Configure Sessions and Account Management #63

Open
abokov opened this issue Jul 2, 2021 · 0 comments
abokov commented Jul 2, 2021

Session management capabilities allow you to configure how often your users need to provide sign-in credentials and whether they need to provide credentials after closing and reopening browsers, giving you fine-grained controls that can offer more security and flexibility in your environment. Account management refers to providing requirements around creating and maintaining user and special accounts.

All approaches for human authentication rely on at least one of the following:

  • Something you know (e.g. a password). This is the most common kind of authentication used for humans. We use passwords every day to access our systems. Unfortunately, something that you know can become something you just forgot. And if you write it down, then other people might find it.
  • Something you have (e.g. a smart card). This form of human authentication removes the problem of forgetting something you know, but some object now must be with you any time you want to be authenticated. And such an object might be stolen and then becomes something the attacker has.
  • Something you are (e.g. a fingerprint). This bases authentication on something intrinsic to the principal being authenticated. It is much harder to lose a fingerprint than a wallet. Unfortunately, biometric sensors are fairly expensive and (at present) not very accurate.

Best Practices

  • Block legacy authentication protocols.
  • Manage and control access to corporate resources.
  • Set up self-service password reset (SSPR) for your users.
  • Extend cloud-based password policies to your on-premises infrastructure.
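As an added illustration of the two session settings the issue describes, sign-in frequency and persistent browser sessions, here is a minimal server-side model that decides when a user must re-enter credentials and which cookie attributes to issue. This is example code, not part of the original issue or of any product's API; the policy and session class names are assumed, and the login record is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class SessionPolicy:
    """Tenant-wide session settings (assumed names, not a real product API)."""
    sign_in_frequency: timedelta   # how often users must re-enter credentials
    persistent_browser: bool       # True: the session survives closing the browser

@dataclass(frozen=True)
class Session:
    user: str
    authenticated_at: datetime     # time of the last credential prompt (UTC)

def session_cookie_attributes(policy: SessionPolicy) -> dict:
    """Cookie attributes to issue under this policy.  Without Max-Age the cookie is a
    'session cookie' the browser discards on close, i.e. persistent_browser=False."""
    attrs = {"HttpOnly": True, "Secure": True, "SameSite": "Lax"}
    if policy.persistent_browser:
        attrs["Max-Age"] = int(policy.sign_in_frequency.total_seconds())
    return attrs

def evaluate(policy: SessionPolicy, session: Session, now: datetime,
             browser_reopened: bool) -> str:
    """Return 'allow' or 'reauthenticate' for a request arriving at `now`."""
    if now - session.authenticated_at >= policy.sign_in_frequency:
        return "reauthenticate"      # sign-in frequency has elapsed
    if browser_reopened and not policy.persistent_browser:
        return "reauthenticate"      # the session cookie was dropped on browser close
    return "allow"

# Constructed sample: one login event checked under two policies.
LOGIN = Session("alice", datetime(2021, 7, 2, 9, 0, tzinfo=timezone.utc))
STRICT = SessionPolicy(sign_in_frequency=timedelta(hours=8), persistent_browser=False)
RELAXED = SessionPolicy(sign_in_frequency=timedelta(days=14), persistent_browser=True)

def demo() -> dict:
    later_today = LOGIN.authenticated_at + timedelta(hours=3)
    next_week = LOGIN.authenticated_at + timedelta(days=9)
    return {
        "strict_same_tab": evaluate(STRICT, LOGIN, later_today, browser_reopened=False),
        "strict_reopened": evaluate(STRICT, LOGIN, later_today, browser_reopened=True),
        "relaxed_reopened": evaluate(RELAXED, LOGIN, later_today, browser_reopened=True),
        "strict_next_week": evaluate(STRICT, LOGIN, next_week, browser_reopened=False),
        "relaxed_next_week": evaluate(RELAXED, LOGIN, next_week, browser_reopened=True),
    }
```

The strict policy forces a fresh sign-in every 8 hours and whenever the browser is reopened, while the relaxed policy keeps the user signed in for up to 14 days across browser restarts; the trade-off between the two is exactly what the settings above let an administrator choose.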
@abokov abokov added this to the Security Domain milestone Jul 2, 2021