Security information

Password Policy

We use bcrypt, a Blowfish-based password hashing function, with a per-password salt and a cost factor of 10 to store user passwords.

On the user side we require complex passwords, with customizable options that admins can activate through the back-office. The default requirement is a minimum length of 8 characters containing both lowercase and uppercase characters. In addition, admins can increase the minimum length and make numbers and special characters mandatory in the password.

Authentication methods

The default authentication method is Email/Password authentication. Admins can enable Single Sign-On (SSO) authentication methods using third party services.

Facebook, Google and LinkedIn

Anyone with an account on these services can register and connect to the platform; no specific configuration is needed on the client's side.

Microsoft Entra (previously Microsoft Azure AD)

Our platform only supports the OpenID Connect (OIDC) implementation.

Authentication Application Setup

The client’s team in charge of SSO has to register a new application directly on the Microsoft Entra portal and select the following option: ID tokens (used for implicit and hybrid flows). Mandatory scopes / API permissions: openid, email and profile.

Sign-in redirection URIs will be provided by BeMyApp to the client.

Once the new application is created, the following information must be provided to BeMyApp so that we can set up the integration on the platform:

  • identityMetadata (provided by the Microsoft Identity Portal)
  • clientID (BeMyApp’s client ID in Microsoft Entra)
  • clientSecret

A testing account can be helpful to make sure the integration is working as expected. If one cannot be provided, make sure to give BeMyApp the contact information of someone who will be able to test the integration.

Okta

Our platform only supports the OpenID Connect (OIDC) implementation.

Authentication Application Setup

The client’s team in charge of SSO has to register a new application directly on the Okta portal and select the following options: OpenID Connect and Web Application. Mandatory scopes / API permissions: openid, email and profile.

Sign-in redirection URIs will be provided by BeMyApp to the client.

Once the new application is created, the following information must be provided by the customer to BeMyApp so that we can set up the integration on the platform:

  • Client’s Okta domain
  • Public Okta application client credential (also known as the clientID)
  • Private Okta application client credential (also known as the clientSecret)
  • Identity Provider (optional)

A testing account can be helpful to make sure the integration is working as expected. If one cannot be provided, make sure to give BeMyApp the contact information of someone who will be able to test the integration.

Additional Authentication options

The platform also offers several options related to authentication:

Multi-Factor Authentication (MFA) for admins

When activated, all admin accounts need to enter an 8-digit code received by email in order to log in.

Sign Up - Allowlist

When activated, only users with an email address in the allowed domain(s) can register on the platform.

Sign Up - Blocklist

When activated, users cannot register with an email address in a blocked domain.

Active session limitation

When activated, each user is limited to one active session, which prevents them from being connected on different browsers or devices at the same time with the same account.

Disable Email/Password authentication

It is possible to disable the ability to log in with email/password, but only if at least one SSO method is enabled.

Even with this option enabled, BeMyApp staff are still able to log in to the platform using email/password.

Client admins can be given the ability to log in using email/password if needed.

IP Filter

This feature limits platform access to allowed IPs or IP ranges. Users connecting from an IP outside the authorized ones cannot see the platform and receive a 403 error.

Be sure that at least one of your own IPs is allowed before enabling the feature; otherwise you will no longer be able to access the platform until we intervene.

We recommend making sure your IPs are not dynamic, to avoid losing access to the platform unexpectedly during your event.

The IPs of our offices are in the allowlist by default and keep access to the platform when this feature is activated.
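As an added illustration of how the IP filter behaves (example code written for this page, not the platform's own implementation), the following check returns 403 for addresses outside every allowed range and refuses to enable the filter from an address that the resulting allowlist would lock out, which is the situation the note above warns about. All addresses and the vendor default range are constructed documentation values.

```python
import ipaddress

# Constructed placeholder for the vendor offices that are allowlisted by default.
DEFAULT_VENDOR_ALLOWLIST = ["203.0.113.0/24"]
# Constructed client allowlist: one office range and one single address.
CLIENT_ALLOWLIST = ["198.51.100.0/26", "192.0.2.10"]


def parse_allowlist(entries):
    """Turn single IPs or CIDR ranges into network objects (IPv4 or IPv6)."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def is_allowed(ip, allowlist):
    """True if the client address falls inside any allowed network."""
    addr = ipaddress.ip_address(ip)
    # Membership across IP versions is simply False, so mixed lists are safe.
    return any(addr in net for net in allowlist)


def http_status_for(ip, allowlist, filter_enabled=True):
    """Status the platform would answer with: 403 outside the allowlist."""
    if not filter_enabled:
        return 200
    return 200 if is_allowed(ip, allowlist) else 403


def can_enable_ip_filter(client_entries, admin_ip,
                         vendor_entries=DEFAULT_VENDOR_ALLOWLIST):
    """Pre-flight check: the admin enabling the filter must keep access."""
    allowlist = parse_allowlist(list(vendor_entries) + list(client_entries))
    return is_allowed(admin_ip, allowlist)


def enable_ip_filter(client_entries, admin_ip,
                     vendor_entries=DEFAULT_VENDOR_ALLOWLIST):
    """Build the effective allowlist, or refuse if it would lock the admin out."""
    if not can_enable_ip_filter(client_entries, admin_ip, vendor_entries):
        raise ValueError(
            f"refusing to enable IP filter: {admin_ip} is not in the allowlist")
    return parse_allowlist(list(vendor_entries) + list(client_entries))


if __name__ == "__main__":
    effective = enable_ip_filter(CLIENT_ALLOWLIST, "198.51.100.5")
    for probe in ("198.51.100.20", "198.51.100.70", "192.0.2.10", "2001:db8::1"):
        print(probe, http_status_for(probe, effective))
```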

Content Security Policy WIP

The platform uses a Content Security Policy (CSP) to restrict the domains whose content can interact with the platform.