PingDirectory

Require strong authentication

There are several actions that you can and should take to help ensure that passwords are not compromised.

These include:

  • Use secure communication to prevent passwords (even encoded passwords) from being exposed to network observers.

  • Use password validators to help prevent users from choosing weak passwords.

  • Use delayed bind responses or account lockout to prevent online password guessing attacks.

  • Use strong password storage schemes to resist offline password guessing attacks.

  • Use data encryption, encrypted backups, and encrypted LDIF exports to ensure that encoded passwords are not accessible in the clear to anyone with access to server files.

However, using passwords as the only authentication factor might still constitute a security risk. No matter what password validation restrictions you impose, some users will still try to choose the simplest password they can get away with. There is also the risk that they will reuse passwords across multiple services, making their accounts vulnerable to credential stuffing attacks in the event of a data breach across any of those services. Phishing attacks can also trick users into revealing their passwords attackers.

To help further protect accounts in the event that their password becomes compromised, you should consider requiring strong authentication. The PingDirectory server provides three primary options for this:

  • Use a SASL mechanism that supports two-factor authentication. The UNBOUNDID-TOTP mechanism is a great one that doesn’t rely on interaction with any third-party service, and there are several free options to allow users to generate time-based one-time passwords. However, the UNBOUNDID-DELIVERED-OTP and UNBOUNDID-YUBIKEY-OTP mechanisms also provide much better security than just a password on its own.

    While two-factor authentication might not completely protect against phishing attacks, because the fake site can also ask the user to provide the one-time password in addition to the static password, it does at least prevent the password from being reused.

  • Consider certificate-based authentication, as with the EXTERNAL or UNBOUNDID-CERTIFICATE-PLUS-PASSWORD SASL mechanism. Certificates are much stronger than passwords when used as the only authentication factor, and requiring a certificate and password together provides the best of both worlds. Certificates are also not vulnerable to replay attacks in the way that passwords (and one-time passwords) are, and as long as clients take the proper steps to validate the authenticity of the certificate and perform hostname validation, they are much more resistant to phishing attacks.

  • If users are not directly communicating with the PingDirectory server itself, but are interacting with applications that use the server behind the scenes, then the application could obtain an OAuth token for that user, and then authenticate to the server using the OAUTHBEARER SASL mechanism. This enables support for additional authentication mechanisms that are typically not available to LDAP clients, like FIDO security keys.

Even if you cannot require strong authentication for all user accounts, you should at least require it for administrators.