HECVAT Category

Authentication, Authorization, and Account Management

Authentication, Authorization, and Account Management covers the controls and questions related to how a solution verifies user identity, grants access, and manages accounts. It outlines the expectations institutions typically have of vendors in this domain, helps assess a vendor's risk posture and operational maturity, and gives structure for consistent evaluation during security reviews.

Assessment Questions

AAAI-01

Does your solution support single sign-on (SSO) protocols for user and administrator authentication?

This question is asking whether your software solution supports Single Sign-On (SSO) protocols for both regular users and administrators. SSO is an authentication method that allows users to access multiple applications with one set of credentials. It eliminates the need for users to maintain and remember multiple passwords.

AAAI-02

For customers not using SSO, does your solution support local authentication protocols for user and administrator authentication?

This question is asking whether your software solution supports local authentication methods for users and administrators when Single Sign-On (SSO) is not being used.

AAAI-03

For customers not using SSO, can you enforce password/passphrase complexity requirements (provided by the institution)?

This question is asking whether your system can enforce custom password complexity requirements specified by the institution (customer) for users who are not using Single Sign-On (SSO).

AAAI-04

For customers not using SSO, does the system have password complexity or length limitations and/or restrictions?

This question is asking whether your system imposes any limitations or restrictions on password complexity or length for users who are not using Single Sign-On (SSO).
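The two questions above fit together: the institution supplies the complexity rules (AAAI-03), and the vendor's own limits must not get in the way of them (AAAI-04). The following is an added example, not HECVAT or ResponseHub code, of a validator that takes an institution-supplied policy object and reports every rule a candidate password breaks; the policy fields, their defaults and the sample passwords are constructed for illustration, and the only vendor-imposed limit is a generous upper length bound that exists to cap hashing cost rather than to restrict passphrases.

```python
"""Enforcing an institution-supplied password policy (AAAI-03) without adding
limits of the vendor's own (AAAI-04).

Added example, not HECVAT or ResponseHub code. The policy fields, their
defaults and the sample passwords are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    """Parameters an institution might supply; the defaults here are illustrative."""
    min_length: int = 12
    max_length: int = 128          # only to bound hashing cost; long passphrases must still work
    required_classes: int = 3      # of: lowercase, uppercase, digit, symbol
    forbidden_substrings: Tuple[str, ...] = ("password", "welcome", "letmein")
    forbid_username: bool = True


CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),   # a space counts, so passphrases are not penalised
}


def check_password(password: str, policy: PasswordPolicy, username: str = "") -> List[str]:
    """Return every rule the candidate breaks; an empty list means it is acceptable.

    Reporting all violations at once lets the UI show the institution's full
    requirement instead of one complaint per attempt."""
    violations: List[str] = []
    if len(password) < policy.min_length:
        violations.append(f"must be at least {policy.min_length} characters")
    if len(password) > policy.max_length:
        violations.append(f"must be at most {policy.max_length} characters")
    present = [name for name, rx in CHARACTER_CLASSES.items() if rx.search(password)]
    if len(present) < policy.required_classes:
        violations.append(
            f"uses {len(present)} of 4 character classes; policy requires {policy.required_classes}"
        )
    lowered = password.lower()
    for fragment in policy.forbidden_substrings:
        if fragment in lowered:
            violations.append(f"contains forbidden word '{fragment}'")
    if policy.forbid_username and username and username.lower() in lowered:
        violations.append("contains the username")
    return violations
```

Because the policy is data rather than code, each institution can be given its own `PasswordPolicy` instance (for example `required_classes=2` for a campus that prefers long passphrases) without a vendor release, which is the operational point behind AAAI-03.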

AAAI-05

For customers not using SSO, do you have documented password/passphrase reset procedures that are currently implemented in the system and/or customer support?

This question is asking whether your organization has documented procedures for resetting passwords or passphrases for users who are not using Single Sign-On (SSO).

AAAI-06

Does your organization participate in InCommon or another eduGAIN-affiliated trust federation?

This question is asking whether your organization participates in identity federation systems specifically designed for educational and research institutions.

AAAI-07

Are there any passwords/passphrases hard-coded into your systems or solutions?

This question is asking whether your software or systems contain any passwords or passphrases that are directly written (hard-coded) into the source code, configuration files, or other system components.

AAAI-08

Are you storing any passwords in plaintext?

This question is asking whether your organization stores user passwords in their original, readable format (plaintext) rather than in a secure, encrypted form.
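The acceptable answer to AAAI-08 is that the system never stores the password at all, only a salted, slow-to-compute verifier derived from it. The following added example (not HECVAT or ResponseHub code) shows that pattern end to end: hashing with a fresh random salt, constant-time verification, rejection of malformed or legacy plaintext records, and a check that flags records made with weaker parameters so they can be upgraded at the user's next login. It uses PBKDF2-HMAC-SHA256 from the Python standard library so it runs anywhere; in production a memory-hard function (Argon2id, scrypt or bcrypt from a maintained library) is the better choice. The record format, iteration count and sample passwords are this example's own.

```python
"""Storing password verifiers instead of passwords (AAAI-08).

Added example, not HECVAT or ResponseHub code. Uses PBKDF2-HMAC-SHA256 from
the standard library so it runs anywhere; in production prefer a memory-hard
function (Argon2id, scrypt or bcrypt from a maintained library). The record
format, iteration count and sample passwords are this example's own."""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # current OWASP figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing verifier: algorithm$iterations$salt$derived-key.

    A fresh random salt means two users with the same password get different
    records, and the password itself is never written anywhere."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def _parse(stored: str):
    """Split a stored record; raises ValueError on anything that is not our format."""
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    if algo != ALGORITHM:
        raise ValueError("unsupported verifier format")
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(dk_b64)


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    try:
        iterations, salt, expected = _parse(stored)
    except (ValueError, TypeError):
        return False   # malformed record (e.g. a legacy plaintext entry) never verifies
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was made with weaker parameters than current policy.

    Call this after a successful login and re-hash with the password you have
    just verified; that is how a fleet of old records gets upgraded over time."""
    try:
        stored_iterations, _, _ = _parse(stored)
    except (ValueError, TypeError):
        return True
    return stored_iterations < iterations
```

The `iterations` value is embedded in each record so that raising the cost factor later never invalidates existing logins; `needs_rehash` is what turns that into a gradual migration rather than a forced password reset.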

AAAI-09

Are audit logs available that include AT LEAST all of the following: login, logout, actions performed, and source IP address?

This question is asking whether your system maintains comprehensive audit logs that track user activities within your application or system. Specifically, it's asking if your logs capture at least four critical elements: login, logout, actions performed, and source IP address.

AAAI-10

Describe or provide a reference to the (a) system capability to log security/authorization changes, as well as user and administrator security events (i.e., physical or electronic), such as login failures, access denied, changes accepted; and (b) all requirements necessary to implement logging and monitoring on the system. Include (c) information about SIEM/log collector usage.*

This question is asking about your system's logging capabilities for security-related events and how you monitor these logs. It has three main parts: (a) whether the system can log security and authorization changes and user and administrator security events such as login failures, access denials and accepted changes; (b) what is required to implement logging and monitoring on the system; and (c) how the system works with a SIEM or log collector.
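AAAI-09 sets a minimum field set for audit records and AAAI-10 names the security events that should produce them. The following added example (not HECVAT or ResponseHub code) serves both questions: it emits one JSON line per event in a shape a SIEM or log collector can ingest, validates that a given line carries every required field, and checks whether a batch of records demonstrates the four AAAI-09 elements. The field names, event vocabulary and sample records (users, addresses, resources) are constructed for illustration.

```python
"""Audit records with the fields AAAI-09 requires (login, logout, actions
performed, source IP) and the security events AAAI-10 names (login failures,
access denied, changes accepted).

Added example, not HECVAT or ResponseHub code. The JSON shape, event names
and sample records are constructed for illustration."""
import json
import time
from typing import Dict, List, Optional

REQUIRED_FIELDS = ("ts", "event", "actor", "source_ip", "outcome")
# Event vocabulary for this example. "action" records an operation performed
# inside the application (AAAI-09); the rest are the security events AAAI-10 names.
KNOWN_EVENTS = {"login", "logout", "action", "login_failure", "access_denied", "authz_change"}


def audit_event(event: str, actor: str, source_ip: str, outcome: str,
                ts: Optional[str] = None, **details) -> str:
    """Serialise one audit record as a single JSON line (what a log collector ingests)."""
    if event not in KNOWN_EVENTS:
        raise ValueError(f"unknown audit event type: {event}")
    record = {
        "ts": ts or time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "event": event,
        "actor": actor,
        "source_ip": source_ip,
        "outcome": outcome,
    }
    record.update(details)   # e.g. action="export_grades", target="course-101"
    return json.dumps(record, sort_keys=True)


def missing_fields(line: str) -> List[str]:
    """Names of required fields absent or empty in one log line (empty list = compliant)."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return list(REQUIRED_FIELDS)
    if not isinstance(rec, dict):
        return list(REQUIRED_FIELDS)
    return [f for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]


def coverage(lines: List[str]) -> Dict[str, bool]:
    """Whether a batch of records demonstrates each AAAI-09 minimum element."""
    events = {json.loads(l)["event"] for l in lines if not missing_fields(l)}
    return {
        "login": "login" in events,
        "logout": "logout" in events,
        "actions performed": "action" in events,
        # source IP is a per-record field, so it only counts if every record carries it
        "source IP address": bool(lines) and all("source_ip" not in missing_fields(l) for l in lines),
    }


# Constructed sample records (not real users, addresses or systems)
SAMPLE_LINES = [
    audit_event("login_failure", "alice@example.edu", "198.51.100.7", "failure",
                reason="bad_password", ts="2024-03-01T09:00:00Z"),
    audit_event("login", "alice@example.edu", "198.51.100.7", "success",
                mfa="totp", ts="2024-03-01T09:00:05Z"),
    audit_event("access_denied", "alice@example.edu", "198.51.100.7", "failure",
                resource="/admin/users", ts="2024-03-01T09:01:00Z"),
    audit_event("action", "alice@example.edu", "198.51.100.7", "success",
                action="export_grades", target="course-101", ts="2024-03-01T09:02:00Z"),
    audit_event("logout", "alice@example.edu", "198.51.100.7", "success",
                ts="2024-03-01T09:10:00Z"),
]
# A legacy-style line that fails the AAAI-09 check: no source address
LEGACY_LINE = '{"ts": "2024-03-01T09:00:00Z", "event": "login", "actor": "bob@example.edu", "outcome": "success"}'
```

Keeping the event vocabulary closed (`KNOWN_EVENTS`) is deliberate: a collector or SIEM rule can only alert on "access_denied" if developers cannot quietly invent "accessDenied" elsewhere, and `missing_fields` is the kind of check that belongs in a pre-ship test so the AAAI-09 answer stays true after the next release.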

AAAI-11

Can you provide the institution documentation regarding the retention period for those logs, how logs are protected, and whether they are accessible to the customer (and if so, how)?

This question is asking about your organization's practices regarding authentication, authorization, and account management logs. Specifically, it wants to know how long those logs are retained, how they are protected, and whether the customer can access them (and if so, how).

AAAI-12

For customers not using SSO, does your application support integration with other authentication and authorization systems?

This question is asking whether your application can integrate with authentication systems beyond Single Sign-On (SSO) and your own native authentication. Authentication systems verify user identity (who they are), while authorization systems determine what they can access.

AAAI-13

Do you allow the customer to specify attribute mappings for any needed information beyond a user identifier? (e.g., Reference eduPerson, ePPA/ePPN/ePE)

This question is asking whether your service allows customers to customize how user attributes are mapped from their identity provider (IdP) to your service during authentication.

AAAI-14

For customers not using SSO, does your application support directory integration for user accounts?

This question is asking whether your application can integrate with directory services (like Microsoft Active Directory, LDAP, etc.) for user account management when Single Sign-On (SSO) is not being used.

AAAI-15

Does your solution support any of the following web SSO standards: SAML2 (with redirect flow), OIDC, CAS, or other?

This question is asking whether your software solution supports Single Sign-On (SSO) standards for web applications. SSO allows users to authenticate once and gain access to multiple systems without having to log in separately to each one.

AAAI-16

Do you support differentiation between email address and user identifier?

This question is asking whether your system allows users to have a separate user identifier (username, user ID, etc.) that is different from their email address.

AAAI-17

For customers not using SSO, does your application and/or user frontend/portal support multifactor authentication (e.g., Duo, Google Authenticator, OTP, etc.)?

This question is asking whether your application supports multi-factor authentication (MFA) for users who are not using Single Sign-On (SSO).
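The "OTP" and "Google Authenticator" options in AAAI-17 both mean time-based one-time passwords as defined in RFC 6238. The following added example (not HECVAT or ResponseHub code) implements that verification with the Python standard library only, including the two details a reviewer will ask about: a small clock-drift window, and refusal to accept the same code twice. The key is the RFC 6238 reference test key, so the outputs can be checked against the RFC's own table; the Base32 handling mirrors how authenticator apps exchange secrets.

```python
"""Time-based one-time password (RFC 6238) generation and verification, the
kind of MFA factor AAAI-17 asks about.

Added example, not HECVAI or ResponseHub code. Standard library only. RFC_KEY
is the RFC 6238 reference test key so results can be checked against the RFC."""
import base64
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: Optional[float] = None, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    now = time.time() if at is None else at
    return hotp(key, int(now // step), digits)


def verify_totp(key: bytes, submitted: str, at: Optional[float] = None,
                window: int = 1, last_used_counter: int = -1) -> Optional[int]:
    """Check a submitted code against the current step and +/- `window` neighbours.

    Returns the matching counter so the caller can persist it and refuse replays
    (pass it back as last_used_counter next time), or None on failure. The
    comparison is constant-time via hmac.compare_digest."""
    now = time.time() if at is None else at
    counter = int(now // STEP_SECONDS)
    for delta in range(-window, window + 1):
        c = counter + delta
        if c <= last_used_counter:        # each code may be accepted once
            continue
        if hmac.compare_digest(hotp(key, c), submitted):
            return c
    return None


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps exchange secrets as Base32; accept unpadded, spaced, lower-case input."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


# RFC 6238 reference key: the ASCII string "12345678901234567890"
RFC_KEY = b"12345678901234567890"
```

Two implementation notes: the drift window should stay small (one step either side is conventional) because every extra step multiplies an attacker's guessing odds, and the returned counter must be stored per user so that a code captured in transit cannot be replayed within the window.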

AAAI-18

Does your application automatically lock the session or log out an account after a period of inactivity?

This question is asking whether your application has automatic session timeout functionality that either locks a user's session or logs them out completely after a period of inactivity.
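A session timeout answer is more convincing when the idle timeout (what AAAI-18 asks about) is distinguished from an absolute lifetime cap, and when expiry is enforced server-side rather than only by a cookie attribute. The following added example (not HECVAT or ResponseHub code) shows an in-memory session store that does both; the timeout values, the injectable clock and the in-memory store are this example's choices, and a real deployment would back the store with a database and also expire the browser cookie.

```python
"""Idle and absolute session timeouts (AAAI-18).

Added example, not HECVAT or ResponseHub code. Timeout values, the injectable
clock and the in-memory store are this example's choices."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user: str
    created_at: float
    last_activity: float


class SessionStore:
    def __init__(self, idle_timeout: float = 15 * 60, absolute_timeout: float = 8 * 3600,
                 clock: Callable[[], float] = time.time):
        self.idle_timeout = idle_timeout          # AAAI-18: end the session after inactivity
        self.absolute_timeout = absolute_timeout  # cap on total lifetime regardless of activity
        self.clock = clock                        # injectable so expiry logic can be tested
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        """Issue a fresh, unguessable session id (256 bits from the OS CSPRNG)."""
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def _expired(self, s: Session, now: float) -> bool:
        return (now - s.last_activity > self.idle_timeout) or \
               (now - s.created_at > self.absolute_timeout)

    def touch(self, sid: str) -> Optional[str]:
        """Call on every authenticated request.

        Returns the user while the session is live (and resets the idle clock).
        An expired or unknown session is destroyed and None is returned so the
        caller forces re-authentication."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if self._expired(s, now):
            del self._sessions[sid]
            return None
        s.last_activity = now
        return s.user

    def logout(self, sid: str) -> None:
        """Explicit logout invalidates server-side state, not just the cookie."""
        self._sessions.pop(sid, None)

    def sweep(self) -> int:
        """Remove expired sessions that were never touched again; returns how many."""
        now = self.clock()
        dead = [sid for sid, s in self._sessions.items() if self._expired(s, now)]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)

    def active_count(self) -> int:
        return len(self._sessions)
```

Checking expiry on every request (`touch`) is what makes the idle timeout real; `sweep` exists only so abandoned sessions do not accumulate, and a periodic job would call it.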

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub