Authentication
Last modified on September 24, 2024
Overview
StrongDM supports three authentication models:
Additionally, you can find more information about authentication via SSO on the SSO Settings page and see a list of identity provider integrations if you wish to learn more about how to configure SSO authentication with StrongDM.
Delegated Authentication
The most common method of authenticating to StrongDM is via delegated authentication.
Authentication is commonly delegated to a directory (such as Microsoft Active Directory) or single sign-on provider (such as Okta or Google).
It is not necessary to delegate authentication but can be convenient to link existing tools with StrongDM.
Native Accounts
Native accounts are necessary for StrongDM administrative users.
Native accounts are also utilized in cases where a directory or single sign-on provider is not available.
Hybrid
The Hybrid authentication model employs a Directory or SSO provider, but also allows the StrongDM administrator to create accounts that are not SSO-linked. This can be useful in organizations where contractors or other non-SSO users require access to StrongDM.
Multi-factor Authentication
StrongDM supports the use of multi-factor authentication (MFA) challenges when a user authenticates with StrongDM or, through policies, when they access particular resources.
See the MFA section to learn how to use MFA to secure your StrongDM organization and to configure a supported MFA provider.
Passwords
Password requirements are set in the Admin UI in Settings > Security. You can force the passwords of your StrongDM users to be of higher strength. By default, the only password requirement is that the password be eight characters long.
Password strength requirements can be increased from “No minimum strength” to “Medium,” “Strong,” or “Excellent.” If you require higher password strength, users need to add complexity to their passwords until they grade at the higher rating you have set as the requirement.
The strength of a password can be difficult to determine. In this case, StrongDM uses the zxcvbn password strength method to test your password strength. This method discards arbitrary rules about characters and length. Instead, this method analyzes each suggested password and gives it a strength rating based on a number of factors, including length, dictionary checking, password matching, and so forth.
Independently of the password strength requirement, you can also set a minimum length requirement for your users’ passwords. You should not set this minimum length to be lower than the default minimum for the password strength requirement that you have set.
Enforce Single Sessions
The Enforce Single Sessions? setting lets you control whether or not users can have multiple active sessions of StrongDM open at the same time, where a session is a login to the Admin UI, CLI, or desktop app from any device. This setting may be enabled or disabled from the Admin UI in Settings > Security.
The Enforce Single Sessions? setting is disabled by default. When enabled (set to Yes), this setting disallows users from having multiple sessions in the Admin UI, desktop app, and/or CLI simultaneously. For example, when single sessions are enforced, if Bob is logged into the Admin UI on his personal computer at home and then logs into the Admin UI on his work laptop, his home session is logged out. As another example, when single sessions are enforced, if Bob logs in to the Admin UI in Chrome and then logs in to the Admin UI from Safari, he is logged out of his session in Chrome.
Single session enforcement applies only to logins for the same software type (that is, Admin UI, CLI, or desktop app). For example, if Alice is logged into the Admin UI from her computer at home, she can still log into the desktop app on her work laptop without being logged out of the Admin UI at home.
Timeouts
There are two types of authentication timeouts for StrongDM users: idle timeouts, which have to do with the idle time of an authenticated user; and session timeouts, which pertain to overall length of authenticated sessions. Note that these limitations are applied for human users, not service accounts.
Idle Timeout
Idle timeouts force users to log out of the client or Admin UI after a set amount of minutes of inactivity (that is, instances where no packets are received). For example:
- The client logs out users after 20 minutes of idleness.
- Admin UI logs out users after 20 minutes of idleness.
Note that idle timeouts may be triggered by blocked processes and long-running queries.
Session Timeout
The session timeout forces users to log out once their session reaches the predetermined time limit. For example:
- Users must re-authenticate every eight hours.
PCI Authentication Requirements
If you are subject to the requirements of PCI-DSS v4 and you are using StrongDM’s Native Accounts, please strongly consider using Multi-factor Authentication as a part of your access controls to the StrongDM Platform. In the event you choose not to use MFA with Native Accounts, the PCI Standards Council has mandated StrongDM advise you of the following points, per Requirement 8.3.10:
- You should require your users of the StrongDM Platform to periodically expire/change their passwords
- You should require users to change their passwords any time you or they suspect that password has been compromised, disclosed to an unauthorized party, or reused from another platform