Delegated access management

Hosted Login

Multifactor Authentication

Passwordless Authentication

Audit Trail

Identity Brokering

Platform

Service Accounts

Features

Easy integration

B2B (Business to Business)

Self Service

Existing identities

Secure authentication

Use Cases

Learn how to install, setup, and use ZITADEL.

Documentation

ZITADEL Cloud

Self-hosting

Trust center

Examples and Guides

Github Repository

Develop

Get Started

Contribute

Roadmap

Changelog

Read the blog

Sign up

Login

Pricing

Jobs

Blog


![Recap of 2022 with people raising their glasses in the background](/blog/2022-12-29-best-of-zitadel-2022-00.png)

Another long year is slowly ending and it is almost time to drown our sorrows in champagne and turn a new page in life.
However, before we plunge too deeply into our fresh new year’s resolutions, we are taking a moment to reflect on the milestones we have reached this year and to express our gratitude for the overwhelming support we were given along the way. 

This brief recap showcases the most significant ways ZITADEL has improved in the year 2022. 

## We Raised $2.5 Million!
One of the most significant milestones in ZITADEL's development was the successful closing of our seed funding round led by [Nexus Venture Partners](https://nexusvp.com/).
Ever since the [big announcement](/blog/fundraising-nexus) saw the light in June, this generous grant has played a vital role in helping ZITADEL become the best open-source alternative for identity management needs. 

With this incredible achievement under our belts, we are beyond excited to see what else we can accomplish with our remarkable supporters and valued customers on our side.

## Introducing our next major release of ZITADEL
In August of 2022, ZITADEL underwent its most significant upgrade to date.
The new version introduced a [new selection of features and upgrades](https://github.com/zitadel/zitadel/releases/tag/v2.0.0) that ensure easier use, expanded compatibility, more value for your money and, as always, still the highest possible data security. 

The most significant changes brought on by V2.x include the following: 
- [New Virtual Instances](/blog/introducting-v2-0#:~:text=New%20Virtual%20Instances,by%20the%20platform.)
- Extended database compatibility to [PostgreSQL](/blog/postgresql-support)
- [More Social Logins](/blog/social-logins#:~:text=ZITADEL%20will%20support,for%20all%20users.) and
- [Easier Development](/blog/introducting-v2-0#:~:text=Easier%20to%20Develop,features%20more%20straightforward.)
- The implementation of [SAML 2.0](/blog/saml-support)

While the development team focused on new upgrades and implementations, the UI and UX department was responsible for enhancing ZITADEL's visual appeal and ease of use.
With the help of a reimagined navigation system, content filters, keyboard shortcuts, and [many more new features](https://github.com/zitadel/zitadel/issues/2944), the new console of ZITADEL is now easier to use than ever before.

## Relaunch Of Our Cloud Service
Concurrently with the release of  ZITADEL’s new version, we also relaunched our cloud service. Instead of being limited to single organizations, each of our customers can now set up new instances - an own logically separated setup of ZITADEL - from our customer portal. This also came with features to make ZITADEL Cloud invisible to your users, like using a custom domain for your login page and defining your own SMTP server for emails.

Given all of the improvements ZITADEL undertook this year, it was time for us to revisit our cloud pricing structure as well. We swiftly identified the path the adjustments should take concerning our core philosophy of not placing a premium on security features: 

To allow users to gradually expand the platform based on their organization’s specific needs, we have removed subscription tiers and their respective feature locks altogether.
With these changes implemented, our users are granted a platform that scales along the rest of your infrastructure requirements with [more features](/blog/pricing-updates-v2) to enjoy than ever.

Our pricing also differentiates us in the market and resembles the cost of infrastructure more closely than a per-seat cloud service. We are the best identity management platform for not only consumer identities but also your B2B customers/partners. With that, we wanted to create more reasonable pricing that works for all your identities, and you don’t have to worry about any unpredictable costs.

## New Findings With Pentest
As a team behind the platform handling sensitive data, we firmly believe that a transparent working process is essential for establishing trust in our project and cloud service. Accordingly, we highly prioritize publicizing the findings of our systemic security screenings. 

In November of 2022, we tested ZITADEL against the [OWASP Top Ten risks](https://owasp.org/www-project-top-ten/) and the configuration of our systems with the help of an external party.
With just one significant issue instantly resolved throughout the test, we were glad to find that the platform was assessed as confidential.
If you are interested in a more detailed overview of the results, feel free to [read the full report](/blog/2022-12-01-pentest-results-h2-2022-01.pdf).

As an additional effort to promote transparency, we have decided to reduce the number of sub-processors with access to customer data.
Our updated [Trust Center](/trust) displays a coherent list of every relevant provider and the specific data they have access to.

## Rising Blog Readership

Every week, our [ZITADEL Blog](/blog) is enriched with new stories, news, updates and opinions all about authentication and cybersecurity. While our articles have generally enjoyed an incredible rise in readership this year, three posts must be highlighted for drawing a particularly remarkable number of visitors.

Here are the TOP 3 articles from 2022 that you found most intriguing:

- [#3](/blog/smishing): Smishing - How to Recognize Dangerous Text Messages
- [#2](/blog/jwt-vs-opaque-tokens): JWT vs. Opaque Tokens
- [#1](/blog/magic-links): Magic Links - Are They Actually Outdated?

[![Thumbnail of our blog Are magic links outdated?](/blog/2022-06-22-magic-links-00.png)](/blog/magic-links)

## ZITADEL Beyond The Digital World
As a team working on a platform all about cybersecurity, it likely is not surprising that most of our work is done virtually. This year, however, we were granted some incredible opportunities that helped us expand our horizons and spread the word about ZITADEL beyond the digital world. 

These were the most notable events and conferences we visited in 2022:

- [Swiss Cybersecurity Days](https://swisscybersecuritydays.ch/) (SCSD): The largest cybersecurity convention in Switzerland, featuring world-renowned experts and politicians.
- [Gophercon UK](https://www.gophercon.co.uk/): A conference and workshop dedicated to Go programming information and training
- [Devoxx UK](https://www.devoxx.co.uk/): A conference for developers to learn, sharpen their skills and get hands-on experience with the latest tech
- [Websummit](https://websummit.com/): An event in Lisbon bringing together 70,000+ people to redefine the tech industry
- [Startup Nights](https://startup-nights.ch/): A convention in Winterthur with over 5’000 startups presenting their services and products

![Fabienne, Silvan, Max, and Florian in front of our ZITADEL booth at Websummit](/blog/2022-12-29-best-of-zitadel-2022-01.png)

## And Finally: A Thank You

While we are very proud of how far our authentication solution has come in 2022, it would be disingenuous for our team to take all the credit for this success. Our valued customers, supporters and anyone who takes time out of their day to interact with ZITADEL are all crucial factors in our growth as a startup. 

We are profoundly grateful for your trust in ZITADEL and look forward to seeing what more we can achieve together in the upcoming year and beyond.


This brief recap showcases the most significant ways ZITADEL has improved in the year 2022. We are profoundly grateful for your trust in ZITADEL!

The Best Of ZITADEL 2022

Since a single password only safeguards so much personal information, it is sadly unsurprising that some people take advantage of the flaws in this security technique to **access sensitive data**. While you might already be familiar with some of the most used hacking methods, such as phishing, malware and brute force attacks, researchers have recently shed light on an unexpectedly bizarre new attack alternative: **Thermal Attacks**.

One of the most common method of thermal tracking is called the "**Thermanator**". This somewhat strange name for the hacking method combines the title of the famous cyborg assassin “Terminator” with the prefix “therm” (meaning heat), thus accurately reflecting the attack's strategy: **using user-left heat signatures to exploit keyboards**.

This article discusses the phenomenon of thermal attacks and how we can avoid falling victim to them. 

## W﻿hat are Thermal Attacks?

If you have ever looked into a thermal camera, you might find **traces of human touch remain visible** on an object or surface in the form of fingerprints. This phenomenon also applies to common input devices such as phones and keyboards, which you may use to enter sacred credentials. Unfortunately, hackers are no strangers to this fact. 

While the prints fade after a while, there is always a window of time where **thermal energy measurements from input devices can be collected** to retrieve recently submitted information, which can range from a harmless text message to a password you use to access sensitive data. 

