Credential Management
Credential Registration
Introduction
KOBIL IAM provides various password policies that can be enabled through the Admin Console. By default, KOBIL IAM automatically applies the following policies to newly created realms if the prerequisites are met: a Kobil_event is added to the master realm (for a more detailed explanation, refer to Events) and ENABLE_TENANT is set to TRUE in the chart variables.
- Lowercase Characters: 1 (At least one lowercase character required)
- Digits: 1 (At least one numerical value required)
- Minimum Length: 8
- Uppercase Characters: 1 (At least one uppercase character required)
These policies ensure that users create passwords that meet certain security standards, making them more secure and suitable for production environments.
In general, more complex passwords are more secure. KOBIL IAM supports strong passwords with rules that require a mix of letters, numbers, uppercase, lowercase, and special characters. Your company's administrator sets these rules to make sure passwords are secure and to prevent security breaches.
How to configure
Step 1: Navigate to Authentication in the menu
Step 2: Select the Policies tab
Step 3: Select Password policy
Step 4: Click on the Add policy button
Password Policies
Password Policies | Description |
---|---|
Expire Password | You can set the number of days a password remains valid. After this period, the user must change their password. |
Hashing Iteration | Defines how many times the password is hashed before it is stored or verified. More iterations make it harder for attackers to crack passwords. By default, the system uses 27,500 iterations. |
Not Recently Used | Ensures that users cannot reuse their previous passwords. This prevents users from alternating between a small set of passwords. |
Password Blacklist | Prevents users from using passwords that are listed in a blacklist file. This helps avoid common and easily guessable passwords. |
Minimum Length | Sets the shortest length allowed for passwords. This ensures that passwords are not too short, enhancing security. |
Regular Expression | Requires passwords to match specific patterns defined by regular expressions. This allows for complex rules like requiring at least one symbol, number, and uppercase letter. |
Not Username | Prevents the user from setting their password to be the same as their username. This avoids easily guessable passwords. |
Not Email | Prevents the user from setting their password to be the same as their email address, which would be easily guessable. |
Special Characters | Specifies how many special characters (like @, #, $, etc.) must be included in the password. Special characters make passwords harder to guess. |
Uppercase Characters | Specifies how many uppercase letters (A-Z) must be included in the password. This helps in creating complex passwords. |
Lowercase Characters | Specifies how many lowercase letters (a-z) must be included in the password. This ensures a mix of character types in the password. |
Digits | Specifies how many numerical digits (0-9) must be included in the password. Including digits increases password complexity. |
Hashing Algorithm | Indicates the standard hashing algorithm used to hash passwords before they are stored or validated. By default, the system uses the SHA-256 algorithm. |
Maximum Length | Sets the longest length allowed for passwords. This ensures passwords are not excessively long, which could complicate management. |
Credential Validation
Brute force Detection
Brute force detection is a security feature that monitors repeated failed login attempts and blocks further attempts to prevent unauthorized access. It can be configured to temporarily lock accounts after a certain number of failed login attempts, reducing the risk of unauthorized access.
How to configure
Step 1: Navigate to Realm settings in the menu
Step 2: Select Security defenses tab
Step 3: Select Brute force detection
Parameter | Description |
---|---|
Max login failures | Set the maximum number of failed login attempts allowed before locking out the user. |
Permanent lockout | Enable Permanent Lockout to permanently lock the user out after reaching the maximum number of failed login attempts. |
Wait increment | Specify the Wait Increment to progressively increase the wait time after each failed login attempt. |
Max wait | Define the Max Wait as the maximum wait time applied after multiple failed login attempts. |
Failure reset time | Set the Failure Reset Time to determine the period after which the count of failed login attempts resets to zero. |
Quick login check milliseconds | Configure the Quick Login Check Milliseconds to detect rapid, successive login attempts within a specified time window. |
Minimum quick login wait | Establish the Minimum Quick Login Wait as the shortest required wait time between rapid, successive login attempts detected by the Quick Login Check. |
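The parameters above interact: the failure counter resets after the failure reset time, rapid attempts inside the quick login window are handled separately, and the wait grows by the increment up to the maximum wait. The following simplified model is an added example, not KOBIL IAM's own implementation; the exact escalation rule (one wait increment per block of max login failures, capped at max wait) and all names are assumptions.

```python
from dataclasses import dataclass

# Simplified model of the brute force detection parameters in the table above.
# Added example, not KOBIL IAM's own code; the escalation rule and all names are
# assumptions. Times are in seconds unless the name says milliseconds.

@dataclass
class BruteForceSettings:
    max_login_failures: int = 5
    permanent_lockout: bool = False
    wait_increment: int = 60
    max_wait: int = 900
    failure_reset_time: int = 43200
    quick_login_check_ms: int = 1000
    min_quick_login_wait: int = 60

@dataclass
class UserLoginState:
    failures: int = 0
    last_failure_ms: int = 0
    locked_until_ms: int = 0
    permanently_locked: bool = False

def record_failure(state, cfg, now_ms):
    """Apply one failed login at now_ms; return the lockout in seconds (-1 = permanent)."""
    if state.permanently_locked:
        return -1
    # Failure reset time: start counting again if the last failure is old enough.
    if state.failures and now_ms - state.last_failure_ms > cfg.failure_reset_time * 1000:
        state.failures = 0
    delta_ms = now_ms - state.last_failure_ms if state.failures else None
    state.failures += 1
    state.last_failure_ms = now_ms
    wait = 0
    if delta_ms is not None and delta_ms < cfg.quick_login_check_ms:
        # Quick login check: rapid successive attempts get the minimum quick-login wait.
        wait = cfg.min_quick_login_wait
    elif state.failures >= cfg.max_login_failures:
        if cfg.permanent_lockout:
            state.permanently_locked = True
            return -1
        # Wait increment escalates with each further block of failures, capped at max wait.
        wait = min(cfg.wait_increment * (state.failures // cfg.max_login_failures), cfg.max_wait)
    if wait:
        state.locked_until_ms = max(state.locked_until_ms, now_ms + wait * 1000)
    return wait

def is_locked(state, now_ms):
    return state.permanently_locked or now_ms < state.locked_until_ms
```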
1. Can my administrator see my credentials?
- The administrator cannot view your credentials because they are hashed.
2. Where and how are my username and password stored? Is my password secure?
- The system securely stores your username in the User Entity Table. Your password is hashed using the algorithm and iteration count specified in the password policy. By default, the system uses the SHA-256 algorithm with 27,500 iterations.
3. How can an Admin enable Forgot Password?
- The admin must enable the Forgot Password feature to allow users to reset their login credentials if they forget their password.
- Steps to enable Forgot Password:
  - Navigate to the Realm settings in the menu.
  - Click on the Login tab.
  - Toggle the Forgot Password option to ON. This makes the "Forgot Password?" link visible on the login page. The "Forgot Password?" link allows users to enter their Username or Email and receive an email with a link to reset their credentials.
- Note: This is the default behavior in KOBIL IAM and can be customized based on requirements. For example, you could send an email-based OTP or a phone-based OTP instead of a reset link.