Authentication & Identity Federation

Last modified on January 3, 2024

General Security Settings

Timeouts

StrongDM allows customers to define timeouts for Client session length and Client and AdminUI idle periods to suit the customer’s specific needs.
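The two timeout kinds mentioned above are evaluated differently: a session-length timeout counts from the moment of authentication regardless of activity, while an idle timeout counts from the last request. The following is an added example, not StrongDM's own code, that checks a session against both limits; the policy values (an 8 hour session and a 30 minute idle period) and the request timelines are constructed for the demo.

```python
# Added example (not StrongDM code): evaluate a client session against an
# absolute session lifetime and an idle timeout. Policy values are constructed
# for the demo; in the product the customer chooses them.
from dataclasses import dataclass


@dataclass
class SessionPolicy:
    max_session_seconds: int  # absolute lifetime, counted from authentication
    idle_seconds: int         # longest permitted gap between two requests


@dataclass
class Session:
    authenticated_at: float   # time the user last proved their identity
    last_seen_at: float       # time of the last accepted request


# Constructed demo policy: 8 hour session, 30 minute idle period.
DEMO_POLICY = SessionPolicy(max_session_seconds=8 * 3600, idle_seconds=30 * 60)


def evaluate(session: Session, policy: SessionPolicy, now: float) -> str:
    """Return 'ok', 'expired' (lifetime exhausted) or 'idle' (idle period exceeded).

    The absolute lifetime is checked first: steady activity never extends it.
    """
    if now - session.authenticated_at >= policy.max_session_seconds:
        return "expired"
    if now - session.last_seen_at >= policy.idle_seconds:
        return "idle"
    return "ok"


def touch(session: Session, policy: SessionPolicy, now: float) -> str:
    """Handle a request at time `now`. Activity refreshes the idle clock only
    while the session is still valid; an expired or idle session stays dead
    until the user authenticates again."""
    status = evaluate(session, policy, now)
    if status == "ok":
        session.last_seen_at = now
    return status


def run_timeline(policy: SessionPolicy, authenticated_at: float,
                 request_times: list[float]) -> list[str]:
    """Replay a list of request timestamps against a fresh session and return
    the status decided for each request."""
    session = Session(authenticated_at=authenticated_at, last_seen_at=authenticated_at)
    return [touch(session, policy, t) for t in request_times]


if __name__ == "__main__":
    # Idle path: a 1900 s gap between requests trips the 1800 s idle limit.
    print(run_timeline(DEMO_POLICY, 0, [600, 1500, 3400, 3500]))
    # Absolute path: a request every 10 minutes still hits the 8 hour ceiling.
    print(run_timeline(DEMO_POLICY, 0, list(range(600, 28801, 600)))[-3:])
```

Once a session has been marked idle or expired, `touch` deliberately leaves `last_seen_at` untouched, so a later request cannot revive it; only a fresh authentication creates a new `Session`.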

Brute Force Attacks

There are countermeasures in place to combat brute force account attacks. A user’s account will be automatically locked after five failed authentication attempts. The lock is removed after five minutes, after which the user can attempt to log in again. This automatic lockout period greatly limits the efficacy of a brute force attack.
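The lockout described above has three properties worth getting right in any implementation: attempts made while the account is locked are rejected before the credential is checked (so even the correct password fails during the lock), the lock lifts on its own after the cooling-off period, and a successful login resets the failure counter. The following is an added example, not StrongDM's own code, that implements those rules with the page's values of five attempts and five minutes; the user table and the clock are constructed for the demo, and the plaintext comparison in `demo_verify` stands in for a real hash check.

```python
# Added example (not StrongDM code): consecutive-failure lockout with an
# automatic release after a cooling-off period. Values follow the page:
# five failed attempts lock the account, the lock clears after five minutes.
from dataclasses import dataclass
from typing import Callable

MAX_FAILURES = 5
LOCKOUT_SECONDS = 5 * 60


@dataclass
class AccountState:
    failures: int = 0        # consecutive failed attempts since last success
    locked_until: float = 0  # 0 means not locked


class LockoutTracker:
    def __init__(self, verify: Callable[[str, str], bool],
                 max_failures: int = MAX_FAILURES,
                 lockout_seconds: int = LOCKOUT_SECONDS) -> None:
        self._verify = verify
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._state: dict[str, AccountState] = {}

    def attempt(self, user: str, password: str, now: float) -> str:
        """Process one login attempt. Returns 'locked', 'success' or 'failure'.

        The credential is only verified when the account is not locked, so a
        locked account gives the same answer for right and wrong passwords.
        """
        st = self._state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"
        if st.locked_until:
            # The lock has expired: the user gets a fresh set of attempts.
            st.failures = 0
            st.locked_until = 0
        if self._verify(user, password):
            st.failures = 0
            return "success"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout_seconds
            return "locked"
        return "failure"


# Constructed demo user table. A real system compares against stored
# password hashes; plaintext is used here only to keep the demo self-contained.
DEMO_USERS = {"alice": "correct-horse-battery"}


def demo_verify(user: str, password: str) -> bool:
    return DEMO_USERS.get(user) == password


if __name__ == "__main__":
    tracker = LockoutTracker(demo_verify)
    for i in range(5):
        print(i + 1, tracker.attempt("alice", "wrong", now=float(i)))
    print("right password while locked:", tracker.attempt("alice", "correct-horse-battery", now=10.0))
    print("after five minutes:", tracker.attempt("alice", "correct-horse-battery", now=4.0 + 300))
```

Returning the single answer `locked` for every attempt during the lock window, regardless of the password, is what keeps the lockout from becoming a password oracle; the counter is kept per account rather than per source address so that the limit cannot be sidestepped by changing clients.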

OIDC Federation & SSO

Multi-factor Authentication

StrongDM has multiple options for the enforcement of multi-factor authentication on StrongDM client sessions, including Duo Security and One-time Passwords.

Native Authentication

Password requirements

When using StrongDM’s native authentication, customer administrators can enforce minimum password requirements for all users.

Password Hashing

All user passwords are hashed using bcrypt, with at least 13 rounds. Passwords are never stored or logged in plain text.

StrongDM regularly revisits the chosen hashing algorithm and number of rounds to ensure we are adhering to industry best practices.
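The two paragraphs above together imply an operational check: when the minimum cost is raised, hashes already in the database still carry the old cost, and the usual way to find them is to read the cost field out of each stored bcrypt string and re-hash the password on the user's next successful login. The following is an added example, not StrongDM's own code, that parses the bcrypt modular-crypt format (`$2b$<cost>$<salt+hash>`) with the standard library only and audits a record set against the page's minimum of 13. The hash strings are constructed placeholders with the right shape, not output of a real bcrypt run, and the user names are invented.

```python
# Added example (not StrongDM code): audit stored bcrypt hashes for a minimum
# cost factor and report which accounts should be re-hashed at next login.
# All hash strings here are constructed placeholders, not real credentials.
import re

MIN_COST = 13  # the page states at least 13 rounds

# bcrypt modular crypt format: $2a$ / $2b$ / $2y$, a two-digit cost,
# then 22 salt characters and 31 hash characters in bcrypt's base64 alphabet.
_BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{53})$")


def parse_bcrypt(hash_str: str):
    """Return (variant, cost) for a bcrypt string, or None if it is not bcrypt."""
    m = _BCRYPT_RE.match(hash_str)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def needs_rehash(hash_str: str, min_cost: int = MIN_COST) -> bool:
    """True when the stored value is not bcrypt at all (legacy format) or its
    cost is below the current policy."""
    parsed = parse_bcrypt(hash_str)
    return parsed is None or parsed[1] < min_cost


def audit(records: dict[str, str], min_cost: int = MIN_COST) -> list[str]:
    """records maps user name -> stored hash. Returns the sorted list of users
    whose hash must be upgraded at their next successful login."""
    return sorted(user for user, h in records.items() if needs_rehash(h, min_cost))


def placeholder_hash(cost: int, variant: str = "2b") -> str:
    """Build a constructed bcrypt-shaped string for the demo (not a real hash)."""
    return f"${variant}${cost:02d}$" + "A" * 22 + "B" * 31


# Constructed sample record set.
SAMPLE_RECORDS = {
    "alice": placeholder_hash(13),             # meets policy
    "bob": placeholder_hash(10),               # cost too low
    "carol": placeholder_hash(14, "2a"),       # above policy, older variant
    "dave": "5f4dcc3b5aa765d61d8327deb882cf99",  # constructed legacy non-bcrypt value
}

if __name__ == "__main__":
    for user, h in SAMPLE_RECORDS.items():
        print(user, parse_bcrypt(h), "rehash" if needs_rehash(h) else "ok")
    print("needs upgrade:", audit(SAMPLE_RECORDS))
```

Because bcrypt cannot be strengthened in place (the password is needed to compute a new hash), the audit only marks accounts; the actual upgrade happens when the user next authenticates successfully and the verified password is hashed again at the current cost.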

Identity Federation

StrongDM allows customers to federate with a variety of Identity Providers to manage user identity and authentication.

OIDC SSO

In addition to offering integrations with a variety of SSO providers, StrongDM also allows the use of any OpenID Connect (OIDC)-compliant SSO service. Generic OIDC support opens the door to many more providers than StrongDM could otherwise create and maintain specific integrations for, without compromising on security.

User Provisioning

StrongDM integrates with Okta and Microsoft Entra ID (formerly Azure AD) to enable SCIM-based user provisioning, allowing customers to manage their users within their centralized Identity Provider.