![Thermal Attacks use user-left heat signatures to exploit keyboards](/blog/2022-11-14-thermal-01.gif "How Thermal Attacks work")

I﻿mage Source: [SciencePhotoLibrary](https://www.sciencephoto.com/media/682484/view)

## The Thermanator

This hidden danger of seemingly harmless thermal residues was unveiled within the framework of an experiment carried out by [three scientists from the University of California, Irvine (UCI)](https://arxiv.org/pdf/1806.10189.pdf). The researchers analyzed a distinct type of insider attack they titled “thermanator,” which involves an **attacker exploiting the function of a thermal camera to reveal passwords** that have been entered on a keyboard. Astonishingly, this thermanator-experiment led the researchers to **correctly recall whole sets of key presses as late as 30 seconds** after the initial character was entered, following four simple steps:

> “**STEP 1**: The victim uses a keyboard to enter a genuine password as part of the log-in (or session unlock) procedure. 
>
> **STEP 2**: Shortly after that, the victim either: (1) willingly steps away or (2) gets drawn away from the workplace.
>
> **STEP 3**: Using thermal imaging (e.g., photos taken by a commodity FLIR camera), the adversary harvests thermal residues from the keyboard.
>
> **STEP 4**: Later, the adversary uses the “heat map” of the images to determine recently pressed keys. This can be done manually (i.e., via visual inspection) or automatically (i.e., via specialized software).
>
> **REPEAT**: The adversary can choose to repeat STEPS \[1-4] over multiple sessions.”

## ThermoSecure: The Thermanator gets an Upgrade

While the previously mentioned Thermanator attack already had a high success rate in guessing passwords with the help of thermal residues, it ultimately comes with the **handicap of a time limit**. For the attack to work, the attacker would have to take the picture with the thermal camera just thirty seconds after the first key was entered; accordingly, this practice might prove extremely hard to conduct in an everyday scenario.

However, thermal attacks do not admit defeat just yet. In a newer study for [ACM Transactions on Privacy and Security](https://dl.acm.org/doi/10.1145/3563693), the research team led by Dr. Khamis could astonishingly reveal that the **time limit and the accuracy of the guesses can be further expanded by leveraging deep learning techniques**. According to the team, due to machine learning becoming increasingly accessible, it is more and more likely that attackers will employ it to improve their thermal attacks.

This discovery of the **ThermoSecure** attack was made possible by the researchers' probabilistic training of an artificial intelligence model to efficiently scan the thermal photos and generate educated predictions about the passwords from the heat signature clues. Evidently, the help of an AI has significantly changed the success rate of this hacking method: Not only did **ThermoSecure guess passwords of an average length (8 characters) with 93% accuracy** within 20 seconds after they have been entered, but the attack could even reveal **long passwords of 16 characters with almost 70% accuracy**.

However, the biggest revelation lies in the technique’s capability of accurately revealing passwords, even if the thermal image was taken **over a minute after the keys were pressed**. The success rate of the AI guessing the secret code lies at 62% at the 60-second mark. 

## How to stay safe

As thermal cameras become cheaper and easier to access, the chance of misuse is correspondingly increasing as well. Fortunately, there are some factors that can significantly decrease the success rate of thermal attacks.

### Touch typing over Hunt-and-Peck

Despite using keyboards for the same ultimate purpose, surprisingly, the **technique by which people press the keys** has a significant effect on the quality of thermal imaging data. Generally, typists can be grouped into two main categories:

* **Hunt-and-Peck typists** - Keyboard users who do not rest their fingertips on the home row and usually spend more time looking for the key to press.
* **Fast / Touch typists** – They rest their fingers on (or lightly touch) the home row while typing.

It likely comes as no surprise that the former method, which involves the person only touching the keys included in the password, leaves little room for interpretation. Accordingly, **hunt-and-peck typists are more vulnerable to thermal attacks** than fast typists, with a success rate increase of around 10%.

### PBT keycaps

Even though typing behavior can influence the success rate of thermal attacks, there is another factor at play that is arguably even more relevant: the **interface of the keyboard in use**. While the material of the keycaps usually plays a lesser role in the purchase of a new keyboard for most people, in the context of thermal attacks, it becomes imperative.

Objects created out of a **material with a lower heat conductivity** can retain the thermal trace of human touch for a more extended period. This rule, of course, also applies to keyboards: As an example, **Polybutylene Terephthalate plastic (PBT) keycaps** are known to be significantly **less vulnerable to thermal attacks** than ones made out of Acrylonitrile Butadiene Styrene plastic (ABS) due to the faster fading of its heat traces. 

Regardless of the length of your password, using a PBT keyboard is a reasonably practical protection measure against thermal attacks. However, it is worth noting that higher durability comes with a higher price.

### The ultimate solution – Ditching passwords

While a thermal attack might seem like an unlikely crime to fall victim to, unfortunately, it is but one name on the **long list of cyber-attacks exploiting the simplicity of password-based authentication**.

The main reason behind the increasing vulnerability of passwords is evident: The paradox of it having to be **both complex and easily recallable**. This dilemma of choosing a password often leads people to either select a string of characters that could be hacked in seconds or one that they might forget the next day – a middle ground is increasingly harder to find. 

Fortunately, there are alternate authentication methods that are more effective in protecting you from attacks that prey on your password. One of the most notable examples is **[Multi-Factor Authentication (MFA)](https://zitadel.com/features#multifactor)**. MFA commonly **utilizes a passwordless factor** (such as Fingerprint, Face ID, or physical tokens) **in addition to the regular username-password login** method, providing a secondary layer of security for your data. While each method of MFA is significantly safer than a password alone, in the context of protecting yourself from a thermal attack, an **out-of-band or off device factor** would generally be most effective. Thus, even if an attacker manages to take a picture of your keyboard, they **could still not access your account without the additional authentication factor** sent to the other device.  

Alternatively, you can protect your data by authenticating yourself using a** [passwordless](https://zitadel.com/blog/passwordless) method**. This alternative **completely substitutes passwords with a passwordless factor**, whereas the formerly mentioned MFA operates using a combination of the two. Akin to the case of MFA, it is advised to authenticate yourself via an off device passwordless factor to minimze your chances of falling victim to a thermal attack.

While you might be familiar with common hacking methods, such as phishing and malware, researchers have discovered a bizarre new alternative: Thermal Attacks.

Thermal Attacks - How Heat From Fingertips Can Reveal Passwords


Silent-login and silent-refresh require the use of iFrames, which has to be allowed by ZITADEL.
This brings some disadvantages in terms of security.
You should be aware of the drawbacks and benefits, that is why we provide you with the basis for decision-making here.

### Where are iFrames needed?
There are a few use cases where an iFrame is reasonable and needed, e.g silent-login or silent-refresh.

#### Silent-login and Silent-refresh
Silent-login and -refresh assumes that the user is already logged in and the existing session can be reused.
The existing OpenID session should be reused for a new authentication request without the user noticing anything.
This requires the prompt= none in the authentication request.
To find out more about the possibilities of the request you can use the [OIDC Authentication Request Playground](https://zitadel.com/docs/apis/openidoauth/authrequest?prompt=none).
Silent-login is a general use case, regardless of the app type, whereas silent-refresh is mostly used in SPAs. The authentication request is usually triggered in an iFrame that the user won’t see.


### How does ZITADEL handle it?
To maximise the security during login and in the ZITADEL Console UI, ZITADEL follows security best practices by setting a Content-Security-Policy (CSP) and X-Frame-Options:

```
Content-Security-Policy: frame-ancestors 'none'
X-Frame-Options: deny
```

These settings block the use of serving it in an iframe to prevent clickjacking attacks.

#### CSP
Content Security Policy (CSP) is a security standard that helps detect and mitigate certain types of attacks, including cross-site scripting (XSS), clickjacking and data injection attacks.

The policy is a string that contains the guidelines that describe your content security policy. The string can include a series of policy directives, each of which describes a certain resource type or area.

Relevant Examples:
```
Content-Security-Policy: default-src 'self'
```
All content should come from the site’s own origin (including subdomains).

```
Content-Security-Policy: default-src 'self' acme.com *.acme.com
```
Content from a trusted domain and its subdomains is allowed.

```
Content-Security-Policy: frame-ancestors ‘none’
```
“Frame ancestors” defines if it is allowed to embed the page. With none it is not allowed to embed the page.

```
Content-Security-Policy: frame-ancestors 'self' https://www.acme.com;
```
“Frame ancestors” defines if it is allowed to embed the page. The own site is allowed as well as https://www.acme.com

#### X-Frame-Options
The X-Frame-Options can be used to define if a browser is allowed to render a page in a ```<frame>```, ```<iframe>```, ```<embed>``` or ```<object>```.

X-Frame-Options:
DENY: It is not allowed to display the page in any frame
SAMEORIGIN: It is allowed if all ancestor frames are the same origin as the page itself.

### Enable iFrame use for your ZITADEL instance
The iFrame option is always enabled on your whole ZITADEL instance. Follow the steps below to apply the option:
Navigate to the instance settings in your ZITADEL Console
Click on the Security Policy tab
Enable the “Allow iFrame” and add the host(s) from which you load the iframe from

This will change the CSP of ZITADEL to the following:

```
Content-Security-Policy: frame-ancestors https://custom-domain.com
```
and remove the X-Frame-Options header.




It's important to secure the myriad of connections between the devices in an IoT network and the services they communicate with. This is where IoT authentication plays its vital role. In this article, you'll learn how authentication in IoT works and how you can achieve device authentication in an IoT system.

How to handle silent-login in ZITADEL?


The term [Internet of Things (IoT)](https://www.oracle.com/internet-of-things/what-is-iot/) refers to a group of things or objects that have sensors and software built into them in order to exchange data with each other over the internet and other networks. Nowadays, with IoT, you can connect almost any electronic object to the internet for seamless communication with other devices and humans. 

The *Things* in the Internet of Things can be anything as simple as a light bulb you can switch on or dim with your smartphone application, or as complex as cabin climate control devices in airplanes. IoT has already become one of the foremost technologies in the past few decades.

Because IoT is becoming an increasingly important aspect of our daily lives, there is growing concern in regard to security and privacy. It's important to secure the myriad of connections between the devices in an IoT network and the services they communicate with. This is where IoT authentication plays its vital role. In this article, you'll learn how authentication in IoT works and how you can achieve device authentication in an IoT system.

## Why You Need IoT

As you will see, IoT is important to individuals and businesses alike. The technology aims to help people live smarter and gain total control over many aspects of their daily lives. As a business, IoT enables you to have real-time insight into your processes and the performance of all your business domains and assets. With the automated and interconnected system that IoT provides, you can easily cut down waste, improve productivity, and preemptively develop strategies to address challenges before they even occur.

IoT is used by organizations across several industries to improve operational efficiency and derive more value from their decisions. In a typical IoT ecosystem, devices will have embedded sensors, processors, and other technologies that enable them to share and act on data acquired from their environment. 

Although [IoT, as an idea, has been in existence for a few decades](http://www.chetansharma.com/correcting-the-iot-history/), the technology was brought to life through the successes attained in the development and advancement of several technologies. Some of these are as follows:

* Access to affordable and low-power electronic sensors
* More efficient data transfer over a host of internet network protocols for cloud connection
* Advances in machine learning (ML) and data analytics to gather insights faster from real-time sensor data
* Breakthroughs in artificial intelligence (AI) that have made IoT devices more appealing to everyday users, with digital assistants, like Siri, Alexa, Google, and Cortana.

These technologies and many more facilitated the growth of IoT.

### Use Cases of IoT

There are many aspects of life—private or public—where the Internet of Things can be used. Following are some of these use cases:

#### Location Tracking

Location tracking is one of the most popular use cases of IoT where smart sensors that are capable of monitoring GPS location, detecting surrounding devices, and transmitting data over a network are incorporated into devices in several industries.

[Wearable technologies](https://en.wikipedia.org/wiki/Wearable_technology) have made it easy to track the location of humans, pets, and mobile equipment. This application of IoT has aided parents in tracking their children, farmers in tracking the location of their herds, healthcare companies in tracking the real-time location of their patients with electronic implants or patient-assistance tools, and industries in tracking products throughout their lifecycle, from the assembly line to retailers' shelves.

#### Fleet Management

IoT sensors installed on vehicles within a fleet help to manage the complexities associated with fleet management. Smart sensors connect to IoT networks that then collect fleet data for performance analysis, pollution reduction, geolocation, fuel savings, and telemetry. 

For example, key metrics such as total vehicle load, temperature of sensitive cargo, and fuel tank level can be monitored with IoT sensors and then transmitted for further processing. IoT enables the interconnectivity of vehicles, drivers, and fleet managers in real time, making it easier to improve operational efficiency.

In practice, a fleet manager can easily reroute trucks passing through a certain route with bad weather. Thanks to IoT, the trucks are equipped with sensors that can communicate over the internet.

#### Smart Farming

The increasing global population has called for constant innovations that assist humanity in meeting the increasing nutritional demands. IoT is an innovation that already holds great promise as a solution to improving the productivity of agriculture in the most cost-effective way.

Almost every stage of traditional agricultural processes can be improved and automated with IoT. Smart irrigation makes it easy to efficiently use water, as sensors in the soil send information about the status of the soil to the IoT network, triggering it to release water as needed. [Greenhouse](https://en.wikipedia.org/wiki/Greenhouse) sensors can help you maintain optimum conditions around-the-clock by monitoring temperature, moisture level, and carbon dioxide concentration. You can also conveniently track livestock on your farm to manage the key data for their growth.

## How IoT Authentication Works

IoT authentication is a vital part of the trust framework for IoT machines and devices to identify one another in their network with the goal of protecting data and controlling access. Strong authentication is required so that connected IoT devices and machines can trust each other and be protected against unidentified access. This means every device receiving information in the IoT network must be able to automatically verify the source of that information.

### Why You Need IoT Authentication

Security and privacy are major concerns with IoT. The billions of data points generated by billions of IoT devices connected to the internet make the technology highly vulnerable to cyberattacks. For example, in 2016, [Dyn](https://account.dyn.com/), the largest domain name system infrastructure provider, was hit with a [DDoS attack](https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/) that brought down popular websites like Twitter, Netflix, and CNN. At the time, it was tagged as the largest [DDoS attack the world has ever seen](https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet), and the attackers used poorly secured IoT devices to gain entry.

As a developer in your IoT-driven organization, you must consider IoT authentication as a key part of your security strategy. IoT poses a huge risk to your company's critical infrastructure, and bad actors tend to take advantage of the connectivity and entry points in the IoT network. For instance, unauthorized access can lead to data tampering which will possibly cause your team to make wrong decisions that could endanger machines and humans alike. Authentication helps you protect your devices and services from these unauthorized users and devices.

## How You Can Best Implement IoT Authentication

On a generic level, IoT developers and administrators register each device and deploy each one with [public key infrastructure (PKI)](https://www.tutorialspoint.com/cryptography/public_key_infrastructure.htm) that is linked to public key certificates for device authentication. PKI helps the IoT network to establish the legitimacy of a device in a network.

Ultimately, your organization must choose the best authentication strategy that suits your IoT system, and you need to do this by considering the type of devices in the network, the location, and the nature of data to be transmitted or received.

There are several ways you can implement device authentication in an IoT system. However, every device should be able to verify the source of information in a system consisting of hundreds, or maybe even thousands, of devices that are sending large volumes of data in milliseconds. This is why it is essential to have a trusted platform that can automatically handle device identity verification. [ZITADEL](/iot) is one such platform:

<img
  className="hidden dark:block object-contain my-auto mx-0rounded-lg"
  src="/images/iot/iot-02-dark.svg"
  alt="Authentication with short lived tokens"
/>
<img
  className="block dark:hidden object-contain my-auto mx-0 rounded-lg"
  src="/images/iot/iot-02-light.svg"
  alt="Authentication with short lived tokens"
/>

ZITADEL lets devices authenticate themselves with a device key and then uses tokens to send data to a backend service. These backend services receive the short-lived keys and carry out validation independently. For more information about the different token types available and their benefits, check out [this ZITADEL blog](/blog/jwt-vs-opaque-tokens).

For example, assume you manage the IT infrastructure in a hydroelectric power generation dam that uses IoT water level sensors to automatically control a floodgate. The floodgate has to open or close at certain water levels as measured by the IoT sensor in real time. In such a high-risk operational situation, the floodgate controls must securely verify that the data being received is coming from your sensor. At first, the sensors will request an OAuth token from ZITADEL as a [service user](/docs/guides/integrate/serviceusers#authenticating-a-service-user:~:text=and%20machine%20users%20%22-,Service%20Users,-%22.) by first enrolling with the private-public key pair generated in Zitadel,and with this key, the sensor can create a JWT token that it can now exchange with an OAuth token. After this, the device will send the data with the requested tokens to the floodgate control system. Before the incoming water level sensor data is processed, the receiver automatically contacts ZITADEL to verify the device with the access token. If verification is successful, the floodgate control system processes the water level data and takes action accordingly.

As you can see, cryptographic keys, or tokens, form an essential part of IoT device authentication with ZITADEL. You must ensure that the generated keys for [authentication are securely stored](/iot#:~:text=How%20to%20securely%20manage%20cryptographic%20keys) such that if they were compromised, your IoT system would still be secure.

## Conclusion

Proper execution of IoT authentication is immensely beneficial to the security of your IoT system. Similarly, having a good understanding of how IoT authentication works is highly important for you as an IoT solutions developer, whether you're adopting an IoT authentication service or building a bespoke solution for your business.

In this article, you learned how the Internet of Things authentication works and how you can best execute it with ZITADEL.

[ZITADEL](/) is an open source identity management platform that provides you with a wide range of features like OpenID Connect, secure Machine-to-Machine communication, SAML 2.0, OAuth 2, FIDO2, OTP, and an unlimited audit trail. With ZITADEL, you can solve all your authentication and authorization needs. Check out our repo and give us a [GitHub star](https://github.com/zitadel/zitadel). We appreciate the feedback.

*This article was contributed by [Idowu Odesanmi](https://portal.draft.dev/writers/recr2TiHgJUuws1iP).*

How Does the Internet of Things Authentication Work?


In the current IT ecosystem, it's not uncommon to see businesses and organizations relying on all kinds of software systems to address their unique business challenges. While these systems help organizations by providing their expected value, they introduce a security challenge where users have to manage their passwords for each system separately.

Having a lot of passwords causes all sorts of problems, including increased customer support tickets to reset passwords, degraded user experience when logging into each system separately, and management challenges for corporate users if they have to be added or removed from multiple systems in the organization.

This is where [single sign-on (SSO)](https://encyclopedia.kaspersky.com/glossary/single-sign-on-sso/) comes to the rescue. SSO enables you to delegate the users' account creation and management to a central authentication server. Instead of separately managing a username and password for each application in your organization, your applications delegate the authentication to a trusted SSO server.

In this tutorial, you'll learn what benefits SSO brings to the table. You'll learn how to delegate access from a self-hosted [Nextcloud](https://nextcloud.com/about/) service to
[ZITADEL](https://zitadel.com/) as an SSO provider utilizing the [OpenID Connect (OIDC)](https://openid.net/connect/) protocol.

## Key Benefits of SSO

SSO is beneficial because it provides a better user experience. For instance, SSO makes it seamless for the user to access multiple systems smoothly and quickly without being interrupted by password logins. A side effect of this benefit is an increased software adoption rate, as onboarding any new software application will be a matter of integrating it with the SSO server.

In addition, password reset tickets are a [significant support cost](https://bioconnect.com/2021/12/08/are-password-resets-costing-your-company/).
By reducing the number of systems that require separate passwords, you'll decrease the number of password reset tickets (which, in turn, reduces cost).

SSO also provides higher security. Storing user accounts and passwords centrally enables you to harden them in one place—the SSO server. Moreover, you'll be able to easily revoke or grant users access by managing them from a single system rather than multiple scattered systems.

This is why you'll see SSO being widely used both internally on corporations and externally on software-as-a-service (SaaS) systems like [Slack](https://slack.com) (which uses Google as an SSO provider).

## How to Integrate ZITADEL SSO OIDC with Self-Hosted Nextcloud

Now that you know what SSO is and why you would want to use it, it's time to implement it using ZITADEL and the Nextcloud self-hosted service. The final architecture will look like this:

<div className="dark:hidden">
  <img
    src="/blog/2022-12-08-zitadel-as-sso-provider-for-selfhosting-01-light.png"
    alt="Final architecture courtesy of Mohammed Osman"
  ></img>
</div>
<div className="hidden dark:block">
  <img
    src="/blog/2022-12-08-zitadel-as-sso-provider-for-selfhosting-01-dark.png"
    alt="Final architecture courtesy of Mohammed Osman"
  ></img>
</div>

There are two major stages in this tutorial: creating a ZITADEL account and configuring Nextcloud as an OIDC client, and then creating a self-hosted Nextcloud container and integrating that into ZITADEL.

## Create a ZITADEL Account and Configure Nextcloud as an OIDC Client

To begin, you’ll need to set up your self-hosted ZITADEL instance. Fortunately, you can do this easily using Docker.

To begin, use [ZITADEL's Docker Compose guide](/docs/guides/deploy/compose) to set up Docker. During the set up, you should receive another email from ZITADEL. Open the email and click **Finish Initialization**. You'll receive a prompt to create a new password for your ZITADEL instance. Create it and then select **Next**.

> **Please note:** The password you created earlier differs from the password you just created. The password you specified earlier in this tutorial is for the ZITADEL customer portal, and the password you just created here is for the ZITADEL instance.

Select **Skip** to skip creating multifactor authentication and navigate back to the instance overview page.

In the instance UI console, click on the **Projects** tab. Then click **Create New Project** to set up a new OIDC provider:

![Projects menu](/blog/2022-12-08-zitadel-as-sso-provider-for-selfhosting-01.png)

Give your project a name (here, it's "my-first-zitadel-project") and click **Continue**. ZITADEL will now create your project and redirect you to the project settings page.

After you've created your ZITADEL project, you'll need to create an OIDC client app for the Nextcloud app you'll create later. In ZITADEL, an application represents a software that initiates the authorization flow, such as web and mobile apps. To start, click **New** to create a new application and fill in your application details. Here, the name is "cloud-next-app", and the application type is "Web" since Nextcloud runs as a web application.

Once filled out, select **Continue**. You'll be prompted to choose an authentication method: select **CODE**. PKCE is recommended for mobile and static clients. Then select **Continue**.

Now you need to define the redirect URLs for the Nextcloud application (which you'll configure later).

For **Redirect URIs**, put `<http://localhost:6060/apps/sociallogin/custom_oidc/ZITADEL>` and select **+**. For **Post Logout URIs**, put `<http://localhost:6060/>`; then hit **+** > **Continue**. You should see a confirmation screen with your options. Review them and click **Create**:

![Project settings confirmation](/blog/2022-12-08-zitadel-as-sso-provider-for-selfhosting-02.png)

At this point, you'll be presented with a **ClientId** and **ClientSecret**. Please take note of them as you'll need them later:

![ClientId and ClientSecret](/blog/2022-12-08-zitadel-as-sso-provider-for-selfhosting-03.png)

Once noted, select **Close** and then **Redirect Settings** on the left-hand side of your screen.

Since you'll deploy Nextcloud locally on a [Docker](https://www.docker.com/) container without HTTPS, you need to indicate to ZITADEL that this configuration is meant for development mode. Enable the **Development Mode** and click **Save**:

![Enable **Development Mode**](/blog/2022-12-08-zitadel-as-sso-provider-for-selfhosting-04.png)

> ** Please note:** In a real production scenario, you should not use this. Your application should be hosted using HTTPS.

In the final step of this stage, you need to copy the base address of your ZITADEL
instance. This address will be used by the OIDC client (Nextcloud, in
this case) to perform the authentication.

Click **Urls** on the left of the current page and take note of the **authServiceUrl**. In this instance, it's `https://my-first-zitadel-instance-l8ehm3.zitadel.cloud`.

At this point, you've successfully set up ZITADEL as your OIDC server.

### Create a Self-Hosted Nextcloud Container and Integrate to ZITADEL

In order to create a self-hosted Nextcloud container and integrate it with ZITADEL, you need to install Nextcloud as a hosted Docker container and set up your admin user.

To do this, go to [**Get Docker**](https://docs.docker.com/get-docker/) to download and install Docker according to your current operating system. Please refer to the official [Docker documentation](https://www.docker.com/get-started/) for more information. If you already have Docker installed, you can skip this step.

> ** Please note:** In a real production scenario, you'll host the Nextcloud container in a cloud provider, [Kubernetes](https://kubernetes.io/) cluster, or any production-grade deployment.

In the command terminal, type `docker run -d -p 6060:80 nextcloud` to download and run the Nextcloud Docker image. This will map port 6060 in your computer to port 80 Nextcloud Docker container, where the web application runs.

In the command terminal, type `docker container ls` to verify that the Docker container is running. You should see something like this:

![Nextcloud Docker container running](/blog/2022-12-08-zitadel-as-sso-provider-for-selfhosting-05.png)

Open a browser window and navigate to [http://localhost:6060/](http://localhost:6060/) to access Nextcloud. Since this is a first-time setup, you need to create an admin username and password. Fill out these details and scroll down and click **Install**. Nextcloud will take a few seconds to prepare your application.

You should receive a prompt asking if you want to add some recommended apps to Nextcloud. Go ahead and click **Cancel**. Then an introductory splash window to Nextcloud will pop up. Close it by clicking **X** at the top right inside the browser window. Then you should see the Nextcloud dashboard.

Since an OIDC login isn't available by default in Nextcloud, you need to add an app to your self-hosted Nextcloud service in order to enable it. You can think of apps in Nextcloud similar to extensions in Chrome since they add additional functionalities to your application.

