In our fast-paced digital world, we are constantly juggling multiple accounts and passwords for different services and applications. Remembering and entering credentials every time we use an application can be a time-consuming and frustrating experience. One way to ease this burden, in some cases, is to enable the "Keep me signed in" feature at authentication time. As the name suggests, this feature allows app users to skip the username/password process on subsequent visits after the initial authentication succeeds.
The Keep me signed in feature is available from the Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) service. It allows end users to maintain their sessions and remain logged into their accounts even after they close the web browser. When the user returns to a protected application from the same device and browser, they are automatically admitted without having to reenter their credentials. This feature can be a convenient way to save time and effort, especially for frequent visitors.
As an OCI IAM identity domain administrator, you can enable this feature for a given identity domain by navigating to the identity domain settings and opening the Session Settings page. Under the Keep me signed in settings, you can define values such as the number of days a session remains active, the number of inactive days that force reauthentication, and the number of sessions allowed per user. Enabling Keep me signed in makes the Keep me signed in option available to all users in the identity domain unless it is restricted in a sign-on policy, as described in the Security Controls section of this post.
When you enable this feature in an identity domain, the sign-in screen shows the Keep me signed in checkbox. When end users select the Keep me signed in checkbox during sign-in, they are granted access on subsequent visits without being prompted to sign in unless the Keep me signed in duration or inactivity intervals have been exceeded or they explicitly choose to sign out.
This allows end users to save time by reducing the need to sign in every time they want to access the protected application. Beyond this convenience, the Keep me signed in feature can also help improve security when paired with strong password policies. By reducing the frequency of password use, users may be more willing to choose stronger, more complex, and unique passwords, and it may be more difficult for an observer to learn or copy the password.
From a security perspective, it might seem counter-intuitive to enable the Keep me signed in feature, and it’s certainly not appropriate in every scenario. For example, you might not want to enable Keep me signed in for OCI cloud administrators or for other sensitive applications and use cases. Using the feature introduces some risk: if an attacker gains access to a device while the owner is still signed in, they have access to that user’s account. You can partially mitigate this risk by ensuring that devices are secured with a strong password or PIN, that they are not left unattended, and that users explicitly sign out when using shared devices. In environments with predominantly shared devices, the Keep me signed in feature would clearly not be appropriate.
In lower-risk situations, Keep me signed in improves the user experience and can help you foster a more positive relationship with your audiences. For example, a retail store might want to allow returning website visitors to access their site, browse, and make purchases without reauthenticating. The risk of fraud might be considered low because the shipping address is already established for the account, and we recognize the visitor’s device and location.
You might want to require reauthentication before allowing access to payment information or changing the shipping address, but Keep me signed in makes it fast and easy for a returning customer to purchase again. This ease of use can be the difference between making a sale and losing it, or even losing the customer if they have a better experience elsewhere.
Keep me signed in can mitigate some of the risks associated with skipping username/password authentication. If the system identifies risks, such as changes to policies or settings, long periods of inactivity, or changes in a user’s risk score, it adapts and requires authentication. The following events force a user to reauthenticate even if a Keep me signed in session is active:
Keep me signed in has several other security controls so that administrators and end users retain full control over its behavior and over the Keep me signed in tokens themselves.
If you want to block the use of Keep me signed in or enforce a second factor for specific applications, you can use a sign-on policy to configure those conditions. Sign-on policies allow you to restrict which groups can use the Keep me signed in feature and to which applications it applies. For example, you might want to block administrators from using Keep me signed in for mission-critical applications.
As an administrator, you can also clear all open Keep me signed in sessions for a specific user or set of users.
End users can manage their own Keep me signed in sessions from their MyProfile pages. They can end any active Keep me signed in session either by signing out on that device or through the MyProfile pages.
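To make the controls above concrete, here is an added Python model of a Keep me signed in session store. It is illustrative code written for this post, not OCI IAM's implementation: the class names, the setting values (30-day lifetime, 7-day inactivity window, two sessions per user) and the timeline are all constructed. It shows the three identity-domain settings, the events that force reauthentication (a revoked session, a settings change, a raised risk score, absolute expiry, inactivity), the administrator clearing a user's sessions, and an end user signing out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class KmsiSettings:
    """The identity-domain settings the post names (numbers are constructed examples)."""
    session_duration_days: int = 30  # absolute lifetime of a Keep me signed in session
    inactivity_days: int = 7         # no visit for this long forces reauthentication
    max_sessions_per_user: int = 2   # devices a user may stay signed in on at once


@dataclass
class KmsiSession:
    user: str
    device_id: str
    created_at: datetime
    last_seen: datetime
    revoked: bool = False


class KmsiSessionStore:
    """In-memory model of the controls described in the post (hypothetical, not OCI IAM code)."""

    def __init__(self, settings: KmsiSettings) -> None:
        self.settings = settings
        self.sessions: Dict[str, List[KmsiSession]] = {}

    def live_sessions(self, user: str) -> List[KmsiSession]:
        return [s for s in self.sessions.get(user, []) if not s.revoked]

    def create(self, user: str, device_id: str, now: datetime) -> KmsiSession:
        """Issue a session after a full sign-in; the per-user cap evicts the oldest session."""
        live = self.live_sessions(user)
        while len(live) >= self.settings.max_sessions_per_user:
            oldest = min(live, key=lambda s: s.created_at)
            oldest.revoked = True
            live.remove(oldest)
        session = KmsiSession(user, device_id, now, now)
        self.sessions.setdefault(user, []).append(session)
        return session

    def validate(self, session: KmsiSession, now: datetime, *,
                 risk_elevated: bool = False, settings_changed: bool = False) -> Tuple[bool, str]:
        """Decide whether a returning browser may skip the password prompt.
        Any rejection also revokes the session so the same token cannot be retried."""
        reason = "ok"
        if session.revoked:
            reason = "revoked"
        elif settings_changed:                       # policy or setting change
            reason = "settings_changed"
        elif risk_elevated:                          # user's risk score went up
            reason = "risk_score_changed"
        elif now - session.created_at > timedelta(days=self.settings.session_duration_days):
            reason = "session_expired"
        elif now - session.last_seen > timedelta(days=self.settings.inactivity_days):
            reason = "inactive_too_long"
        if reason != "ok":
            session.revoked = True
            return False, reason
        session.last_seen = now                      # sliding inactivity window restarts
        return True, reason

    def end_session(self, session: KmsiSession) -> None:
        """End-user sign-out on that device or from the MyProfile pages."""
        session.revoked = True

    def clear_user(self, user: str) -> int:
        """Administrator clears every open session for a user; returns how many were live."""
        live = self.live_sessions(user)
        for s in live:
            s.revoked = True
        return len(live)


def demo_scenario() -> Dict[str, object]:
    """Walk the controls through a constructed timeline; returns every decision for inspection."""
    store = KmsiSessionStore(KmsiSettings())
    t0 = datetime(2024, 3, 1, 9, 0)
    day = lambda n: t0 + timedelta(days=n)
    out: Dict[str, object] = {}
    laptop = store.create("alice", "laptop", day(0))
    phone = store.create("alice", "phone", day(0))
    out["laptop_day3"] = store.validate(laptop, day(3))
    out["phone_day5"] = store.validate(phone, day(5))
    out["laptop_day11"] = store.validate(laptop, day(11))   # last used day 3 -> inactive
    tablet = store.create("alice", "tablet", day(11))      # takes the freed slot
    desktop = store.create("alice", "desktop", day(11))    # cap reached: oldest (phone) evicted
    out["phone_after_cap"] = store.validate(phone, day(12))
    out["tablet_risky"] = store.validate(tablet, day(12), risk_elevated=True)
    out["admin_cleared"] = store.clear_user("alice")       # only desktop was still live
    out["desktop_after_clear"] = store.validate(desktop, day(13))
    bob = store.create("bob", "laptop", day(0))
    out["bob_steady_use"] = [store.validate(bob, day(n))[0] for n in range(5, 31, 5)]
    out["bob_day35"] = store.validate(bob, day(35))        # still active, but past the lifetime
    carol = store.create("carol", "phone", day(0))
    store.end_session(carol)                               # explicit sign-out by the user
    out["carol_after_signout"] = store.validate(carol, day(1))
    return out
```

The design choice worth noting is that every rejection revokes the session rather than just denying the visit: once any of the triggers fires, the stored token is useless even if it is presented again, which is the behaviour the post's "force a user to reauthenticate" language implies. The absolute lifetime and the inactivity window are checked independently, so steady use cannot extend a session past the configured number of days.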
The Keep me signed in feature is a convenient, time-saving option that can help improve security when used correctly. However, be aware of the potential risks outlined above and take appropriate measures to ensure that your accounts remain secure. If you’re comfortable with the risks, using Keep me signed in can simplify daily application use and may help build stronger customer relationships.
For more information on the concepts in this post, see the following resources:
Atul Goyal is an experienced Identity and Access Management domain expert specialized in Consulting, Solution Architecture, Product Management, Product Evangelism and Program Management. He is a Senior Principal Product Manager at Oracle, leading a team of Product Managers with a goal of developing next generation Cloud IDM platform that can help customers address their identity and application security challenges in the new business landscape where Cloud, Mobile and Agility have become part of core business processes and creating greater security vulnerabilities. The objective of this team is to do market research, competitive analysis for defining the product strategy and work with different stakeholders throughout the entire product life cycle from inception to adoption. In this role Atul has worked with 100s of Oracle customers, SI partners and outsourced vendors to make Oracle IAM successfully adopted in the market.