Risk-based and Multi-factor Authentication (RBA and MFA)
Gigya clients can add additional authentication steps to flows based on risk factors such as a customer’s device, current location, or a blacklisted location. The second factor can be a one-time code sent via SMS text or email, a CAPTCHA test, or even account lockout. It’s also possible to add a second layer of security when customers authenticate from new devices by requiring second-factor authentication in the form of a one-time password sent via text message or voice call. Finally, clients can lock a customer account, block a particular IP, or present a CAPTCHA test after a specified number of failed login attempts.
From Gigya’s Admin Console, clients can set password strength requirements for customers, such as length or complexity, and can also require customers to change their passwords regularly and not reuse old ones. Gigya supports multiple password reset flows, including reset by email or by security questions and answers, and a custom flow using a reset-password token generated via API call. All customer passwords are stored using the NIST-approved PBKDF2 hash, with a difficulty of 3000 rounds, 256-bit hashes, and randomly generated 256-bit salts.
Gigya clients can configure and send automated emails to verify user accounts, welcome users, trigger a password reset flow, and confirm that a customer has reset a password or deleted an account. These email templates are completely customizable using standard HTML and can be specified for multiple languages.
Account Harvesting Prevention
Gigya helps clients prevent login identifier harvesting by allowing them to surface a generic error message if a customer attempts to register with an existing email or username, rather than notifying him or her that it already exists.
Secure Digital Signatures
To prevent malicious activity during the social login process, Gigya uses HMAC-SHA1 digital signatures to prevent tampering with user IDs (UIDs) and enables clients to validate signatures before logging users in.
Advanced Key Management
Gigya provides a “secret key” to all clients, in the form of a cryptographically random value shared between client-side applications and Gigya’s system. Clients may also leverage user or application keys to enable validation of UIDs by third-party plugins.