Click the icon in the top-right corner of your dashboard and then click **+ Apps**:

![Access apps in Nextcloud](/blog/2022-12-08-zitadel-as-sso-provider-for-selfhosting-06.png)

In the left menu, click **Social & communication** to find apps in that category. From there, search for an app called Social login, click **Download**, and then click **Enable**. In a few seconds, this action installs the Social login app in your Nextcloud self-hosted instance and enables Nextcloud to log in via OIDC.

Click on the top-right icon in the dashboard and then click **Settings**.

On the left of the screen, you should see a **Social login** tab under the **Administration section**. This means that the Social login app was successfully installed to your Nextcloud instance:

![Social login app added](/blog/2022-12-08-zitadel-as-sso-provider-for-selfhosting-07.jpg.jpg)

After you've added the **Social login** application to your Nextcloud instance, it's time to configure it to use ZITADEL as an OIDC provider. Click on **Social login**; then next to **Custom OpenID Connect**, click the **+** sign. This will enable you to add a custom OIDC provider (which, in this case, is ZITADEL).

Fill in the following details and leave any unmentioned field as it is:

- **Internal name:** This is the internal provider's name within Nextcloud, and it's not visible externally (in this example, ZITADEL was used).
- **Title:** This is the provider name exposed externally during the login process (again, ZITADEL was used).
- **Authorize url:** This represents the authorization endpoint URL. It consists of the ZITADEL instance URL you noted earlier with `/oauth/v2/authorize` (`https://my-first-zitadel-instance-l8ehm3.zitadel.cloud/oauth/v2/authorize`).
- **Token url:** This represents the token endpoint URL. It consists of the ZITADEL instance URL you noted with the `/oauth/v2/token` (here, it's `https://my-first-zitadel-instance-l8ehm3.zitadel.cloud/oauth/v2/token`).
- **Client Id:** This is the OIDC client ID you noted previously.
- **Client Secret:** This is the OIDC client secret you also noted earlier.
- **Scope:** Type "openid" to indicate that it is an OIDC protocol.
- **Default group:** Select **admin**. This means that the authenticated user from ZITADEL will have admin permissions. In a real-world scenario, you'd assign the authenticated users less powerful permission.

![Sample OIDC settings](/blog/2022-12-08-zitadel-as-sso-provider-for-selfhosting-08.jpg.jpg)

Then hit **Save**.

After configuring ZITADEL as an OIDC provider, it's time to test it. In the Nextcloud dashboard, click the icon in the top-right corner and then click **Log out** to log out from the current admin user session, and you'll be automatically redirected to the login page.

You should now see a new button that says **Log in with ZITADEL**. Click on it and enter the ZITADEL login name you noted previously; then click **Next**.

Next, enter the ZITADEL instance password (not the customer portal password) and click **Next**. ZITADEL should redirect you to the Nextcloud dashboard.

Congratulations! You've managed to access your self-hosted Nextcloud instance using ZITADEL as an OIDC provider.

## Conclusion

In this tutorial, you learned what an SSO is and how it benefits businesses by improving user experience, reducing costs, and contributing to IT security. You also learned how to set up your self-hosted ZITADEL instance as an OIDC provider. Then, you learned how to set up a Nextcloud self-hosted instance, and you delegated its access to ZITADEL.

[ZITADEL](/) is an open source identity management platform that provides you with a wide range of features like OpenID Connect, SAML 2.0, OAuth 2, FIDO2, OTP, and an unlimited audit trail. With ZITADEL, you can solve all your authentication and authorization needs. Check out our repo and give us a [GitHub star](https://github.com/zitadel/zitadel). We appreciate the feedback.

_This article was contributed by [Mohammed Osman](https://portal.draft.dev/writers/recvOT7Hsq96gfwnR)._


In this tutorial, you'll learn what benefits SSO brings to the table. You'll learn how to delegate access from a self-hosted Nextcloud service to ZITADEL as an SSO provider

Use ZITADEL as SSO provider for self-hosting


At ZITADEL we believe that working transparently creates trust in our project and cloud service. With this mantra as one of the cornerstones of ZITADEL we actively and regularly engage with external security testers to test different scopes of our offerings.

As always we tested ZITADEL against the [OWASP Top Ten](https://owasp.org/www-project-top-ten/) risks. Besides that we instructed our testers to assess our cloud provider’s configuration to reduce the risk of problematic settings, since we run the majority of our infrastructure on Google Cloud Checkout our [trust center](/trust) if you are interested in what services and providers we use.

## TL;DR

The overall result was rated good with only one high issue, which was mitigated during the test. Other issues were minor but nonetheless important for us and were fixed within a few days.

## Findings

In the following section I will give you a short summary and comment on the highest ranked issues. [You can download the full report here.](/blog/2022-12-01-pentest-results-h2-2022-01.pdf) Findings with a low criticality will be mitigated, if needed, during our regular security operations.

## 5.1 Privilege Escalation by Actions

> “The Actions feature allows an authorized user with the role “Organization Owner” to add a grant to a new external user for a project within another organization's scope. An attacker can utilize this vulnerability to create/escalate its privileges on another organization’s projects.”

During the test it was brought to our attention that the tester was able to use a ZITADEL Action to elevate access rights inside a ZITADEL Instance. Even though this vulnerability only could be exploited if access was granted to deploy new Actions, we decided to [publish a CVE](https://github.com/zitadel/zitadel/security/advisories/GHSA-c8fj-4pm8-mp2c) and create a mitigation instantly.

Exactly these types of findings are the reason why we think working with external testers is an important part of the integral security of a project.

## 5.2 Missing Logging for Firewall

> “Logging for existing Firewall rules is deactivated. Policy violations will not be logged and thus cannot be monitored.”

We use the Google Cloud Firewall to policy traffic from different networks. Especially traffic flowing from our Google Cloud Run deployment to the VPC Interconnected CockroachDB Dedicated Cluster.

To improve our observability of violations we activated the logging and integrated the information into our monitoring platform.

## 5.3 Insufficient Monitoring

> “No policies were defined in the Google Cloud Platform to be informed about possible changes or security-relevant incidents. An attacker can apply unnoticed changes or perform attacks on the ZITADEL services.”

In the past we mainly used the Google Cloud Monitoring Suite to observe and alert behaviors of our service. After doing this test we revised our standpoint and created an umbrella monitoring platform to ingest all the observability data from many different systems and services we rely on. To specifically address this issue we also incorporated the Google Cloud Audit log.

We will follow-up with an upcoming blog about how we observe and monitor ZITADEL Cloud in more detail.

## 5.4 Basic Roles in Use / 5.5 Service Account with Admin Privileges

> “Basic Google Cloud Platform roles are assigned, this does not follow security best practices as these roles can have extensive permissions.”

> “Custom service accounts have administrative privileges assigned. A compromised service account would have extensive permissions on the assigned services.”

Some users had broad permissions for their needs. After highlighting this during the test we removed overarching permissions and integrated the permissions management into our Terraform process where a four-eye process is required for all changes. 
To keep everything auditable we store our terraform files in a Git repository and we ingest the Google Cloud Audit Events into our monitoring platform.


A security analysis of ZITADEL was conducted with an external specialist. Learn more about the scope and results.

Pentest Results H2 / 2022


<a href="https://micromate.ai" target="_blank" rel="noreferrer">
  <img
    height="150px"
    width="150px"
    style={{ margin: "0 auto 2rem auto" }}
    src="/blog/2022-11-24-success-story-micromate-01.png"
    alt="Logo of Mircomate"
  />
</a>

[Micromate](https://micromate.ai) offers a time-efficient, sustainable, and fun way to encourage learning. Companies and public institutions of various sizes use the learning assistant to bring everyone’s knowledge to the next level. Micromate presents learning content in a personalized conversational form and integrates in your Messenger application, learning tool or Website.

## Key outcomes

- Highly flexible user management across organizations for a seamless user experience
- Less time spent on developing user and access features, more time for core value
- All data is stored and processed only in Switzerland

## Challenge

Micromate is used by many different companies and organizations to help their employees learn in a more meaningful way. Learning users can interact with Micromate through chat applications like Microsoft Teams or via a web-based application. As a cloud-based software-as-a-service created and hosted in Switzerland, Micromate can offer a truly GDPR/DSVGO compliant solution.
The staff members in charge of learning and development have special permission to access an administrative portal to manage the learning content as well as review the learning progress.

