Authentication and Authorization

Passwords

Passwords are salted and then hashed with the PBKDF2 algorithm; only the salted hash is stored. This means that the password is never stored in plain text and cannot be recovered from what is stored. When a user logs in, the password they provide is combined with the stored salt, hashed, and compared to the stored hash. If they match, the user is authenticated.

The password policy enforces the following criteria: the password must contain between 10 and 64 characters, including at least one digit, one lowercase letter, one uppercase letter, and one special character.

We do not support password expiration, as forced rotation can lead to users choosing weaker passwords (see NIST SP 800-63B).
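The policy check and the salt-then-PBKDF2 store/verify flow described above, as an added illustration that is not Wildmoka's own code. The iteration count, salt length, SHA-256 as the PRF and the `iterations$salt$hash` storage layout are assumptions; the page does not state them.

```python
import hashlib
import hmac
import os
import string
from typing import Optional

# Policy from the page: 10-64 characters, at least one digit, one lowercase,
# one uppercase and one special (punctuation) character.
MIN_LEN, MAX_LEN = 10, 64
PBKDF2_ITERATIONS = 600_000  # assumption: the page does not state the work factor
SALT_BYTES = 16              # assumption: 128-bit random salt per password


def password_meets_policy(password: str) -> bool:
    """Return True if the password satisfies the stated policy."""
    if not MIN_LEN <= len(password) <= MAX_LEN:
        return False
    has_digit = any(c.isdigit() for c in password)
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_special = any(c in string.punctuation for c in password)
    return has_digit and has_lower and has_upper and has_special


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salt and hash with PBKDF2-HMAC-SHA256; return 'iterations$salt$hash' in hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every new password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash using the stored salt and compare in constant time."""
    try:
        iterations_str, salt_hex, digest_hex = stored.split("$")
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: never authenticate
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    # compare_digest avoids leaking where the first mismatching byte is
    return hmac.compare_digest(candidate, expected)
```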


MFA

Wildmoka supports Multi-Factor Authentication (MFA) using TOTP (Time-based One-Time Password) codes sent by email. MFA can be enforced either only when a login from a suspicious IP address is detected, or for all login attempts. Users who log in via SSO are not subject to MFA, as the SSO Identity Provider is expected to have already enforced MFA for the user.


SSO

Wildmoka supports SSO (Single Sign-On) using SAML 2.0. Users who log in via SAML are authenticated by their Identity Provider (IdP) and have no password stored in Wildmoka. When a user who does not yet exist in Wildmoka logs in via SAML, a new user is created with the information provided by the IdP and is assigned default permissions. As described under MFA, users who log in via SSO are not subject to Wildmoka's MFA, since the IdP is expected to have already enforced it. We do not support SCIM (System for Cross-domain Identity Management) at this time.