Add Authentication policies #154

Open
cedricfrancoys opened this issue Jun 29, 2024 · 0 comments
Labels
feature New feature or request security

Comments


cedricfrancoys commented Jun 29, 2024

Authentication policies

When a connection request is made (AuthManager), we check

  1. the Authentication Policy (specified in the config via the name AUTH_POLICY)
    Verification of the type of authentication. If it is a risk-based strategy, the risk level is assessed (execution of Auth controls).
    This mechanism only applies when an authentication request is made.
    Authentication policies are managed by the AuthenticationManager service.

Authentication Policy

Determines the choice of authentication type.

  • name
  • is_direct
  • auth_type (selection: "simple", "mfa")
  • auth_controls_ids
  • low_limit
  • mod_limit
  • high_limit
  • crit_limit
  • low_auth_type (selection: "simple", "mfa", "deny", "lock")
  • mod_auth_type (selection: "simple", "mfa", "deny", "lock")
  • high_auth_type (selection: "simple", "mfa", "deny", "lock")
  • crit_auth_type (selection: "simple", "mfa", "deny", "lock")

If is_direct is false, it is a risk-based Policy.
For "risk-based" auth policy, the type of authentication is determined based on a list of controls that assess the risk level.

Each risk control returns a result based on the detection of specific risks.
If there is no alert, the value 0 is returned, otherwise, the value 1 is returned.
The risk score (percentage) is: (sum of results / number of tests)

The score is compared to the _limit values
and the type of authentication used is the one that corresponds to the highest limit reached or exceeded.

Examples:

  • auth_simple
    is_direct: true
    auth_type: simple
  • auth_mfa
    is_direct: true
    auth_type: mfa
  • auth_risk_1
    is_direct: false
    auth_controls_ids
    low_limit: 0.1
    mod_limit: 0.25
    high_limit: 0.5
    crit_limit: 0.75
    low_auth_type:  "simple"
    mod_auth_type:  "mfa"
    high_auth_type: "deny"
    crit_auth_type: "lock"
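The risk-based resolution described above, worked through on the auth_risk_1 policy (added example, not eQual project code; the control ids, the sample user history and the rule that a score below low_limit falls back to the policy's base auth_type are assumptions):

```python
from datetime import datetime, timedelta

# Constructed request context and user history (sample data, not from the project)
NOW = datetime(2024, 6, 29, 12, 0)
HISTORY = {
    "devices": {"sig-laptop": NOW - timedelta(days=10)},   # device signature -> last use
    "ips": {"203.0.113.7": NOW - timedelta(days=40)},      # IP address -> last use
    "failed_attempts": [NOW - timedelta(hours=3)],         # timestamps of failed logins
}

def seen_within(last_use, period):
    return last_use is not None and NOW - last_use <= period

# Each control returns 0 (no alert) or 1 (alert) for the given context and duration.
CONTROLS = {
    "device": (lambda ctx, p: 0 if seen_within(HISTORY["devices"].get(ctx["device_sig"]), p) else 1,
               timedelta(days=90)),
    "ip": (lambda ctx, p: 0 if seen_within(HISTORY["ips"].get(ctx["ip"]), p) else 1,
           timedelta(days=30)),
    "attempts": (lambda ctx, p: 1 if any(NOW - t <= p for t in HISTORY["failed_attempts"]) else 0,
                 timedelta(hours=24)),
}

AUTH_RISK_1 = {  # the auth_risk_1 policy from the issue; control ids are assumed
    "is_direct": False, "auth_type": "simple",
    "auth_controls_ids": ["device", "ip", "attempts"],
    "low_limit": 0.1, "mod_limit": 0.25, "high_limit": 0.5, "crit_limit": 0.75,
    "low_auth_type": "simple", "mod_auth_type": "mfa",
    "high_auth_type": "deny", "crit_auth_type": "lock",
}

def risk_score(policy, ctx):
    """Share of controls that raised an alert: sum of results / number of tests."""
    results = [CONTROLS[c][0](ctx, CONTROLS[c][1]) for c in policy["auth_controls_ids"]]
    return sum(results) / len(results) if results else 0.0

def resolve_auth_type(policy, ctx):
    """Auth type of the highest *_limit reached or exceeded by the risk score."""
    if policy["is_direct"]:
        return policy["auth_type"]
    score = risk_score(policy, ctx)
    chosen = policy["auth_type"]  # assumption: below low_limit the base auth_type applies
    for level in ("low", "mod", "high", "crit"):  # limits are expected in ascending order
        if score >= policy[f"{level}_limit"]:
            chosen = policy[f"{level}_auth_type"]
    return chosen
```

With the sample history, a known laptop from an IP last seen 40 days ago after a failed attempt three hours earlier scores 2/3 and resolves to "deny"; an unknown device from an unknown IP scores 1.0 and resolves to "lock".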

Authentication Control

  • risk_factor (selection)
  • duration (period for the control)

Examples:

  • risk_factor: Device-based
    duration: 3 months
  • risk_factor: IP-based
    duration: 1 month
  • risk_factor: Location-based
    duration: 3 months
  • risk_factor: Attempts-based
    duration: 24h
  • risk_factor: Auth-based
    duration: 7 days
  • risk_factor: Account-based
    duration: 14 days

Selection authentication_type

  • simple: password-based
  • mfa (multi-factor auth): MFA & passkeys
  • deny: deny the auth for the moment
  • lock: deny auth and lock account

Selection risk_factor

These are possible control (risk evaluation) choices to check the risk level.
The calculation logic is fixed, but the tests are performed with the current context (user_id, auth mode [binary mask: jwt, csrf], IP address) and the period (duration) provided by the Auth Control.

  • Device-based
    Risk level based on the history of user device signatures (unusual device = higher risk)
    measure: device signature not used during the period

  • IP-based control
    Risk level based on the history of user IP addresses (unusual IP = higher risk)
    measure: IP address not used during the period

  • Location-based
    Risk level based on the history of the user's geographical locations (unusual location = higher risk)
    measure: connection location not used during the period

  • Attempts-based
    Risk level based on the number of unsuccessful access attempts
    measure: at least one unsuccessful access attempt during the period

  • Auth-based
    Risk level based on the history of how the user attempts to authenticate (direct API or via APP CSRF)
    measure: authentication mode (JWT without CSRF) already used during the period

  • Account-based
    Risk level based on the recent history of the user account (account age, last account activity, recent profile changes)
    measure: newer account or account modified or inactive account during the period