Each company or organization within Micromate requires an own logical tenant for managing their individual content, users, and configuration. One of the biggest challenges of the team was enabling users to be part of multiple tenants with different roles. Accordingly, the platform’s goal included allowing a single user to be the content editor for a company's compliance training module and simultaneously be enrolled in a university program that uses Micromate to deliver spaced learning lessons tailored to the student’s needs.

To access their accounts, all users should be able to sign into Micromate via SSO (single-sign-on) by using their organization‘s login method, such as AzureAD, Moodle account, or social logins. Once logged in, users should be able to switch seamlessly between the different learning modules and tenants.

<figure>
  <img
    src="/blog/2022-11-24-success-story-micromate-04.png"
    width="100%"
    alt="Microsoft teams showing a Mircomate chat"
  />
  <figcaption>
    Micromate conversation integrated with Microsoft Teams
  </figcaption>
</figure>

## Solution

Since building an authentication server from scratch is generally risky, costly and time-consuming, the startup team behind Micromate found that the identity & access management (IAM) solution of ZITADEL would suit their need for organization, flexibility and scalability. The selected SaaS version of ZITADEL offers a pre-configured public cloud service that manages scaling and resource allocation, allowing Micromate’s time and effort to be spent on developing and optimizing their main product. When choosing a region to house their data, the team has found that the region of Switzerland best fits their deployment preferences .

<figure>
  <img
    src="/blog/2022-11-24-success-story-micromate-02.png"
    width="100%"
    alt="Diagram showing Micromate and User Organization with Grants to different Tenants"
  />
  <figcaption>
    Micromate application is granted to multiple organizations. All users are
    being stored in one organization and can be granted to multiple
    organizations. The receiving organization can allocate different roles in
    self-service.
  </figcaption>
</figure>

With the help of a multi-tenant architecture, both in their business logic and the IAM they were able to map complex organizational structures that can collaborate with each other and to which they can assign individuals with different permissions for a given context.
All the client applications, base configuration, and access roles were set up in a main Micromate organization, which only staff has access to. When a new customer signs up to Micromate, a new organization is created via the ZITADEL APIs.
This newly implemented organization receives an automatic project grant from Micromate to enable it to use the applications and roles.

<figure>
  <img
    src="/blog/2022-11-24-success-story-micromate-03.png"
    width="100%"
    alt="Micromate admin website showing organization picker"
  />
  <figcaption>Switching organizations</figcaption>
</figure>

In order to ensure even greater flexibility, Micromate stores its users in an independent organization and creates individual user grants for the establishments to which they wish to gain access. With the help of this pattern, users are enabled to be part of various different tenants with varying assigned roles (eg, Learner, Content editor, Analytics, etc.). This seamless switch between tenants is available to the user without the need to sign-in again.

As ZITADEL Cloud allows all features to be used in the free tier, the team was allowed to test several architecture and solution options quickly to determine the best fit.

## Result

Through the use of ZITADEL, Micromate was able to focus on their business logic and use a highly flexible identity management to handle their multi-tenancy access, secure login, and self-service needs. Thus, their users can enjoy a streamlined user experience where they can seamlessly switch between their learning content. The time saved by not having to develop a multi-tenancy access management themselves, resulted in a fast time to market, while the security and complexity remains invisible to the users.

<figure>
  <img
    src="/blog/2022-11-24-success-story-micromate-05.png"
    width="100%"
    alt="ZITADEL Login screen branded with Micromate Logo, Colors, and domain"
  />
  <figcaption>
    Login screen branded with Micromate Logo, colors, and custom domain
  </figcaption>
</figure>

By choosing the data region Switzerland, all user data remains in Switzerland all the time together with trusting a Swiss provider, Micromate can offer a fully GDPR compliant cloud solution.

## Future Plans

Looking into the future, the team behind Micromate has one key aim in mind: Continuously improving their platform to ensure that it is always up to the highest standards of the market and their individual users alike. Naturally, this aspiration has noteworthy stepping stones on its way, which represent the major leaps the application can take toward its goal. Some of the innovations they wish to realize include a new voice-recognition feature, a virtual market for studying materials, and the expansion of the bots' communication capabilities.

## Testimonials

<img
  src="/blog/2022-11-24-success-story-micromate-06.jpg"
  width="200px"
  alt="Portrait picture of Christoph Süess in a blue suit and white shirt."
/>
“Mapping complex, collaborative organization structures requires a flexible identity
management system like ZITADEL” - Christoph Süess, Founder

## About the Micromate

[Micromate](https://micromate.ai) is a modern learning assistant platform that imparts knowledge in a time-efficient, sustainable and fun way. With the help of chatbot integration into various established messengers, the application aims to monitor and enhance users' learning processes and assist them in setting new study objectives.

Learn more about Micromate:  
[https://micromate.ai](https://micromate.ai)


Companies and public institutions of various sizes use the learning assistant to bring everyone’s knowledge to the next level with the power of ZITADEL.

How the learning assistant Micromate profits from the multi-tenancy power of ZITADEL


Delegated access management lets you offer increased flexibility over the services you provide. 
In this self-service model, your clients can grant rights to their users independently of your interaction, benefiting them and you.

Allowing business customers to handle role management themselves lets them work faster with less of your support. They don't need you to approve individual users on their behalf.

However, granting access is complex, and delegating it needs to be done safely. There are all kinds of pitfalls to worry about if you attempt to do it yourself. Bringing in external expertise is one way to ensure you get it right. In this guide, you'll learn how to simplify delegated access management and self-service.

## Why You Need Delegated Access Management and Self-Service

Delegating access management and providing self-service to your clients can help you in several situations. For example, often, you need highly granular role management, with permissions granted for specific projects and specific types of action. If you're working with staff in another organization, you can't easily manage this yourself.

If that organization has to go through your company every time it wants to change someone’s role or the data they have access to, it will take them time and slow their onboarding procedures, ultimately making working with you less attractive.

Delegating access management also helps mitigate insider threats. Farming out permissions may seem like a security risk, but you're really reducing the number of people that deal with any particular set of permissions. In addition, you're giving control to those that use them.

By reducing the amount of communication and the number of people involved, there's less chance for someone to leak information or act maliciously. And as your client base increases, so does the amount of admin involved in communication. The more you can automate or pass off to your clients, the better.

## How to Simplify Delegated Access Management and Self-Service with ZITADEL

There are several things to think about, when implementing delegated access management and providing self-service capabilities to your users, including roles and permissions, delegated role management, and service consolidation. 

ZITADEL allows you to do all of this and more, handling most of the heavy lifting for you. It makes delegated access management and self service simple. Its APIs integrate with your business processes letting you automate your clients services.

Let's take a more in-depth look at how it can help you:

### Roles and Permissions

There are many types of permission users need. In addition to viewing files or other resources, users may be allowed to create or edit documents or delete files. Furthermore, some users are allowed to grant these permissions to others. Any of these permissions can be limited to specific resource sets. 

To reduce complexity, permissions are often grouped into roles. Roles are a means of managing user access rights and usually come with a default set of permissions. Instead of figuring out exactly which permissions to give an individual, you can grant them a role instead. Your apps then associate permissions with roles, rather than individuals.
Authorizations state which users have which roles and are often referred to as user grants.



Though users are typically human, they can also include machine agents, known as service users. For example, if you use a service to sync databases, the service might access databases on another domain by logging in as a service user.

[ZITADEL](https://zitadel.com/docs/guides/manage/console/projects#grant-a-project) lets you grant selected roles to an organization. The organization can then create authorizations for its users independently, and this is referred to as self-service.

### Delegated Role Management

Delegating role management means you grant another group permission to assign or change roles. You don't need to grant all the permissions you have, but a limited selection allows you to create hierarchical relationships that don't require your involvement to administer.

A simple example of this role delegation would be in blogging software. Everyone has permission to view the blog. Editors get permission to make changes and grant rights to writers. Writers have permission to edit the documents they are assigned by the editors.

In this setup, there's no need to directly set people's individual permissions; you just assign them a role, and everything is taken care of by the software. Without roles, you’d have to select the specific actions available to each staff member.

However, if you're hosting blogging software for someone else, you need to provide them with permission to hand the roles to users. That could look something like the following:

<div className="dark:hidden">
  <img src="/blog/2022-11-24-delegated-access-management-and-self-service-01-light.png" alt="Image showing the relationship between the host company and blogging team, which gets delegated rights to grant users blog access courtesy of James Konik"></img>
</div>
<div className="hidden dark:block">
  <img src="/blog/2022-11-24-delegated-access-management-and-self-service-01-dark.png" alt="Image showing the relationship between the host company and blogging team, which gets delegated rights to grant users blog access courtesy of James Konik"></img>
</div>

Here, your client is granted rights to assign user roles and can create as many users as they like without having to go through you. You can grant whatever rights you want, granting more or less control depending on your use case.

