Security information
Password Policy
We hash stored user passwords with bcrypt, a salted, Blowfish-based password hash, using a cost factor of 10 (10 rounds in bcrypt terms).
On the user side we require complex passwords, with options that admins can adjust through the back-office. The default requirement is a minimum length of 8 characters containing both lowercase and uppercase characters. Admins can raise the minimum length and make numbers and special characters mandatory.
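The complexity rules above, as an added example (not BeMyApp's own code): a small policy checker whose defaults match the page (8 characters, lowercase and uppercase) and whose optional switches correspond to the admin settings. The 72-byte check is a practitioner caveat about bcrypt's input limit, not something the page states.

```python
from dataclasses import dataclass
import string

BCRYPT_MAX_BYTES = 72  # bcrypt silently ignores input beyond 72 bytes


@dataclass
class PasswordPolicy:
    # Defaults mirror the page: 8 characters, lowercase and uppercase required.
    # Admins may raise min_length and switch on the digit/special requirements.
    min_length: int = 8
    require_lowercase: bool = True
    require_uppercase: bool = True
    require_digit: bool = False
    require_special: bool = False

    def violations(self, password: str) -> list[str]:
        """Return the name of every rule the password fails (empty list = accepted)."""
        failed = []
        if len(password) < self.min_length:
            failed.append(f"min_length:{self.min_length}")
        if self.require_lowercase and not any(c.islower() for c in password):
            failed.append("lowercase")
        if self.require_uppercase and not any(c.isupper() for c in password):
            failed.append("uppercase")
        if self.require_digit and not any(c.isdigit() for c in password):
            failed.append("digit")
        if self.require_special and not any(c in string.punctuation for c in password):
            failed.append("special")
        # Anything past 72 bytes would not be hashed by bcrypt, so reject it
        # rather than let the user believe the whole password is checked.
        if len(password.encode("utf-8")) > BCRYPT_MAX_BYTES:
            failed.append("bcrypt_72_bytes")
        return failed

    def accepts(self, password: str) -> bool:
        return not self.violations(password)


DEFAULT_POLICY = PasswordPolicy()
# Hypothetical stricter configuration an admin could enable in the back-office.
STRICT_POLICY = PasswordPolicy(min_length=12, require_digit=True, require_special=True)

if __name__ == "__main__":
    for pw in ["Abcdefgh", "abcdefgh", "Abcdefgh1!", "Tr0ub4dor&3xtra"]:
        print(pw, DEFAULT_POLICY.violations(pw), STRICT_POLICY.violations(pw))
```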
Authentication methods
The default authentication method is email/password. Admins can enable Single Sign-On (SSO) authentication methods using third-party services.
Facebook, Google and LinkedIn
Anyone with an account can register and connect to the platform, no specific configuration is needed for the client.
Microsoft Entra (previously Microsoft Azure AD)
Our platform only supports the OpenID Connect (OIDC) implementation.
Authentication Application Setup
The client's team in charge of SSO has to register a new application directly in the Microsoft Entra portal and select the following option: ID tokens (used for implicit and hybrid flows). Mandatory scopes / API permissions: openid, email and profile.
Sign-in redirection URIs will be provided by BeMyApp to the client.
When the new application is created, the following information must be provided to BeMyApp in order for us to set up the integration on the platform:
- identityMetadata (provided by the Microsoft Identity Portal)
- clientID (BeMyApp's client ID in Microsoft Entra)
- clientSecret
A testing account can be helpful to make sure the integration is working as expected. If this cannot be provided, make sure to give BeMyApp the contact information of someone who will be able to test the integration.
Okta
Our platform only supports the OpenID Connect (OIDC) implementation.
Authentication Application Setup
The client's team in charge of SSO has to register a new application directly in the Microsoft Entra Portal and select the following options: OpenID Connect and Web Application. Mandatory scopes / API permissions: openid, email and profile.
Sign-in redirection URIs will be provided by BeMyApp to the client.
When the new application is created, the following information must be provided by the customer to BeMyApp in order for us to set up the integration on the platform:
- Client's Okta Domain
- Public Okta Application Client Credentials (also known as clientID)
- Private Okta Application Client Credentials (also known as clientSecret)
- Identity Provider (optional)
A testing account can be helpful to make sure the integration is working as expected. If this cannot be provided, make sure to give BeMyApp the contact information of someone who will be able to test the integration.
Additional Authentication options
The platform also offers multiple options related to authentication:
Multi-Factor Authentication (MFA) for admins
When activated, all admin accounts must enter an 8-digit code received by email in order to log in.
Sign Up - Allowlist
When activated, only allowed email domain(s) can register on the platform.
Sign Up - Blocklist
When activated, users cannot register with blocked email domains.
Active session limitation
When activated, this limits each user to one active session, which prevents them from being connected on different browsers/devices at the same time with the same account.
Disable Email/Password authentication
It is possible to disable the ability to log in with email/password only if at least one SSO method is enabled.
Even with this option enabled, BeMyApp staff are still able to log in to the platform using email/password.
Client admins can be given the ability to log in using email/password if needed.
IP Filter
This feature is meant to limit platform access to allowed IPs or IP ranges. Users with an IP outside the authorized ones are not able to see the platform and receive a 403 error.
Be sure to have at least one of your own IPs allowed before enabling the feature; otherwise you will lose access to the platform until we intervene.
We recommend making sure your IPs are not dynamic, to prevent losing access to the platform unexpectedly during your event.
Our offices are in the allowlist by default and keep access to the platform when this feature is activated.
Content Security Policy WIP
We use a Content Security Policy (CSP) to restrict the domains whose content can be loaded by, or interact with, the platform.