# Authentication
Authentication in eQual ensures secure and scalable user identification. This section covers the key aspects of authentication, including token management, assurance levels, and supported methods.
## Access Token Management
eQual uses JWT (JSON Web Tokens) for authentication. Tokens are exchanged as HttpOnly cookies and have a validity period defined by the AUTH_ACCESS_TOKEN_VALIDITY parameter. Each valid session token extends its validity upon user activity.
**CLI Authentication**

In the Command-Line Interface (CLI) context, the user is identified as root with full privileges, bypassing authentication mechanisms.
### Token Example

```json
{
  "id": "...",
  "exp": 1672531200,
  "amr": [
    {
      "auth_type": "passkey",
      "exp": 1672534800
    }
  ]
}
```
## Authentication Levels
eQual supports three Authentication Assurance Levels (AALs). These levels allow the system to enforce stricter security requirements based on the sensitivity of the resource being accessed.
| Level | Description | Methods |
|---|---|---|
| AAL1 | Basic: Single-factor authentication. | pwd, email, sms, pin |
| AAL2 | Moderate: Multi-Factor Authentication (MFA) required. | otp, smsotp, push, qrcode, passkey (Software) |
| AAL3 | High: MFA with hardware or biometric factors. | hwk, fingerprint, face, eye, voice, passkey (Hardware) |
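To make the token payload and the AAL table concrete, the following added example (not eQual's own code; eQual is a PHP framework, and this is a stand-alone Python illustration) evaluates a session the way a resource guard would: it parses the claims, drops `amr` entries whose `exp` has passed, rates the remaining methods with the table above, compares the result with the level a resource requires, and applies the sliding expiry described under Access Token Management. The token payload, the `AUTH_ACCESS_TOKEN_VALIDITY` value of 3600 seconds, the cookie name `access_token`, the rating of `passkey` as AAL2 (the payload carries no hardware attestation detail) and the assumption that `amr` entries keep their own expiry when the session is extended are all constructed for this example.

```python
import json

# Assumed configuration value: eQual's AUTH_ACCESS_TOKEN_VALIDITY is a framework
# parameter; 3600 seconds is a constructed value for this example.
AUTH_ACCESS_TOKEN_VALIDITY = 3600

# Assurance level reached by each method, transcribed from the AAL table above.
# "passkey" appears under both AAL2 (software) and AAL3 (hardware); the token
# payload carries no attestation detail, so it is rated conservatively as AAL2.
METHOD_AAL = {
    "pwd": 1, "email": 1, "sms": 1, "pin": 1,
    "otp": 2, "smsotp": 2, "push": 2, "qrcode": 2, "passkey": 2,
    "hwk": 3, "fingerprint": 3, "face": 3, "eye": 3, "voice": 3,
}

# Constructed token payload in the shape of the page's example: a password
# session that was escalated with a passkey step-up lasting ten minutes.
SAMPLE_TOKEN_JSON = json.dumps({
    "id": "USER-ID-PLACEHOLDER",
    "exp": 1672531200,
    "amr": [
        {"auth_type": "pwd", "exp": 1672617600},
        {"auth_type": "passkey", "exp": 1672530600},
    ],
})


def parse_token(payload_json):
    """Decode the JSON claims and reject payloads missing the fields relied on below."""
    token = json.loads(payload_json)
    if not isinstance(token.get("exp"), int) or not isinstance(token.get("amr"), list):
        raise ValueError("malformed token payload")
    return token


def active_methods(token, now):
    """Methods whose amr entry is still valid at `now`; nothing counts once the session expired."""
    if token["exp"] <= now:
        return []
    return [e["auth_type"] for e in token["amr"] if e.get("exp", 0) > now]


def effective_aal(token, now):
    """Highest assurance level among the still-active methods (0 = no valid session)."""
    levels = [METHOD_AAL.get(m, 0) for m in active_methods(token, now)]
    return max(levels, default=0)


def authorize(token, required_aal, now):
    """Grant access only if the session's current assurance meets the resource's requirement."""
    return effective_aal(token, now) >= required_aal


def touch(token, now, validity=AUTH_ACCESS_TOKEN_VALIDITY):
    """Sliding expiry: activity on a still-valid session moves `exp` forward by the
    configured validity. amr entries keep their own expiry (assumption), so a
    step-up lapses on schedule even while the base session stays alive."""
    if token["exp"] <= now:
        raise ValueError("cannot extend an expired session")
    renewed = dict(token)
    renewed["exp"] = now + validity
    return renewed


def cookie_header(token_value, validity=AUTH_ACCESS_TOKEN_VALIDITY, name="access_token"):
    """Set-Cookie value that ships the token as an HttpOnly cookie (cookie name is an assumption)."""
    return (f"{name}={token_value}; Max-Age={validity}; Path=/; "
            "HttpOnly; Secure; SameSite=Strict")


if __name__ == "__main__":
    tok = parse_token(SAMPLE_TOKEN_JSON)
    # Walk the clock forward: full step-up, then step-up lapsed, then session expired.
    for t in (1672530000, 1672530900, 1672531200):
        print(t, active_methods(tok, t), "AAL", effective_aal(tok, t))
```

The point to notice is the downgrade path: ten minutes after the passkey step-up the same cookie still authenticates the user, but only at AAL1, so a resource guarded at AAL2 must ask for escalation again rather than trusting the session's history. `touch` extends the session without touching the `amr` expiries for the same reason.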
## Supported Authentication Methods
The framework supports a variety of authentication methods to suit different security and usability needs:
| Method | Description |
|---|---|
| pwd | Traditional password authentication. |
| email | One-time code or unique link sent via email. |
| sms | Code sent via SMS to the user's registered number. |
| pin | Short numeric code defined by the user. |
| otp | One-time password generated by an app or device. |
| smsotp | OTP sent via SMS. |
| push | Push notification for approval via a trusted device. |
| qrcode | QR code scanned by a trusted application. |
| hwk | Secure hardware key (e.g., YubiKey). |
| fingerprint | Biometric authentication using fingerprints. |
| face | Biometric authentication using facial recognition. |
| eye | Biometric authentication using iris or eye scans. |
| voice | Biometric authentication using voice recognition. |
| sc | Smartcard-based authentication requiring a specific reader. |
| passkey | Password-less authentication using FIDO2/WebAuthn cryptographic keys. |
## Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) enhances security by requiring additional verification steps beyond a simple password. Supported strategies include:
- Email Authentication: Sends a validation email for session escalation.
- Passkeys: Uses FIDO2/WebAuthn cryptographic keys for secure, password-less authentication.
For detailed information on configuring and using passkeys, please refer to the Passkeys documentation.