### Managing Access Providers

There are many services providing authorization and authentication services. It can be hard to manage them all. With ZITADEL, you can enable and configure different services for each organization you work with.

With ZITADEL, you can implement [Auth0](https://auth0.com), [OmniAuth](/docs/guides/integrate/services/gitlab-self-hosted), and other kinds of access methods, such as [Keycloak](https://www.keycloak.org), [Azure Active Directory (Azure AD)](https://azure.microsoft.com/en-us/services/active-directory/), and Google through a single self-service platform.

You can enable single sign-on (SSO), too. SSO lets you access multiple services using a single login. ZITADEL lets you use protocols like [OpenID Connect](https://openid.net/connect/) to provide this functionality.

These options make ZITADEL an ideal way to bring your own identity (BYOI) capabilities to your customers. Combining service consolidation with delegate access management like ZITADEL ensures that your users have the flexibility they need when setting up their organization access rules.

Going through ZITADEL takes away the difficulty of managing multiple services, and the consistent interface means your users don't have to figure out all the different login types.

### Branding and Experience Customization

When dealing with [relationships between multiple organizations](/docs/guides/solution-scenarios/b2b), you need to decide how logins are handled. Do you use a default login screen or redirect users to one with a specific organization's branding?

With ZITADEL, you can configure these relationships on a case-by-case basis for different roles and companies. You can also easily create branding and add logos for each client. And of course, you can adjust it all without having to redevelop your site.

ZITADEL's [multi-tenancy support](/usecases) means you can sell your services to different companies and deliver the specific features they need. These can be tailored to their needs and perhaps support different service tiers that you offer.

As well as branding, different organizations can then use different rules, such as their password policies and multi-authentication requirements. It's easy to customize these using a centralized service provider.

### Benefits of Experience

Without experience in security, it's hard to keep up with the ever-changing technical and regulatory requirements. Given how risky mistakes are, it makes sense to bring in outside help.

Implementing delegated access management and self service is complex. When developing such services, it's easy to overlook this complexity. Many services implement authorization and authentication themselves, but as the scope widens to include delegated access management, this becomes an increasingly bad idea.

For nonspecialists, the chances of making a mistake are significant. The investment and maintenance requirements are also high and easy to underestimate.

By using an experienced service provider to handle these areas, you can focus on business logic and deliver a better product.

### Security Dangers

Small mistakes in authentication and authorization services can have dire consequences. Access control, identification, and authentication are all prominent in the [Open Web Application Security Project (OWASP)](https://owasp.org/www-project-top-ten/) top ten security risks. Hackers are getting ever more sophisticated, and a successful attack can be catastrophic for a business on the receiving end.

To try and prevent attacks as well as develop a secure system in the first place, you have to continually update it as new threats emerge.

You also have to deal with the evolution of your wider platform. Every time you add or change a feature, you risk undermining your existing security measures and opening up a vector of attack.

Using an external service to provide authentication and authorization means you have dedicated experts continually updating their platform to deal with the latest vulnerabilities.

Plugging into a mature system via an API lets you deliver an up-to-date, secure service without the need for continual development investment.

And there are even more issues to think about, including setting up security policies, limiting the impact of [DDoS attacks](https://www.geeksforgeeks.org/what-is-ddos-mitigation/), and configuring the various types of encryption needed to authenticate users. None of these are easy to do.

With authentication and authorization handled for you, your developers are free to focus on your core product. You can concentrate on providing features and evolving your own platform without the added overhead of providing auth to external organizations.

### Scaling

Scaling can create issues, as additional users and support for new platforms put your infrastructure under pressure. ZITADEL supports unlimited users and projects, meaning it won't become a bottleneck.

Simplifying your services through delegated access management means you can use specialized tools to handle authorization and authentication, and these dedicated services can be chosen with scaling in mind.

They also prevent your codebase from getting out of hand as the range of clients, roles, and permissions you handle grows. Carefully partitioning it into a separate service keeps yours leaner and easy to work with.

### Additional Features

Login policies are another way to give your clients control. These can be easily defined from ZITADEL's console. Login policies allow you to set authentication methods for your users and can be changed as your clients' needs evolve. They can do that without having to make code changes. You can also do this on an organizational level. For example, a SaaS provider can set different policies.

You can learn more about ZITADEL's feature set [on its website](/features).

## Conclusion

Access management is a complex topic. Managing permissions and granting access to the right people are enough of a challenge, but the changing security landscape and ever-increasing feature sets make it even harder to keep up.

Fortunately, there are alternatives to doing everything yourself. With the right support, you can provide your clients with self-service capability. In return, they get a wide range of features along with cutting-edge security. They also reduce their costs, letting them focus on what they do best.

[ZITADEL](/) is an open source identity management platform that provides you with a wide range of features like OpenID Connect, SAML 2.0, OAuth 2, FIDO2, OTP, and an unlimited audit trail. With ZITADEL, you can solve all your authentication and authorization needs. Check out our repo and give us a [GitHub star](https://github.com/zitadel/zitadel). We appreciate the feedback.

*This article was contributed by [James Konik](https://portal.draft.dev/writers/recYmhitHbB1gDQDA).*

Granting access is complex, and delegating it needs to be done safely. In this guide, you'll learn how to simplify delegated access management and self-service.

Simplify Delegated Access Management and Self-Service

When building a software program, the **technique of user authentication** is one of the crucial elements that developers must consider. Given the growing inclination of end users to validate their identity via an existing social account, it is unsurprising that an **increasing number of applications are incorporating the social login authentication** mechanism. However, since the preferred social network likely differs from user to user, and SSO provider likely differs from company to company, it is crucial for the app in question to **provide a broad selection of identity providers and authentication methods**. Unfortunately, doing so usually implies that the provider must individually integrate and manage every integration and contract, several times over.

Integrating multiple Identity Providers directly within your applications is **complex to maintain, time-consuming to set up, and hinders single sign-on of users** – In other words, **it does not scale**. Luckily, this problem can be easily solved with the help of an **Identity Broker**.

This article tackles the definition of an identity broker and what identity brokering looks like in practice.

## What does an Identity Broker do?

The term Identity Broker (IB) describes a web application that **facilitates authentication between service providers and their configured Identity Providers**.  By acting as a trusted intermediary service, an IB connects projects with different identity providers, so that **developers do not have to bother with integrating them individually** into their apps. With the help of its centralized way of managing identities, end-users have the option to create a new account by **using the identity data acquired from several identity sources** (such as Google, Facebook, Twitter, etc.). An IB may also allow you to link multiple external identity providers to one user account. Thus, the implementation of social logins, other alternate authentication methods and the configuration of individual login policies are made easier than ever.

It is common for organizations to integrate their applications with a **cloud-based identity management platform** (such as ZITADEL), which can broker to many different identity providers out of the box, usually based on protocols such as [SAML, OIDC](https://zitadel.com/blog/saml-vs-oidc) and OAuth. By relying on the identity provided by such pre-configured services, you have ensured a **robust trust anchor** for all your applications and devices.

## Identity Brokering in Practice

With the theory out of the way, it is useful to see how identity brokering functions in practice.

Identity Brokering is generally used in both **Business-to-Customer (B2C, CIAM) and Business-to-Business (B2B)** use cases. For B2C businesses it is vital for vendors to **offer different social identity providers, authentication methods and login policies** to best fit the needs of their end-users. Vendors of B2B software may need to provide enterprise SSO by allowing login with the customer’s identity provider (eg, Azure AD) and tailor security policies to fit their customer’s requirements. 

Alternatively, Identity Brokering can be used in **Government-to-Business (G2B) as well as Government-to-Citizen (G2C) cases**. The principle in these cases is the same as in the Business-to-X context, the **role of the business is simply replaced with a government institution/agency** (such as banks, legislatures, etc.). For instance, Australian users with a registered MyGovID may use this identity to access a range of government online services (such as student and health data portals), instead of having to rely on usernames and passwords.

Regardless of the use case, the process of identity brokering follows the same simple steps. As an example, let us imagine **an organization called “Gladix” that uses ZITADEL as a broker**:



![](/blog/2022-09-10-ib-01.png)

The application of Gladix has Google pre-configured as an identity provider. Accordingly, their end-users will get the **option to link their existing or new ZITADEL account with their Google account** by clicking on the “Google” symbol on ZITADEL’s login screen. Upon doing so, ZITADEL will **redirect the end-user to the login screen of Google** where they must authenticate themselves and then, if successful, they are directed back to the previous page. Following this authorization, the **end-user will be able to login into ZITADEL, and subsequently Gladix’s application, by using their Google identity**.

