For more advanced authentication use cases, such as multi-factor authentication (MFA), configurable password policies, or authenticating with existing enterprise user accounts, Expert provides both OpenID Connect and SAML SSO identity provider services.
Expert requires that all Expert-powered websites are secured with TLS/SSL. All sign-in requests are sent as a web form HTTP POST over HTTPS.
User passwords can be assigned or reset by a site administrator or by the users themselves. We do not require passwords to be reset at regular intervals. Passwords must contain a combination of the following character classes:
- Lowercase alpha characters
- Uppercase alpha characters
- Non-word characters (symbols)
Passwords must also pass these additional checks:
- Minimum password length
- Password must not contain any words from a list of commonly used bad passwords
We do not store user passwords as plain text. A password is cryptographically hashed, and the hash is used only to validate the password presented in a sign-in request. Passwords are never displayed, sent in email, communicated by phone, or otherwise made available for viewing.
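The policy checks and hashed storage described above, as an added example (this is illustrative code, not Expert's own implementation). The minimum length, the bad-password list and the choice of PBKDF2-HMAC-SHA256 are assumptions; the page states the checks but not their values or the hash algorithm in use.

```python
import hashlib
import hmac
import os
import re

# Hypothetical policy parameters: the page lists these checks but not their values.
MIN_LENGTH = 12
# Constructed stand-in for the "commonly used bad passwords" list.
BAD_PASSWORDS = ("password", "123456", "qwerty", "letmein", "welcome")

# PBKDF2-HMAC-SHA256 is used here as the slow, salted hash; the page does not
# name the algorithm Expert uses.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def check_password_policy(password: str) -> list:
    """Return the policy violations for a candidate password (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[a-z]", password):
        problems.append("missing lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("missing uppercase letter")
    if not re.search(r"[^\w]", password):          # \w covers letters, digits and '_'
        problems.append("missing symbol")
    if any(bad in password.lower() for bad in BAD_PASSWORDS):
        problems.append("contains a commonly used password")
    return problems


def hash_password(password: str, salt: bytes = None) -> str:
    """Derive a salted hash and encode it as algorithm$iterations$salt$digest."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def set_password(password: str) -> str:
    """Enforce the policy, then return the hash, which is all the user store keeps."""
    problems = check_password_policy(password)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    stored = set_password("Tr0ub4dor&3-ok")
    print(stored)
    print(verify_password("Tr0ub4dor&3-ok", stored), verify_password("wrong", stored))
```

The stored string carries its own salt and iteration count, so the cost factor can be raised later and old hashes are still verifiable; the plaintext never leaves `set_password` and `verify_password`.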
Forgotten password reset
Users who have forgotten their sign-in password can request to reset it by email. The user must know their username, because the sign-in experience does not provide a username retrieval option. The password reset feature does not indicate whether a password reset email was actually sent, and does not expose the existence or non-existence of a user account associated with a username. The password reset email does not contain the user's original password or a new password, but rather a secure link that redirects the user to a password reset form, so no password is ever transmitted by email.
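The reset flow described above, as an added example that is not Expert's code: the response to a reset request is the same whether or not the username exists, the email carries only a random single-use link, and the server keeps just a hash of the token with an expiry. The user directory, the reset-form URL and the 15-minute lifetime are constructed or hypothetical values.

```python
import hashlib
import secrets
import time

# Constructed user directory; a real deployment reads this from its user store.
USERS = {"alice": {"email": "alice@example.invalid"}}

# Pending resets keyed by the SHA-256 of the token, so a leaked copy of this
# table does not yield usable reset links. Value: (username, expiry time).
PENDING_RESETS = {}
TOKEN_TTL_SECONDS = 15 * 60          # hypothetical lifetime

# Hypothetical reset-form location; the real URL is site specific.
RESET_FORM_URL = "https://example.invalid/reset-password"

# Stand-in for the mail system: records (recipient, body) instead of sending.
OUTBOX = []

GENERIC_RESPONSE = "If an account with that username exists, a password reset email has been sent."


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def send_email(recipient: str, body: str) -> None:
    OUTBOX.append((recipient, body))


def request_password_reset(username: str, now: float = None) -> str:
    """Handle a reset request; the response is identical whether or not the user exists."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is not None:
        token = secrets.token_urlsafe(32)                 # 256 bits from the OS CSPRNG
        PENDING_RESETS[_token_hash(token)] = (username, now + TOKEN_TTL_SECONDS)
        # The email carries only the link; no current or new password is included.
        send_email(user["email"], "Reset your password: %s?token=%s" % (RESET_FORM_URL, token))
    return GENERIC_RESPONSE


def redeem_reset_token(token: str, now: float = None):
    """Return the username entitled to set a new password, or None if the token is
    unknown, already used, or expired. Tokens are single use."""
    now = time.time() if now is None else now
    entry = PENDING_RESETS.pop(_token_hash(token), None)
    if entry is None:
        return None
    username, expiry = entry
    if now > expiry:
        return None
    return username
```

Because the lookup key is the token's hash, an attacker who reads the pending-reset table still cannot construct a valid link, and because the entry is popped on first use, a link cannot be replayed after the user has set a new password.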
Mitigating brute force attacks
A possible attack vector against sign-in forms without multi-factor authentication is a flood of different passwords intended to eventually discover a valid username and password combination. Expert detects this type of attack and mitigates it by disabling the username under attack, allowing the site administrator to examine the situation and re-enable the account if necessary. For more information, see Why am I locked out?
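The lockout behaviour described above, as an added example (not Expert's code): a guard around the credential check counts consecutive failures per username, disables the username once a threshold is reached, stops evaluating credentials for a disabled username, and records what happened for the administrator, who can re-enable the account. The threshold of five and the demo credential store are assumptions; the page does not give the number.

```python
import hmac
import threading
from dataclasses import dataclass

# Hypothetical threshold; the page does not say how many failures trigger the lock.
MAX_FAILED_ATTEMPTS = 5


@dataclass
class AccountState:
    failed_attempts: int = 0
    disabled: bool = False


class SignInGuard:
    """Wraps a credential check with per-username failure counting and lockout."""

    def __init__(self, verify_credentials, max_failed: int = MAX_FAILED_ATTEMPTS):
        self._verify = verify_credentials
        self._max_failed = max_failed
        self._accounts = {}
        self._lock = threading.Lock()
        self.audit_log = []      # what the site administrator gets to review

    def sign_in(self, username: str, password: str) -> str:
        with self._lock:
            state = self._accounts.setdefault(username, AccountState())
            if state.disabled:
                # Credentials are not evaluated for a disabled username, so
                # continued guessing learns nothing until an admin re-enables it.
                self.audit_log.append("refused %s: account disabled" % username)
                return "denied"
            if self._verify(username, password):
                state.failed_attempts = 0
                return "ok"
            state.failed_attempts += 1
            if state.failed_attempts >= self._max_failed:
                state.disabled = True
                self.audit_log.append(
                    "disabled %s after %d consecutive failures" % (username, state.failed_attempts))
            return "denied"

    def is_disabled(self, username: str) -> bool:
        state = self._accounts.get(username)
        return bool(state and state.disabled)

    def failed_attempts(self, username: str) -> int:
        state = self._accounts.get(username)
        return state.failed_attempts if state else 0

    def admin_reenable(self, username: str) -> None:
        """Administrator action after reviewing the audit log."""
        with self._lock:
            self._accounts[username] = AccountState()
            self.audit_log.append("re-enabled %s by administrator" % username)


# Constructed demo credential check. A real store compares against salted hashes;
# plaintext is used here only to keep the lockout logic in focus.
DEMO_CREDENTIALS = {"alice": "Correct-Horse-7!"}


def demo_verify(username: str, password: str) -> bool:
    if username not in DEMO_CREDENTIALS:
        return False
    return hmac.compare_digest(DEMO_CREDENTIALS[username].encode(), password.encode())
```

The same "denied" result is returned for a wrong password, an unknown username and a disabled account, so the sign-in form itself does not tell the attacker which of the three applies; the detail lives in the audit log for the administrator.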