# Security

### <span class="mw-headline" id="bkmrk-authentication-1">Authentication</span>

Authentication is based on username/password.

Optionally, two-factor authentication can be set up using a mix of

- SMS sent to the user's phone
- IP address of the caller

#### <span id="bkmrk-"></span><span class="mw-headline" id="bkmrk-single-sign-on-%28opti-1">Single sign-on (optional)</span>

Single sign-on integration is included for

- ADFS
- LDAP (and AD)
- Google, Azure, Facebook, LinkedIn

Group membership synchronization is available for

- ADFS
- LDAP

#### <span id="bkmrk--1"></span><span class="mw-headline" id="bkmrk-anonymous-users-%28opt-1">Anonymous users (optional)</span>

External users can access data via the following methods:

- Create new records: public link
    - Services can be protected by a CAPTCHA test
- Edit existing records: specific link sent to the user
    - Links can expire after a certain amount of time
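One way such an expiring edit link can be implemented, shown here as an added illustration rather than the product's own mechanism (the key, token format and function names are assumptions): the record id and expiry timestamp are bound together with an HMAC, so the recipient can neither extend the deadline nor point the link at a different record.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo secret; a real deployment loads this from a secrets store.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def _sign(payload: bytes) -> str:
    """URL-safe base64 HMAC-SHA256 tag over the payload (padding stripped)."""
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).rstrip(b"=").decode()


def make_edit_token(record_id: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Token of the form '<record_id>:<expires>:<sig>' (hypothetical format).

    The signature covers both record id and expiry, so neither can be edited.
    """
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    payload = f"{record_id}:{expires}".encode()
    return f"{record_id}:{expires}:{_sign(payload)}"


def verify_edit_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the record id if the token is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        # rsplit from the right so a record id containing ':' still parses.
        record_id, expires_str, sig = token.rsplit(":", 2)
        expires = int(expires_str)
    except ValueError:
        return None  # malformed token
    expected = _sign(f"{record_id}:{expires}".encode())
    # Constant-time comparison avoids leaking the tag through timing.
    if not hmac.compare_digest(sig, expected):
        return None  # tampered: record id or expiry was altered
    if now >= expires:
        return None  # link has expired
    return record_id
```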

### <span class="mw-headline" id="bkmrk-authorization-1">Authorization</span>

User permissions are granted via inheritable group membership.

Authorization schemes:

- Field level control
- State model
- Data ownership

Additionally, special roles can be assigned:

- Administrator (backend)
- Bulk operations

### <span class="mw-headline" id="bkmrk-encryption-1">Encryption</span>

Transport encryption is based on SSL/TLS, enforced via HTTPS policies.

- Cloud hosting includes the option of free SSL certificates

Storage encryption is best handled via operating system measures:

- Linux: LUKS
- Windows: BitLocker

Passwords are hashed using the bcrypt algorithm.

### <span class="mw-headline" id="bkmrk-protection-1">Protection</span>

The platform complies with all requirements of OWASP Level 2:

- Attack protection: SQL injection, XSS, CSRF
- Password policies