FAQ

How do you handle emergency cases where a user loses their security token?

There are several scenarios depending on the criticality of the target application (CIAM/IAM, administration, general public). We offer various recovery methods, including sending a reconfiguration link via email, push, or SMS. This action may or may not require administrator validation and can trigger a security alert depending on the scenarios. For example, for a critical application, the reset may require additional validation to ensure security.


How do you ensure compliance with GDPR and CNIL regulations for collected data?

Our solution complies with GDPR and CNIL regulations. Biometric data is stored locally on the user's device (computer or phone), without requiring any installed application. Authentication is validated through a cryptographic signature system, which allows us to meet the strong authentication requirements defined by ANSSI. This mechanism ensures that sensitive data remains protected and is never transferred to or stored on remote servers. We go even further in terms of regulation, addressing DORA, NIS2...


How does pseudonymization/anonymization of biometric data work in your solution?

We have developed AuthSezamSmartProxy solutions that significantly limit the data present in the target application. These techniques ensure that biometric information is pseudonymized or anonymized, thereby reducing the risk of data breaches. We will present these technologies in more detail at an upcoming Tech MeetUp.


How do you integrate legacy applications with your authentication system?

The integration of legacy applications is also facilitated by our AuthSezamSmartProxy technologies. This allows connecting existing systems without requiring heavy or complex modifications. We will address this topic in detail at an upcoming Tech MeetUp, where we will show how these integrations can be done smoothly and securely.


What MFA authentication scenarios can your solution handle?

There are many possible configurations. As we have seen, authentication using fingerprint sensors and facial recognition is already a 2FA system (proof of possession of the enrolled device, on which the fingerprint is stored, plus proof of identity). The magic link can also be treated as an additional factor, alongside other authentication methods not presented here, whether within the AuthSezam product or external technologies such as EntraID; for example, we can use it as an additional factor to confirm that an external consultant has access to their email.


What security protocols are implemented to protect the data?

We do not store credential-type data. We store only cryptographic traces (public keys) to validate authentications. Furthermore, numerous mechanisms are in place (session duration, number of requests, token validation duration), as well as modern protocols such as OIDC, which link user sessions between AuthSezam and the application and enable real action in case of a security anomaly. Additionally, we have Advanced Mathematics and ML technologies that strengthen initial authentication (OpenOnce) and offer continuous authentication (Always Auth). All our communications are, of course, encrypted (HTTPS). All our backup processes are also encrypted (encryption at rest).
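The public-key validation described above, as an added illustration that is not AuthSezam's own code: a server that keeps only each user's public key, issues a single-use random challenge per login, and verifies the device's signature over it. It assumes Ed25519 and a user named alice, both constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server holds, per user, only the public key and the pending single-use challenge.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}} }

// Register enrols the user's public key; the private key never leaves the device.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// IssueChallenge returns a fresh random nonce the device must sign for this login.
func (s *Server) IssueChallenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, fmt.Errorf("unknown user %q", user)
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// Verify checks the signature over the pending challenge and consumes it (no replay).
func (s *Server) Verify(user string, sig []byte) bool {
	pub, ok := s.pubKeys[user]
	c := s.challenges[user]
	if !ok || c == nil {
		return false
	}
	delete(s.challenges, user) // single use, whether or not the check passes
	return ed25519.Verify(pub, c, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // generated on the device at enrolment
	srv := NewServer()
	srv.Register("alice", pub)
	c, _ := srv.IssueChallenge("alice")
	sig := ed25519.Sign(priv, c) // signing is unlocked locally, e.g. by the fingerprint sensor
	fmt.Println("login:", srv.Verify("alice", sig), "replay:", srv.Verify("alice", sig))
}
```

A database dump of this server yields only public keys and spent challenges, which is what makes "no credential-type data" stored a meaningful claim.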


What are your solution's update and maintenance processes?

Our clients benefit from a fully managed SaaS solution, making updates and maintenance completely transparent. We ensure that our infrastructure is always up to date with the latest security and functionality improvements.


What are the contingency plans and recovery mechanisms in case of an attack or failure of the authentication system?

All vital components of AuthSezam authentication are provided with an availability rate of 99.99% (SLA). Depending on your needs and security policy, we can implement specific strategies in line with your processes (multiple backup servers, high availability architectures, etc.). Finally, it is technically possible to have multiple OIDC authentication systems on the same application. This is one of our soft integration techniques: initially offering AuthSezam as an alternative authentication method, giving users time to get used to it, and gradually making the solution mandatory so that it becomes the default over time. This technique allows for a very smooth, even transparent, user migration.