Although each realm can vary in what information we collect or in what authentication policy is set up, there is a minimum set of recommendations that should be followed in each realm setup.

User registration fields

| # | Field | Mandatory | Type |
|---|---|---|---|
| 1 | First name | Mandatory | Native to Keycloak |
| 2 | Surname | Mandatory | Native to Keycloak |
| 3 | Username | Mandatory | Native to Keycloak |
| 4 | Email address | Mandatory | Native to Keycloak |
| 5 | Phone number | Mandatory | +CCC NNNNNNN |
| 6 | WhatsAppID | Mandatory | +CCC NNNNNNN |
| 7 | Preferred Language | Mandatory | additional field |
| 8 | Gender (or Age, or Age range) | Optional | additional field |
| 9 | Date of birth | Optional | additional field |
| 10 | Type of worker | per realm | additional field. Drop down value per realm |
| 11 | Employee ID | per realm | additional field |
| 12 | Health Unit | per realm | additional field. Drop down value per realm |
| 13 | City/Town | Optional | additional field. Drop down value per realm |
| 14 | SubNational L2 (rename for each realm) | per realm | additional field. Drop down value per realm |
| 15 | SubNational L1 (rename for each realm) | per realm | additional field. Drop down value per realm |

Information not collected:

  • Country: not necessary, as the user will be on a realm that

Policies

In general, we will set up Keycloak mirroring PSI’s authentication policy, which can be summarised as detailed below.

PSI’s Password policy
Status: implemented June 2023

  • 8 characters or more

  • Never expires

  • Must include

    • one lower case,

    • one upper case,

    • one number and

    • one special character

  • Not user name

  • Not email

PSI's 2FA
Status: implemented June 2023

  • Enrolment via FreeOTP, Google or Microsoft authenticator

  • Valid for 60 days per application/device

    • Example: if a user authenticates Firefox on a given laptop, and then uses Google Chrome on the same device, the user will need to authenticate again.

2FA optional
Status: NOT IMPLEMENTED

  • Geo-limit: if IP is > 500 miles from previous login, request 2FA

Additionally, PSI is due to implement OTP phone numbers for verification.

Keycloak policy - as implemented

...

Email verification
Status: implemented June 2023

If a user list is imported, emails can be marked as verified.

If users self-register, they are expected to verify their email by following the link sent at the time of account creation.

Phone Verification
Status: NOT IMPLEMENTED

If a user list is imported, phones can be marked as verified.

If users self-register, they are expected to verify their phone by entering the SMS sent to them at the time of account creation.
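
The implemented parts of this baseline (password policy and email verification) can be checked mechanically against a realm export. The script below is an added example, not part of the original page or of Keycloak itself; it assumes the export carries Keycloak's `passwordPolicy` string and `verifyEmail` flag, and the two sample realms are constructed.

```python
import re

# Baseline from this page: policy name -> minimum numeric argument (None = presence only).
REQUIRED = {
    "length": 8, "lowerCase": 1, "upperCase": 1, "digits": 1,
    "specialChars": 1, "notUsername": None, "notEmail": None,
}
# "Never expires": Keycloak's password expiry policy must be absent.
FORBIDDEN = {"forceExpiredPasswordChange"}

def parse_policy(policy):
    """Parse 'length(8) and notUsername(undefined)' into {'length': '8', ...}."""
    parsed = {}
    for part in filter(None, (p.strip() for p in (policy or "").split(" and "))):
        m = re.fullmatch(r"(\w+)(?:\((.*)\))?", part)
        if not m:
            raise ValueError(f"unparseable policy entry: {part!r}")
        parsed[m.group(1)] = m.group(2)
    return parsed

def audit_realm(realm):
    """Return a list of deviations from the baseline for one realm export dict."""
    findings = []
    policy = parse_policy(realm.get("passwordPolicy"))
    for name, minimum in REQUIRED.items():
        if name not in policy:
            findings.append(f"passwordPolicy: missing {name}")
        elif minimum is not None:
            value = policy[name]
            if not (value or "").isdigit() or int(value) < minimum:
                findings.append(f"passwordPolicy: {name}({value}) below {minimum}")
    for name in FORBIDDEN & policy.keys():
        findings.append(f"passwordPolicy: {name} set, passwords must not expire")
    if realm.get("verifyEmail") is not True:
        findings.append("verifyEmail is not enabled")
    return findings

# Constructed sample exports (hypothetical realm names, not real realms).
GOOD = {"realm": "example-a", "verifyEmail": True,
        "passwordPolicy": "length(8) and lowerCase(1) and upperCase(1) and digits(1) "
                          "and specialChars(1) and notUsername(undefined) and notEmail(undefined)"}
WEAK = {"realm": "example-b", "verifyEmail": False,
        "passwordPolicy": "length(6) and digits(1) and forceExpiredPasswordChange(90)"}

if __name__ == "__main__":
    for realm in (GOOD, WEAK):
        print(realm["realm"], audit_realm(realm) or "meets baseline")
```

The 2FA and phone verification items are not covered here, since they live in authentication flows and required actions rather than in these two realm attributes.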