Security

Authentication, authorization, and security best practices

Security Documentation

STING implements industry-leading security practices with passwordless authentication, WebAuthn, and advanced access controls.

🔑 Encryption & Key Management

New in v1.0: Encryption Key Management - Critical documentation for protecting user data. Always back up your encryption keys before upgrades!

Data Encryption

  • At-Rest Encryption: All user files are encrypted with AES-256-GCM
  • Key Hierarchy: Master key → User keys → File keys
  • Vault Storage: Keys secured in HashiCorp Vault
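As an added illustration (not code from the STING project), here is a minimal Go model of the master key → user key → file key hierarchy above, using AES-256-GCM. Each wrapped key carries its role as associated data so a blob cannot be swapped into another user or file, and only wrapped keys are ever stored; the function names, the blob layout and the role labels are assumptions, and in STING the master key would come from Vault rather than be passed in by the caller.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// aead builds AES-256-GCM. MintKey only produces 32-byte keys, so the constructors cannot fail.
func aead(key []byte) cipher.AEAD {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	return g
}
// seal returns nonce||ciphertext||tag; aad binds each blob to the role it was wrapped for.
func seal(key, pt, aad []byte) []byte {
	nonce := make([]byte, 12) // standard 96-bit GCM nonce, fresh and random per call
	rand.Read(nonce)
	return aead(key).Seal(nonce, nonce, pt, aad)
}
// open reverses seal; it fails on a wrong key, a wrong aad, or any tampering.
func open(key, blob, aad []byte) ([]byte, error) {
	if g := aead(key); len(blob) >= g.NonceSize() {
		return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
	}
	return nil, errors.New("blob too short")
}
// MintKey makes a fresh key, raw plus wrapped under kek (a user key under master, a file key under user).
func MintKey(kek []byte, role string) (raw, wrapped []byte) {
	raw = make([]byte, 32)
	rand.Read(raw)
	return raw, seal(kek, raw, []byte(role))
}
// EncryptFile mints a per-file key under the user key and seals the body under that key.
func EncryptFile(userKey, pt []byte, fileID string) (wrappedFileKey, body []byte) {
	fileKey, wrappedFileKey := MintKey(userKey, "file:"+fileID)
	return wrappedFileKey, seal(fileKey, pt, []byte("body:"+fileID))
}
// DecryptFile walks master -> user -> file -> body; a lost or wrong master key fails first.
func DecryptFile(masterKey, wrappedUserKey, wrappedFileKey, body []byte, userID, fileID string) ([]byte, error) {
	userKey, err := open(masterKey, wrappedUserKey, []byte("user:"+userID))
	if err != nil {
		return nil, err
	}
	fileKey, err := open(userKey, wrappedFileKey, []byte("file:"+fileID))
	if err != nil {
		return nil, err
	}
	return open(fileKey, body, []byte("body:"+fileID))
}
```

The first unwrap step is the one that breaks when the master key is lost, which is why the backup step above has to happen before an upgrade.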

Key Management Commands

msting encryption-keys status   # Check key status
msting encryption-keys backup   # Backup before upgrades
msting encryption-keys restore  # Restore from backup

Authentication

Passwordless Authentication

STING prioritizes passwordless authentication methods:

  • Passkeys: FIDO2/WebAuthn-based passkeys.
  • Biometric: Face ID, Touch ID, Windows Hello.
  • Platform authenticators: Built-in device security.

Multi-Factor Authentication

  • TOTP (Time-based One-Time Passwords).
  • SMS verification (optional).
  • Email verification.
  • Backup codes.

Kratos Integration

STING uses Ory Kratos for identity management:

  • Self-service registration and login.
  • Account recovery.
  • Email verification.
  • Profile management.
  • Session management.

WebAuthn Implementation

Features

  • Cross-platform passkey support.
  • Resident keys.
  • User verification.
  • Attestation.
  • Device management.

Configuration

  • RP ID setup.
  • Origin configuration.
  • Authenticator selection.
  • Credential management.

Security Architecture

Biometric-First Architecture

Prioritize biometric authentication while maintaining security:

  • AAL2 (Authentication Assurance Level 2).
  • Step-up authentication.
  • Conditional MFA.

Best practices for authentication assurance levels in enterprise deployments.

Access Control

Role-Based Access Control (RBAC)

  • User roles and permissions.
  • Resource-level permissions.
  • Honey Jar access controls.

Attribute-Based Access Control (ABAC)

Fine-grained access controls based on attributes (enterprise feature).

Security Best Practices

  • Regular security audits.
  • Credential rotation.
  • Session timeout configuration.
  • HTTPS enforcement.
  • CORS configuration.
  • CSP headers.
  • Encryption key backups (see Key Management).

Vulnerability Reporting

Found a security issue? Please report it responsibly:

  • Email: security@alphabytez.dev.
  • Do not open public issues for security vulnerabilities.
  • We aim to respond within 48 hours.

Encryption Key Management

Critical guide for managing encryption keys that protect user data in STING.

Custom AAL2 Approach

Custom AAL2 solution for passwordless WebAuthn authentication with biometric authenticators.

Email Verification Troubleshooting

Solutions for email verification issues in STING deployments.

Kratos Best Practices Solution

Alignment of STING authentication architecture with Kratos best practices.

Kratos Requirements

Specific requirements and configuration patterns for Ory Kratos v1.3.1 in STING.

Passkey Management Guide

Configure and manage passkey authentication in STING.

Password Change Flow

Implementation guide for the password change flow, which allows limited access for password updates.

Profile Kratos Sync

Architecture and strategy for synchronizing profile data between STING and Kratos.

Unified Login Implementation

Implementation of the unified login flow that checks user existence before presenting authentication options.
