Hardening security for Safewhere Identify Administrator accounts
Overview
Once you create a new Safewhere Identify instance, an admin account is automatically generated. While you can set its password using the Identify Configurator, this default account can be vulnerable to various threats, such as brute force attempts. Although account lockout was introduced in version 5.5 as a defense mechanism against these attacks, note that the default lockout period is 24 hours. Such a long lockout period can be inconvenient for users.
In this guide, we will show you best practices for securing administrator accounts:
Avoid using the default Admin account: Instead, create separate user accounts for each administrator. This helps to maintain accountability and security.
Avoid sharing Username & Password connections: Don't use the default Username & password connection for other applications. Keeping these credentials separate enhances security.
Enable Multi-Factor Authentication (MFA): We strongly recommend enabling MFA for all administrator accounts. This adds an extra layer of protection.
This document will walk you through the steps to create additional user accounts and enable MFA to strengthen the security of your Safewhere Identify instance. Let's get started.
Explanation of the "Protected" field for the default administrator account
By default, when an Identify tenant is established, it comes with a default administrator account. The "Protected" field for this account is set to 1, meaning the account is never deleted or overwritten when user data is imported from Identify Configurator.
Rename the default administrator account
By default, the administrator account is named “admin”. You can change it to another name as follows:
Log in to Identify Admin with the default administrator account
Go to the Users page
Click on the “admin” user to edit
Update the Name claim from “admin” to another name
Click Save to update the default administrator account
Add a new administrator account
You will learn how to create additional administrator accounts for other people who need to manage your Identify instance.
The following steps to add a new administrator account:
Log in to Identify Admin with your administrator account.
Go to the Users page.
Click on the "+" button to start adding a new user.
Fill in the required user details. Refer to Identify REST API role to assign appropriate roles to the user account.
Click Save to complete the creation process.
By following these steps, you can easily add new administrators to Safewhere Identify, allowing them to assist in managing your instance effectively.
Enable MFA for the default Username & Password login
After creating a Safewhere Identify instance, a default Username & Password connection is automatically generated for logging into the Identify Admin site. In this section, we will guide you through enabling MFA for this login method.
We highly recommend creating a backup Username & Password connection before enabling MFA. This backup will come in handy if any misconfigurations occur during MFA setup, preventing you from accessing the Admin portal. With a backup connection, you will still be able to log in and fix the issues. After you've successfully configured MFA, you can safely remove the backup connection.
Note: If you plan to allow end users to authenticate other applications using the Username & Password method, it's important to create a separate connection. The default connection should exclusively be used for logging into the Identify Admin site.
Here are the steps to create a backup connection:
Log in to the Identify Admin using your administrator account.
Navigate to the Identity providers page.
Click the "+" button and select Identity Database from the menu.
Choose Username & Password to create an additional local authentication connection.
In the General tab, provide a Name for the connection and click Save button to complete the process.
Once you've successfully created this backup connection, you can use it to log in to the Identify Admin site using your administrator account. This way, you're prepared for any issues that might arise during the MFA setup.
Create an OTP connection
This guide will help you create an OTP (One Time Password) connection in Safewhere Identify. Follow these steps:
Log in to Identify Admin using your admin account.
Go to the Identity Providers page.
Click the "+" button and choose Enterprise from the menu.
Select One Time Password to create a new local authentication connection.
In the General tab, enter a name and click Save.
After the OTP connection is created successfully, its settings are loaded. Go to the Connection tab to update them:
Choose the method(s) from Second factor method(s) dropdown and click "+" button to add.
Update the appropriate settings for each method following its instructions.
We recommend either TOTP Authenticator or WebAuthn.
Click Save again to save the updated settings.
Next, you need to configure the second factor connection for the default Username & password connection using the following steps:
Log in to the Identify Admin using your administrator account.
Navigate to the Identity Providers page.
Click on the default Username & Password connection to edit it.
Go to Second factor tab.
In the Second factor dropdown, select the OTP connection created above.
Click the Save button to save the update.
After successfully saving these changes, you can attempt to log in using the default Username & Password connection. This time, you will be prompted to register your second factor for enhanced security.
Delete the backup Username & Password connection
Once you have successfully registered two-factor authentication and confirmed that it is working well for you, you can safely proceed to delete the backup connections. This ensures that only the default Username & Password connection remains for logging into the Identify Admin portal. Follow these steps to set it up:
Log in to the Identify Admin using your administrator account.
Go to the Applications page.
Click on the Identify Admin connection (its name is the instance domain name and its Provider type is OpenID Connect) to edit it.
Go to Identity providers tab, deactivate all other connections except the default Username & Password connection.
Click the Save button to complete the update.
Other security measures
You can also strengthen the security of MFA login as well as improve usability by considering the following options:
MFA policy script for trusted IPs: You can create an MFA policy script that does not require the second factor when users log in from trusted IP addresses, like those associated with a VPN or localhost. For more details, refer to this instruction.
Conditional access scripting (available from version 5.11): If you're using Safewhere Identify version 5.11 or later, use the Condition access tab in your OTP connection. This allows you to restrict MFA registration based on specific conditions, such as allowing MFA enrollment only from a designated IP range. Comprehensive scripting instructions can be found in the link provided above.
Policy script to block external IPs: Write a policy script that rejects logins from external IPs.
For example, a policy script that denies login attempts from external IP addresses can be particularly useful for securing access to the Identify Admin portal. Here is a step-by-step guide to implementing this measure:
Log in to the Identify Admin with your administrator account.
Go to the Applications page.
Click on the Identify Admin's connection to edit its settings.
Access the Policy scripts tab.
Enter the script in either the Authentication request authorization access policy field or the Token issuance authorization access policy field. If the script returns false, users attempting to log in from external IPs are denied access. For detailed scripting instructions, consult this link.
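The two IP-based measures above (skipping the second factor for trusted IPs, and rejecting logins from external IPs) both come down to the same check: does the client address fall inside a configured set of trusted ranges? The following is an added illustration of that logic, not a script from Safewhere's documentation. The Identify scripting context object, the property name ClientIpAddress and the function names are assumptions for illustration only; the real names must be taken from the product's scripting instructions linked above. The trusted ranges are constructed sample values.

```javascript
// Added illustration of the IP-range logic behind the two policy scripts
// described in the text. ASSUMPTIONS: the shape of the Identify scripting
// context and the property name ClientIpAddress are hypothetical; look up
// the real names in the product's scripting documentation.

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer.
// Returns null for anything that is not a well-formed IPv4 address.
function ipv4ToInt(ip) {
  const parts = String(ip).trim().split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// Parse "a.b.c.d/len" into { base, mask } (both unsigned 32-bit integers).
// A bare address is treated as a /32. Returns null on malformed input.
function parseCidr(cidr) {
  const [addr, lenStr] = String(cidr).split("/");
  const base = ipv4ToInt(addr);
  const len = lenStr === undefined ? 32 : Number(lenStr);
  if (base === null || !Number.isInteger(len) || len < 0 || len > 32) return null;
  // -1 << (32 - len) yields the high 'len' bits set; >>> 0 makes it unsigned.
  const mask = len === 0 ? 0 : (0xFFFFFFFF << (32 - len)) >>> 0;
  return { base: (base & mask) >>> 0, mask };
}

// True when ip lies inside at least one trusted range.
// Fails closed: an unparseable address or range is never trusted.
function isTrustedIp(ip, trustedCidrs) {
  const n = ipv4ToInt(ip);
  if (n === null) return false;
  return trustedCidrs.some((c) => {
    const r = parseCidr(c);
    return r !== null && ((n & r.mask) >>> 0) === r.base;
  });
}

// Constructed sample ranges: localhost and an example VPN range.
const TRUSTED_RANGES = ["127.0.0.1/32", "10.8.0.0/16"];

// MFA policy variant: the second factor is required unless the client is trusted.
function requireSecondFactor(clientIp, trusted = TRUSTED_RANGES) {
  return !isTrustedIp(clientIp, trusted);
}

// Access policy variant: returning false denies the login, so external IPs are rejected.
function allowLogin(clientIp, trusted = TRUSTED_RANGES) {
  return isTrustedIp(clientIp, trusted);
}

// How an access-policy entry point might read against the assumed context object.
function policyEntryPoint(context) {
  return allowLogin(context.ClientIpAddress);
}
```

Both helpers fail closed: an address that does not parse is treated as untrusted, so a malformed or missing client address results in MFA being required or the login being denied rather than silently allowed. A check like this is only as strong as the address it evaluates; if the Identify site sits behind a reverse proxy or load balancer, confirm that the script sees the real client address and not the proxy's.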
Monitoring and Diagnostic tool
Our Monitoring and Diagnostic tool is designed to keep you informed about the security of your instance. It will raise a warning alert if your Safewhere Identify instance lacks second-factor authentication for the Username & Password connection used by the Identify Admin site.