Authentication and Authorization
Passwords
Passwords are stored in a hashed format using the PBKDF2 algorithm. This means that the password is never stored in plain text and the stored hash cannot be reversed to recover it. When a user logs in, the password they provide is hashed with the same parameters and compared to the stored hash. If the two match, the user is authenticated.
Customers can enforce password policies such as minimum length, complexity, and expiration (see documentation).
We do not support password expiration, as this can lead to users choosing weaker passwords (see NIST SP 800-63B).
iconik also maintains a list of well-known passwords that users are not allowed to choose. This list is updated regularly.
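The following is an added example (not iconik's own code) showing the pattern described above: a password is checked against a minimum length and a well-known-password list, then stored only as a PBKDF2 hash with a random salt, and later verified by recomputing the hash and comparing it in constant time. The iteration count, salt size, minimum length and the denylist contents are assumptions for illustration; iconik's actual parameters are not documented here.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

# Assumed parameters for this example (not iconik's documented values).
PBKDF2_ITERATIONS = 600_000   # OWASP-recommended order of magnitude for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
MIN_PASSWORD_LENGTH = 12

# Constructed stand-in for a well-known-password list; a real list would be far larger.
WELL_KNOWN_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}


def check_password_policy(password: str) -> List[str]:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in WELL_KNOWN_PASSWORDS:
        problems.append("appears on the well-known password list")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a PBKDF2-HMAC-SHA256 hash and encode scheme, iterations, salt and digest in one string."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    try:
        scheme, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record; never treat it as a match
    if scheme != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # compare_digest avoids leaking where the digests first differ through timing.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("policy violations:", check_password_policy(pw))
    record = hash_password(pw)
    print("stored record:", record)
    print("login with correct password:", verify_password(pw, record))
    print("login with wrong password:", verify_password("Password", record))
```

Note that the iteration count travels with the stored record, so it can be raised for new hashes without breaking verification of older ones.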
MFA
iconik supports Multi-Factor Authentication (MFA) using TOTP (Time-based One-Time Password) and Mail 2SV (Two-Step Verification). Customers can enforce MFA for all users in their domain (see settings).
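As an added illustration of how TOTP-based MFA works (example code, not iconik's implementation), the block below generates and verifies time-based one-time passwords per RFC 6238 with the usual defaults (HMAC-SHA1, 6 digits, 30-second steps). It also shows two checks a verifier needs: a small clock-drift window, and rejection of a code whose time step has already been used, so a captured code cannot be replayed within its validity window. The drift window size and the shared secret are assumptions; the secret used for the self-check is the RFC 6238 test-vector key.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Tuple

TIME_STEP_SECONDS = 30   # RFC 6238 default
DIGITS = 6               # RFC 6238 default
ALLOWED_DRIFT_STEPS = 1  # assumed: accept one step either side to tolerate clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TIME_STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step)


def verify_totp(secret: bytes, code: str, at_time: int, last_used_counter: int) -> Tuple[bool, int]:
    """Check a submitted code within the drift window.

    Returns (accepted, new_last_used_counter). A step at or below the last
    accepted one is refused, which blocks replay of an already-used code.
    """
    counter = at_time // TIME_STEP_SECONDS
    for drift in range(-ALLOWED_DRIFT_STEPS, ALLOWED_DRIFT_STEPS + 1):
        candidate = counter + drift
        if candidate <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            return True, candidate
    return False, last_used_counter


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 form in which authenticator apps are usually provisioned."""
    padded = encoded.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


# Constructed secret: the RFC 6238 reference key, shown here in base32 as an app would receive it.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    secret = secret_from_base32(EXAMPLE_SECRET_B32)
    now = int(time.time())
    current = totp(secret, now)
    print("current code:", current)
    accepted, last = verify_totp(secret, current, now, last_used_counter=0)
    print("first use accepted:", accepted)
    accepted, _ = verify_totp(secret, current, now, last_used_counter=last)
    print("replay accepted:", accepted)
```

The server stores `last_used_counter` per user alongside the secret; without it, a code remains valid for the whole drift window even after it has been used once.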
SSO
iconik supports SSO (Single Sign-On) using SAML 2.0 (see settings). Users who log in via SAML are authenticated by their Identity Provider (IdP) and do not have a password stored in iconik. When a user who does not yet exist in iconik logs in via SAML, a new user is created with the information provided by the IdP. We do not support SCIM (System for Cross-domain Identity Management) at this time.