Connect2id

User authentication

Pluggable authentication factors and logic

The Connect2id server comes with a flexible web API to plug the necessary authentication factors for your users and verify their presence. As an identity provider you are able to apply your own logic – which factors to invoke and when, based on criteria such as the requested access, and to steer the overall authentication journey of each user.

Supported factors include:

  • Passkey (FIDO2 / WebAuthn)

  • LDAP / MS Active Directory

  • Hardware token

  • OTP

  • X.509 certificate

  • Biometrics

  • Risk based authentication

If you need to plug LDAP / Microsoft Active Directory authentication and attribute provisioning into your Connect2id server deployment, you can use the LdapAuth microservice.

Credential security

Decoupling the authentication factors from the core Connect2id server, behind strong and well-defined API boundaries, enhances security. This matters because, while passkeys are a positive advance, passwords are likely to remain in use for the foreseeable future. As a “something you know” factor, passwords are perceived to carry less risk of loss than “something you have” factors, giving users a greater sense of control.

Communicate the user authentication level to applications

The authentication strength of a user login or session is communicated to client applications through the standard acr (Authentication Context Class Reference) claim of the ID token. The factors (also called methods) that were used for the authentication can also be recorded and communicated via the amr (Authentication Methods Reference) claim, using the standard method names registered in RFC 8176 (for example pwd, otp, hwk, mfa).

Authentication step-up

Applications can step up the authentication for a given user or session by making an OpenID authentication request with the optional acr_values parameter set to the desired ACR level. On success the Connect2id server returns an ID token with the updated acr claim. Note that OpenID Connect Core defines acr_values as a voluntary request, so the application must check the acr claim of the returned ID token rather than assume the step-up took place; to make the level mandatory, the ACR can also be requested as an essential claim via the claims parameter. Authentication step-up is useful for updates of personal information and credentials, transactions, and other sensitive operations.

The Connect2id server is able to expire authentication independently from the user’s browser or device session.

Just-in-time user provisioning

One useful feature for applications is the ability to issue an ID token for anonymous / unauthenticated users, or to let users create an account during login.

  • Connect2id deployments are able to define a pseudo identifier for anonymous / unauthenticated users and a suitable ACR value to indicate that to client applications. If an application needs to authenticate the user at some point, it makes a step-up request to the Connect2id server.

  • The sign-in can be put on hold until an account for the user is provisioned. This may involve the sending of a verification email or some other action. When the account is created the user may re-authenticate. Upon successful sign-up completion the Connect2id server returns a regular OpenID authentication response to the application.
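The following Python example, added here and not code from the Connect2id server or its SDKs, shows the client (relying party) side of the step-up flow described under "Authentication step-up", together with the acr / amr checks from "Communicate the user authentication level to applications" and the anonymous-session case in the list above. The ACR values (urn:example:acr:pwd, urn:example:acr:mfa), the endpoint and client identifiers and the ID token claims are constructed for illustration; only "0" is a standard OIDC Core value (login did not meet ISO/IEC 29115 level 1). It assumes the ID token's signature, iss, aud and exp have already been validated by a JOSE library and that the claims arrive as a dict.

```python
"""Client-side handling of an OpenID Connect authentication step-up.

Builds the authentication request that asks the OpenID provider for a
stronger authentication context, then checks that the returned ID token
actually carries it. Assumes the ID token signature, iss, aud and exp were
already validated by a JOSE library; the claims arrive here as a dict.
"""
import json
import time
from urllib.parse import urlencode

# Hypothetical ACR values for a deployment, ordered by strength (an
# assumption, not values defined by Connect2id). "0" is the OIDC Core value
# meaning the login did not meet ISO/IEC 29115 level 1; it stands in here
# for the anonymous pseudo-identity described on the page.
ACR_ORDER = {
    "0": 0,
    "urn:example:acr:pwd": 1,
    "urn:example:acr:mfa": 2,
}


def build_step_up_request(authz_endpoint, client_id, redirect_uri, state,
                          nonce, required_acr, max_age=None):
    """Return the authorization URL requesting a step-up to required_acr.

    acr_values alone is a voluntary hint, so the same ACR is also requested
    as an essential ID token claim through the claims parameter: a provider
    that supports the claims parameter must then either return a matching
    acr or treat the login as failed. max_age forces re-authentication, so
    auth_time in the ID token can be checked for freshness.
    """
    if required_acr not in ACR_ORDER:
        raise ValueError(f"unknown ACR: {required_acr}")
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "acr_values": required_acr,
        "claims": json.dumps({"id_token": {"acr": {"essential": True,
                                                   "values": [required_acr]}}}),
    }
    if max_age is not None:
        params["max_age"] = str(max_age)
    return f"{authz_endpoint}?{urlencode(params)}"


def verify_step_up(claims, expected_nonce, required_acr, max_age=None,
                   required_amr=(), now=None):
    """Decide whether an ID token proves the requested step-up.

    Returns (ok, reason). A missing acr is treated as no assurance at all,
    so a provider that silently ignored acr_values, or an anonymous session
    carrying acr "0", fails the check instead of passing by default.
    """
    if required_acr not in ACR_ORDER:
        raise ValueError(f"unknown ACR: {required_acr}")
    now = time.time() if now is None else now
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    actual = claims.get("acr")
    if ACR_ORDER.get(actual, -1) < ACR_ORDER[required_acr]:
        return False, f"acr {actual!r} below required {required_acr!r}"
    if max_age is not None:
        auth_time = claims.get("auth_time")
        if auth_time is None or now - auth_time > max_age:
            return False, "authentication not fresh enough (auth_time)"
    # amr carries the RFC 8176 method names, e.g. "pwd", "otp", "hwk", "mfa".
    missing = set(required_amr) - set(claims.get("amr", []))
    if missing:
        return False, f"amr missing {sorted(missing)}"
    return True, "ok"


if __name__ == "__main__":
    url = build_step_up_request("https://op.example.com/login", "app1",
                                "https://app.example.com/cb", "st-1", "n-1",
                                "urn:example:acr:mfa", max_age=300)
    print(url)
    # Constructed ID token claims, not a real token.
    fresh_mfa = {"nonce": "n-1", "acr": "urn:example:acr:mfa",
                 "amr": ["pwd", "hwk", "mfa"], "auth_time": 1700000000}
    print(verify_step_up(fresh_mfa, "n-1", "urn:example:acr:mfa",
                         max_age=300, required_amr=("mfa",), now=1700000100))
```

The ordering in ACR_ORDER is the application's own policy, which is why the check compares ranks rather than string equality: a provider may legitimately return a stronger ACR than requested, but never a weaker one. If the deployment does not support the claims parameter, the request still works (the parameter is ignored) and the verify step is what actually enforces the level.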

Become a Microsoft EAM provider

The Connect2id server can act as an external authentication method (EAM) provider to Microsoft Entra. This can open up new opportunities for business if you are an authentication provider, by expanding your reach to large audiences and new applications.