Notes

⚠️ Critical Authentication Behaviors

🔒 Blocked User Handling

  • Cooling Period Users: Users serving a cooling period see an explicit error message
  • Time Remaining: Clear indication of how long the user must wait
  • Status Display: The cooling period message with the remaining time, or the blocked status, is shown
  • No Authentication: The user cannot proceed with authentication during the lockout

✅ Normal User Processing

  • Standard Flow: Users not in blocked status proceed through normal authentication
  • No Status Disclosure: System doesn't reveal actual user status during normal flow
  • Security Measure: Prevents information disclosure about user account status
  • Consistent Experience: All users see the same authentication flow regardless of internal status

🔧 System Behavior Patterns

🛡️ Security Through Obscurity

  • Status Concealment: System doesn't reveal user account status during normal authentication
  • Error Generalization: Authentication errors kept generic to prevent information leakage
  • Attack Prevention: Reduces attackers' ability to enumerate valid usernames
  • Consistent Response: Same authentication flow for all users regardless of account status

📊 Error Message Strategy

  • Specific When Blocked: Clear messages when user is explicitly blocked or in cooling period
  • Generic Otherwise: Generic, non-specific error messages for authentication failures to prevent enumeration
  • User-Friendly: Balance between security and usability in error messaging
  • Support Guidance: Clear paths to support when users experience persistent issues
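The blocked-user handling and error message strategy above, as an added example that is not the product's own code: a lockout check that is explicit about the cooling period (with the remaining time) while an unknown username and a wrong password collapse into one generic response. The account records, field names and messages are constructed for the example.

```python
"""Added example: explicit lockout messages, generic failures otherwise."""
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Fixed "current time" so the sample is deterministic (constructed).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


@dataclass
class Account:
    username: str
    password: str                  # plaintext only to keep the sample short
    blocked: bool = False
    cooling_until: Optional[datetime] = None


# Constructed sample directory (hypothetical users).
SAMPLE_DIRECTORY: Dict[str, Account] = {
    "alice": Account("alice", "correct horse"),
    "bob": Account("bob", "secret", cooling_until=NOW + timedelta(minutes=3, seconds=30)),
    "carol": Account("carol", "secret", blocked=True),
}

GENERIC_FAILURE = "Authentication failed. Check your credentials or contact support."


def lockout_message(acct: Account, now: datetime) -> Optional[str]:
    """Explicit message for blocked / cooling-period users, None if they may proceed."""
    if acct.blocked:
        return "Your account is blocked. Please contact support."
    if acct.cooling_until is not None and acct.cooling_until > now:
        remaining = int((acct.cooling_until - now).total_seconds())
        minutes = -(-remaining // 60)          # round up so we never understate the wait
        return f"Too many attempts. Try again in {minutes} minute(s)."
    return None


def authenticate(directory: Dict[str, Account], username: str, password: str, now: datetime) -> dict:
    """Map the internal outcome to the user-facing response."""
    acct = directory.get(username)
    if acct is not None:
        msg = lockout_message(acct, now)
        if msg:
            return {"ok": False, "message": msg}   # specific: the user is told to wait
        if hmac.compare_digest(acct.password.encode(), password.encode()):
            return {"ok": True, "message": "Proceed to the next factor"}
    else:
        hmac.compare_digest(b"dummy-to-equalize-timing", password.encode())
    # Unknown user and wrong password share one response, so neither reveals account status.
    return {"ok": False, "message": GENERIC_FAILURE}
```

Note that the explicit cooling-period message does confirm that the account exists, which is the trade-off the notes above accept for blocked users.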

🔄 Authentication Flow Variations

🌐 Remember Me Impact

  • Flow Alteration: Remember Me selection significantly changes subsequent authentication flows
  • Duration Management: Remembered status has configurable lifetime
  • Security Trade-off: Organizations must weigh the convenience of remembered browsers against the security cost
  • User Control: Users can manage remembered browsers through User Portal

👤 User Type Dependencies

  • REL-ID Mobile Users: Have additional authentication options (Push, TOTP)
  • Web-Only Users: Limited to web-registered factors (Password, SMS, Email)
  • Hybrid Users: Can utilize both mobile and web authentication factors
  • Dynamic Options: Available authentication methods change based on user profile

🔧 Configuration Dependencies

⚙️ Administrator Control Points

  • Factor Availability: allowed.auth.factors configuration controls available options
  • Registration Control: allowed.reg.factors affects user setup capabilities
  • Policy Enforcement: Various configurations impact authentication flow behavior
  • System Integration: Configuration changes may require service restarts

🔄 Dynamic Configuration Impact

  • Real-time Changes: Some configuration changes take effect immediately
  • Service Restart Required: Major configuration changes require a service restart
  • User Impact: Configuration changes can affect user authentication experience
  • Testing Requirements: Configuration changes should be tested before production deployment

📊 Performance and Scalability Notes

🚀 Session Management

  • Session Storage: Authentication sessions maintained securely
  • Timeout Handling: Sessions have configurable timeout periods
  • Concurrent Sessions: System supports multiple concurrent sessions per user
  • Resource Management: Session cleanup processes prevent resource exhaustion

📈 Load Considerations

  • Authentication Volume: System designed to handle high authentication volumes
  • Factor Verification: Different factors have different performance characteristics
  • Mobile Integration: Push notifications and TOTP have different latency profiles
  • Communication Dependencies: SMS and Email factors depend on external services

🛠️ Integration Considerations

🔗 RP Integration

  • Callback Handling: RPs must properly handle authentication callbacks
  • Error Processing: RPs should handle authentication errors gracefully
  • Token Management: Proper token exchange and validation required
  • User Experience: RPs should provide smooth transitions to/from authentication

📱 Mobile App Coordination

  • Synchronization: Web and mobile authentication must remain synchronized
  • Factor Consistency: Same user factors available across platforms
  • Policy Alignment: Security policies consistent between web and mobile
  • Cross-Platform Support: Users can switch between web and mobile seamlessly