Describe how users authenticate to your application. Do you support MFA and SSO? What SSO protocols are supported (SAML, OIDC)?

Explanation & Context

Understanding the Question

This question is asking you to detail the methods your application uses to verify the identity of its users. Authentication is the process of confirming that a user is who they claim to be. The question specifically wants to know if your application supports Multi-Factor Authentication (MFA) and Single Sign-On (SSO). MFA requires users to provide two or more verification factors to gain access, adding an extra layer of security. SSO allows users to authenticate once and gain access to multiple applications without needing to log in again. The question also asks which SSO protocols your application supports, such as Security Assertion Markup Language (SAML) or OpenID Connect (OIDC). These protocols are standards for secure authentication.
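As an added illustration (not part of the original page), the following Python shows what "authenticator app" MFA means on the server side: the app and the server share a secret at enrollment, and the server recomputes the time-based code (RFC 6238 TOTP over RFC 4226 HOTP) to check what the user typed. Everything here uses only the standard library; the secret is the ASCII key from the RFC 6238 test vectors, so the codes it produces can be checked against the RFC. The replay protection (refusing a time step that has already been accepted) and the clock-skew window are design choices added for the example.

```python
import base64
import hashlib
import hmac
import struct


def decode_base32_secret(encoded: str) -> bytes:
    """Decode the Base32 secret an authenticator app receives at enrollment.
    otpauth:// URIs carry it unpadded and sometimes grouped with spaces,
    so whitespace is stripped and padding restored before decoding."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to a 31-bit integer, reduced modulo 10**digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used_counter: int = -1, window: int = 1,
                step: int = 30, digits: int = 6):
    """Server-side check of a code typed from an authenticator app.

    Returns the accepted time-step counter, or None if the code is rejected.
    - `window` steps either side of now tolerate clock skew between phone and server.
    - Any counter at or below `last_used_counter` is refused, so a code that was
      already accepted once cannot be presented a second time (replay).
    - hmac.compare_digest keeps the string comparison constant-time.
    The caller is expected to persist the returned counter as the new last_used_counter.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    # Demo secret: the ASCII key from the RFC 6238 test vectors (not a real user's secret).
    secret = b"12345678901234567890"
    code = totp(secret, 59)
    print("code at t=59:", code)                                 # 287082 per RFC 6238
    print("accepted at t=59:", verify_totp(secret, code, 59))    # counter 1
    print("replayed:", verify_totp(secret, code, 59, last_used_counter=1))  # None
```

When answering the questionnaire, the properties this code makes visible are the ones worth stating: the secret never leaves the enrolment step, codes expire with the time step, and an accepted code is not accepted again.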

Why It Matters

Understanding how users authenticate to your application is crucial for assessing its security posture. MFA significantly reduces the risk of unauthorized access because even if an attacker obtains a user's password, they would still need additional verification factors. SSO enhances user experience by simplifying the login process while maintaining security through standardized protocols like SAML and OIDC. These protocols ensure that authentication data is securely transmitted and verified across different systems.

Example of Evidence

To demonstrate fulfillment of this question, you might provide documentation or configuration settings that show your application supports MFA and SSO. For instance, you could show configuration files or screenshots from your authentication system that list supported protocols (SAML, OIDC) and describe the MFA methods available (e.g., SMS codes, authenticator apps). Additionally, you might include logs or reports that show MFA and SSO usage statistics, indicating that these features are actively being used by your users.

Example Responses

Example Response 1

Users authenticate to our application via email and password. We support Multi-Factor Authentication (MFA) through authenticator apps and SMS codes. Our application integrates with Single Sign-On (SSO) providers using the OpenID Connect (OIDC) protocol.

Example Response 2

Our application utilizes a combination of email/password and SSO for user authentication. We enforce Multi-Factor Authentication (MFA) for all users, supporting authenticator apps, SMS, and hardware tokens. We support Single Sign-On (SSO) through both Security Assertion Markup Language (SAML) and OpenID Connect (OIDC) protocols, enabling seamless integration with various identity providers.

Example Response 3

Our software is deployed on-premises and does not require user authentication through external services. Therefore, Multi-Factor Authentication (MFA) and Single Sign-On (SSO) are not applicable in this context. Users access the application using local credentials managed by the organization.

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub