The authentication in our platform is based on a centralized Identity Server called Talentech ID. Talentech ID is built on IdentityServer4 which is an Open Source OpenID Connect and OAuth 2.0 framework for .NET. IdentityServer is OpenID Certified and part of the .NET Foundation.
What is authentication?
Authentication is the process that ensures and confirms a user's identity. This is an important process to make sure we can trust that the user is actually who they claim to be.
Types of authentication
Our identity platform support different methods of authentication. The default one is local user accounts in Talentech ID where the user authenticates via a username and password. Talentech ID also acts as a federation gateway allowing our customers to bring their own identity provider. Our preferred way to set up external identity providers is via OpenID Connect.
Earlier it was recommended to force periodic password resets, use complex password with numbers, special characters etc, but this is no longer considered to be a good practice. We recommend using a strong and unique password for Talentech ID with a minimum length of 8 characters. The password should not be re-used in any other service.
You can read more about good password practices here and here.
When setting a new password in Talentech ID, we give the user a warning if they try setting a password that is in a know password leak. This is done by using the Have I Been Pwned service as shown in the screenshot below.
To prevent brute force attacks on user accounts, we automatically lock accounts temporarily after too many failed login attempts. First it gets locked for a few minutes and then we permanently lock it.
Talentech ID is running on PaaS infrastructure in Microsoft Azure using the North Europe region as primary region and West Europe as secondary region. The infrastructure is set up with geo-redundancy both for the application servers and backend databases, so in the event of an outage in one of these data centers, Talentech ID will still be able to serve requests.
Network traffic between Talentech ID and clients is encrypted using TLS 1.2.
Passwords for local user accounts are hashed using the password hasher provided by ASP.NET Core.