AAAI-02

For customers not using SSO, does your solution support local authentication protocols for user and administrator authentication?

Explanation

This question is asking whether your software solution supports local authentication methods for users and administrators when Single Sign-On (SSO) is not being used. Local authentication refers to authentication mechanisms that are managed directly within your application rather than delegated to an external identity provider. Examples include username/password combinations stored in your application's database, multi-factor authentication managed by your application, or other built-in authentication protocols.

This question is being asked in a security assessment because organizations need to understand all available authentication options for your solution. While SSO is often preferred for enterprise environments (as it centralizes identity management), many organizations may not have SSO capabilities or may need alternative authentication methods for certain scenarios. Security assessors want to ensure that even when local authentication is used, it follows security best practices.

To best answer this question, you should:

1. Clearly state whether your solution supports local authentication when SSO is not used
2. Describe the specific local authentication protocols supported (e.g., username/password, multi-factor authentication, etc.)
3. Mention any security features implemented for these local authentication methods (password complexity requirements, account lockout policies, etc.)
4. Explain how administrator authentication differs from regular user authentication, if applicable
5. Note any compliance standards your local authentication methods adhere to

Example Responses

Example Response 1

Yes, our solution supports robust local authentication protocols when SSO is not utilized. For standard users, we offer username/password authentication with enforced password complexity requirements (minimum 12 characters, upper/lowercase, numbers, and special characters), and optional multi-factor authentication via email, SMS, or authenticator apps. For administrators, we require multi-factor authentication by default and implement stricter password policies. All passwords are stored using bcrypt with appropriate salt values, and we enforce account lockout after 5 failed attempts with a 30-minute lockout period. Our local authentication methods comply with NIST 800-63B guidelines for Authentication and Lifecycle Management.

Example Response 2

Yes, our platform supports local authentication when SSO is not available. We implement a role-based authentication system where both users and administrators authenticate using email addresses and passwords. All passwords must meet complexity requirements (8+ characters with a mix of character types). We support TOTP-based multi-factor authentication through Google Authenticator or similar apps, which is optional for standard users but mandatory for administrator accounts. Password hashing uses Argon2id with appropriate work factors, and we implement progressive delays after failed login attempts rather than hard lockouts. Authentication logs are maintained for all login attempts, successful or failed, and are available for review in the admin console.

Example Response 3

No, our solution does not currently support local authentication protocols. Our authentication system is designed exclusively around SSO integration with major identity providers (Microsoft Azure AD, Okta, Google Workspace, etc.) to ensure centralized identity management and security control. This architectural decision was made to enhance security by eliminating password storage within our application and leveraging the robust security features of enterprise identity providers. For customers without SSO capabilities, we recommend setting up a lightweight identity provider like Auth0 or Okta's free tier, which can then connect to our application. We recognize this limitation may impact some potential customers, and we have local authentication on our product roadmap for future development.
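As an added example that is not part of the ResponseHub page or any product it describes, the following minimal local authenticator implements the controls quoted in Example Response 1: the 12-character mixed-class complexity rule, lockout after 5 failed attempts for 30 minutes, and salted, slow password hashing. It uses `hashlib.scrypt` from the Python standard library as a stand-in for the bcrypt/Argon2id named in the responses (an assumption made for portability); the in-memory user store and usernames are constructed for the demonstration.

```python
"""Local authentication with a complexity rule, failure counting and lockout."""
import hashlib
import hmac
import os
import re
import time

MIN_LENGTH = 12          # minimum password length from the example response
MAX_FAILED = 5           # failed attempts before lockout
LOCKOUT_SECONDS = 30 * 60
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)  # stand-in for bcrypt/Argon2id cost


def password_meets_policy(password):
    """At least 12 characters with upper, lower, digit and special character."""
    if len(password) < MIN_LENGTH:
        return False
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return all(re.search(pattern, password) for pattern in classes)


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh 16-byte random salt is used per password."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)


class LocalAuthenticator:
    """Constructed in-memory store: username -> (salt, hash) plus failure state."""

    def __init__(self):
        self.users = {}     # username -> (salt, digest)
        self.failures = {}  # username -> (failed_count, last_failure_timestamp)

    def register(self, username, password):
        if not password_meets_policy(password):
            raise ValueError("password does not meet complexity policy")
        self.users[username] = hash_password(password)

    def login(self, username, password, now=None):
        """Return 'ok', 'locked' or 'denied'. Unknown users take the same
        'denied' path as wrong passwords so the response does not reveal
        which accounts exist."""
        now = time.time() if now is None else now
        count, last = self.failures.get(username, (0, 0.0))
        if count >= MAX_FAILED:
            if now - last < LOCKOUT_SECONDS:
                return "locked"
            count = 0  # lockout window elapsed, start a fresh count
        record = self.users.get(username)
        if record is not None:
            salt, stored = record
            _, candidate = hash_password(password, salt)
            if hmac.compare_digest(candidate, stored):  # constant-time compare
                self.failures.pop(username, None)
                return "ok"
        self.failures[username] = (count + 1, now)
        return "denied"
```

The `now` parameter lets the lockout clock be driven explicitly in tests; in production it defaults to wall-clock time.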

Context

Tab: Product
Category: Authentication, Authorization, and Account Management

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub