Credential Intelligence
Overview
Credential Intelligence is a project template that provides a set of pre-configured patterns to help you build a credential intelligence solution. This solution is designed to help you detect and respond to credential leaks and breaches in your identity management.
Getting Started
To get started with the Credential Intelligence project template, follow these steps:
Navigate to nevisAdmin4 -> Resources -> Project Templates.
Select the Credential Intelligence Integration project template.
Choose a name for the project and click Create.

The project template
The Credential Intelligence Project Template has the following patterns:

Credential Intelligence
The Credential Intelligence label shows the following set of configured patterns:
Pattern Name | Type | Description |
---|---|---|
auth_done | Authentication Done | The very last step of the authentication; marks the end of the flow. |
Credential Intelligence (Login) | Credential Intelligence Integration | This pattern is connected to the login flow. It checks for compromised passwords during login. |
Credential Intelligence (Registration) | Credential Intelligence Integration | This pattern is connected to the registration flow. It checks for compromised passwords during registration. |
nevisIDM Change Credential (Registration) | nevisIDM Change Password State | If a compromised password is detected, this pattern lets the user change it after pressing the "Change Password" button. |
nevisIDM Change Credential (Login) | nevisIDM Change Password State | If a compromised password is detected, this pattern lets the user change it after pressing the "Change Password" button. |
Self Registration flow for IDM
For more details on setting up a self-registration flow for IDM, refer to the Simple Sign-Up/Sign-In Project Template.
Other labelled components
For more core setup related information refer to the Configuration Guide documentation.
What does this pattern do?
This document provides a brief overview of how this integration works.
- Password Hashing: The script takes the user's password and hashes it using the SHA-1 hashing algorithm.
- API Call: The script sends the first five characters of the generated SHA-1 hash to a public API.
- API Response: The API responds with a list of 300 passwords that have the same first five characters as the SHA-1 hash.
- Remainder Check: The script checks the remaining characters of the SHA-1 hash against the list of 300 passwords.
- User Alert: If the remaining hash is found in the response, the script triggers a GUI that warns the user that their password might be unsafe.
- Authentication Flow Continuation: If no match is found, the script allows the authentication process to continue as usual.
Error Handling
If an error occurs, script execution stops and the pattern's default action is triggered, so the authentication flow is not interrupted.
You can change the default timeout value in the pattern's advanced settings to match your requirements.
If the API is unavailable when a user sets a compromised password, the user is prompted at the next login, once the API is back online.
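The lookup steps and the error handling described above, as an added Python example that is not the template's own script: only the five-character prefix is handed to the API, the remainder is matched locally, and a failed lookup lets the flow continue. The function names, the `REMAINDER:COUNT` line layout of the response, the sample passwords and the offline fake API are assumptions made for this illustration.

```python
import hashlib

def split_sha1(password):
    """SHA-1 the password; return (5-char prefix to send, 35-char remainder kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(remainder, body):
    """Look for our remainder in a response of 'REMAINDER:COUNT' lines; 0 if absent."""
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if len(candidate) != 35 or not count.isdigit():
            continue  # ignore malformed lines instead of failing the login
        if candidate.upper() == remainder:
            return int(count)
    return 0

def check_password(password, fetch_range):
    """Return 'compromised', 'ok', or 'skipped' when the lookup itself fails."""
    prefix, remainder = split_sha1(password)
    try:
        body = fetch_range(prefix)  # only the 5-character prefix leaves the process
    except Exception:
        return "skipped"  # like the pattern's default action: the flow is not broken
    return "compromised" if breach_count(remainder, body) > 0 else "ok"

def make_fake_api(breached, seen):
    """Constructed offline stand-in for the public API; records what it is sent."""
    def fetch(prefix):
        seen.append(prefix)
        lines = ["0" * 35 + ":3"]  # constructed decoy entry
        for pw in breached:
            pre, rem = split_sha1(pw)
            if pre == prefix:
                lines.append(f"{rem}:42")  # constructed occurrence count
        return "\r\n".join(lines)
    return fetch

if __name__ == "__main__":
    seen = []
    api = make_fake_api(["Winter2024!"], seen)  # constructed sample password
    print(check_password("Winter2024!", api))
    print(check_password("k7#Lm2-pale-otter-stair", api))
    print(seen)  # the API only ever saw 5-character prefixes
```

A "skipped" result should be logged so the check can be repeated at the next login, as the outage note above describes.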
API information
The API is provided by Have I Been Pwned.