The Connect2id server doesn't deal with user credentials directly. Instead, it delegates the task of user authentication via a web API to an external handler. An LDAP / Microsoft Active Directory authentication handler is available out of the box, or you can plug your own, leveraging existing infrastructure if necessary.
LDAP / Active Directory
Hardware tokens (OTP)
SQL / NoSQL database
Authentication factors can be added and upgraded on the fly, with zero disruption to sign-on service.
Never having to share passwords with the OpenID Connect server is good for security, according to the principles of "need to know" and minimising credential access. This reduces the potential vectors of attack and makes the job of IT security easier.
Enterprises are free to combine multiple factors for stronger authentication, for example LDAP credentials with hardware generators of one-time passwords (OTP tokens).
Two-factor authentication can be invoked on demand by a client application, or for users who require that.
The authentication strength and methods for a particular user session are advertised in the standard acr (Authentication Context Class Reference) and amr (Authentication Methods Reference) claims of identity tokens issued to applications.
Applications that need to step up authentication for a particular user or session can do so by making an OpenID authentication request with the optional acr_values parameter set to the desired ACR strength. On success the Connect2id server will return an ID token with the updated acr claim.
Authentication step-up is useful in cases such as updating personal information and credentials, making a payment, or some other sensitive operation.
The Connect2id server allows authentication to expire independently from a user's session (browser or device).
Just-in-time user provisioning
An important feature for consumer applications is the ability to issue an ID token for anonymous / unauthenticated users, or to allow users to create an account during the login flow.
Enterprises are free to define a pseudo identifier for anonymous / unauthenticated users, as well as an ACR value to indicate that to applications. If an application needs to authenticate the user at some point, it can make a step-up request to the Connect2id server.
The web API for plugging authentication factors allows the sign-in to paused until an account for the user is provisioned. This may involve the sending of a verification email or SMS, or some other action. Once the account is created the user may or may not be asked to authenticate. At the end if the sign-up is successful the Connect2id server will return a regular OpenID authentication response to the application.