentication?
Authentication is the process that ensures and confirms a user's identity. This is an important process to make sure we can trust that the user is actually who they claim to be.
Types of authentication
Our identity platform support different methods of authentication. The default one is local user accounts in Talentech ID where the user authenticates via a username and password. Talentech ID also acts as a federation gateway allowing our customers to bring their own identity provider. Our preferred way to set up external identity providers is via OpenID Connect.
Local user accounts
The default authentication and the easiest to get started with, is local Talentech ID user accounts with username and password. Passwords for local user accounts are hashed using the password hasher provided by ASP.NET Core.
Earlier it was recommended to force periodic password resets, use complex password with numbers, special characters etc, but this is no longer considered to be a good practice. We recommend using a strong and unique password for Talentech ID with a minimum length of 8 characters. The password should not be re-used in any other service.
You can read more about good password practices here and here.
When setting a new password in Talentech ID, we give the user a warning if they try setting a password that is in a know password leak. This is done by using the Have I Been Pwned service as shown in the screenshot below.
To prevent brute force attacks on user accounts, we automatically lock accounts temporarily after too many failed login attempts. First it gets locked for a few minutes and then we permanently lock it.
To add an extra layer of security for local accounts, we offer two-step verification, also known as two factor authentication. We support two step authentication via email and one time passwords via authenticator apps. If you are using single sign on, you will be able to configure two-step verification on your side.
Single Sign On
We offer several ways to configure single sign on. This allows you to authenticate users with your existing identity provider like Azure AD or similar. We use known industry standards like Open ID Connect for federated authentication.
Talentech ID is running on PaaS infrastructure in Microsoft Azure using the North Europe region as primary region and West Europe as secondary region. The infrastructure is set up with geo-redundancy both for the application servers and backend databases, so in the event of an outage in one of these data centers, Talentech ID will still be able to serve requests.
Network traffic between Talentech ID and clients is encrypted using TLS 1.2.