Integrating multiple Identity Providers directly within applications is complex to maintain, time-consuming to set up, and hinders single sign-on of users. Luckily, this problem can be easily solved with the help of an Identity Broker.

What is an Identity Broker? - Everything you need to know 

In this article, you'll learn how to secure your full stack Java application with OIDC. Here, you'll create two simple Spring apps

How to secure your Java application with OpenID Connect

If you have ever been uncertain whether a word is spelled correctly, a feature that automatically detects typos can be a lifesaver. Whereas a seemingly innocent spell-checking tool might not raise any red flags, **convenience and confidentiality are regrettably not always compatible online**.

This unpleasant side of spellchecking tools was exposed by a **recent incident involving Google Chrome and Microsoft Edge**. Both browsers’ enhanced spell-check features **send any data that is entered into form fields to Google and Microsoft**. Accordingly, the exposed information might include your **name, phone number, address and even your password**.

This article explains the privacy shortcomings of Chrome’s Enhanced Spellcheck and Edge’s MS Editor and what you can do to keep your data safe.

## The risks of these tools

You may already be familiar with Chrome and Edge's basic spell-checking tools, which are enabled by default and often go unnoticed by users. Luckily, **these built-in tools are nothing to worry about**. However, **both browsers offer "enhanced" spell-checking alternatives** that can identify misspelled words more accurately, thanks to the significantly higher amount of data they have at their disposal. While this statement about the tool’s higher accuracy may be true, it does beg the question of **where all this additional data comes from**. The answer is simple: from **everyone who has Enhanced Spellcheck, or MS Editor enabled**.

By enabling these features, **you simultaneously authorize the browsers to transmit the information you enter into form fields to their respective companies** (Google and Microsoft). Although this transmission of your data is a well-intended function of these tools, it still raises concerns about the fate of the forwarded information and how safe this practice is.

These worries were proven legitimate when [Otto Javascript Security (otto-js)](https://www.otto-js.com/news/article/chrome-and-edge-enhanced-spellcheck-features-expose-pii-even-your-passwords) recently exposed the concerning extent of information these spell-check functions extract from their users: The tools have the **potential to reveal personally identifiable information (PII)** from some of the most popular platforms and applications (such as Office 365, Google Cloud and Alibaba). Therefore, this phenomenon, often called **spelljacking**, **offers a severe security risk to your sacred data**, including your full name, date of birth, social security number, payment details, and passwords.

## How to protect your data

While a person exposing your data without your consent is frightening, **luckily, there are some measures you can take to protect yourself from spelljacking**.

### Disable Enhanced Spellcheck and MS Editor

While a specialized spellchecker is a handy tool for writing all kinds of texts, **given the security flaws discovered in Enhanced Spellcheck and MS Editor, it is** **recommended to use an alternative instead**, at least until the developers figure out a way to address these issues.

Thus, one of the most obvious ways to protect yourself from having your personal information sent to Microsoft and Google is to **disable the Enhanced Spellchecker**. Luckily, this is an effortless procedure that can be done via Chrome’s settings. Simply navigate to chrome://settings/syncSetup and uncheck the box labeled “Enhanced Spellcheck.”

![](/blog/2022-10-10-enhanced-spellcheck-01.gif)

**Uninstalling MS Editor on Microsoft Edge is equally simple**. By navigating to the [tool’s page on Edge-Add-Ons](https://microsoftedge.microsoft.com/addons/detail/microsofteditor-rechtsc/hokifickgkhplphjiodbggjmoafhignh), you can easily remove it by clicking on the blue button next to its name.

## Use passwordless login methods to protect your account

The most foolproof way of protecting your password is simply not having one. Accordingly, it is strongly advised to **confirm your identity via a passwordless method** (such as Biometrics, a physical token, or a One-time-password) whenever a platform allows you to do so. While this measure alone does not keep the enhanced spell-checking tools from transmitting all the other information you enter into form fields, at least your account remains safe from unwanted access.

Whereas a seemingly innocent spellchecker might not raise any red flags, convenience and confidentiality are regrettably not always compatible online. This article explains the privacy shortcomings of Chrome’s Enhanced Spellcheck and Edge’s MS Editor and what you can do to keep your data safe.

Your Spellchecker Might Have Leaked Your Passwords

*“In what city were you born? What was your first job? Where did you meet your spouse?”* Every person who has an online account to use services or apps **has inevitably had to come up with answers to security questions**.

![](/blog/2022-09-29-security-questions-01.gif)

In theory, they seem to be a great invention: Before you request a new password for your account, the platform must **confirm your identity by asking you to recall the answer to a confidential question you have configured upon registration**. There is, however, a significant hole in the logic of this security measure: Generally, the questions are **ridiculously shallow**.

Obviously, you know your mother’s maiden name - but so do your family members, friends, old teachers, ex-partners, and even the staff at your birth hospital. This ironic genericness of these supposedly confidential security questions prompts a reasonable thought: If a **random word or name used as a password already takes hackers less than a minute to guess**, what does that tell us about the safety of a **keyword that is not even random, but a direct answer to a simply searchable question**?

This article discusses the **shortcomings of security questions as a protection measure and what you can do to make them stronger**.  

## The risks of security questions

If you have ever heard of the **dangers of simple and reused passwords**, you might find that common security questions pose a threat for eerily similar reasons: Sometimes, **one lucky guess is all it takes for your data to fall into the wrong hands**. Upon gaining access to your account, the criminal is free to **exploit your sensitive information in any way they see fit**: Whether the attacker intends to commit identity theft, obtain your payment information, or hijack your account, any attack on your account could lead to devastating consequences.

In the following few paragraphs, we elaborate on the most important reasons why these questions are deemed unfit for protecting your data.

### Easy to guess

One of the most common criticisms security questions face is the false promise that they inquire about confidential information. In reality, they are nothing short of **vague and generic facts** that are even likely to be **identical amongst multiple users**.

According to research by Google, just a **single estimate could accurately predict an English-speaking user’s favorite** **food** with 20% accuracy. Similarly easy to deduce are the parents' middle names of Spanish-speaking users and the cities of birth of Korean users. Furthermore, the rates of accurate guesses **increase significantly for questions with only a few plausible answers**, such as “who is your favorite superhero” or “what is your favorite color?”.

At first glance, these probability rates might not seem too alarming, but remember that the previously mentioned statistics only apply to the success rate of a single guess. Accordingly, these numbers **exponentially increase with each additional guess** the platform allows. Ultimately, **most questions can be cracked in [10 attempts or less](https://www.engadget.com/2015-05-25-google-security-question-study.htmlhttps://www.engadget.com/2015-05-25-google-security-question-study.html)**.

### Easy to look up

It might surprise you how much information you can discover about someone by simply **scrolling through their social media profile**; their hometown, old elementary school, pet’s name – all of which are **coincidentally the subjects of the most common security questions**. While a seemingly obvious solution to this problem would be to keep our data private on social networks, unfortunately, inference attacks allow approximating sensitive information from a user’s friends.

Moreover, social media is not the only platform where your information may be accessible: As an example, [at least 30%](https://research.google.com/pubs/pub43783.html) of Texas citizens' mothers' maiden names may be inferred from **public birth and marriage records**.

### Social Engineering

Another common method attackers may use to get a hold of the answers to your security questions is to **simply ask you**. Of course, this manipulative exploitation technique, also known as social engineering, does not involve the criminal literally asking you to give them access to your sacred information: In reality, this process is often **so subtle, that you might not even notice the malicious intent behind the conversation**.

But how is this possible? Simply put, **humans are naturally inclined to trust people** they deem harmless, which is unfortunately a trait ill-wishers can easily use to their advantage. Accordingly, when engaging in casual banter with a nice person you matched with on a dating app, it might not seem out of the ordinary if they ask you where you are from. However, what you do not know is that this **small piece of information might have just been the key the hacker needed** to gain access to your networks and accounts.

Additionally, it is worth mentioning that the malicious method of social engineering is **not limited to the cyber-world** either; evidently, people might be even less vary of a seemingly harmless converation, when the second party is standing right in front of them. 

Whether the attack is carried out within the framework of a face-to-face interaction or online, the conclusion always remains the same: **The victim shares the needed information or exposes themselves to malware.** 

### Obtainable via a data breach

Sometimes, accessing the answer to your security question **does not require a tactical guess or lengthy research**; akin to passwords, phone numbers, and other personal information, security questions can get stolen within the framework of a data breach.

An attacker obtaining your security answers is especially a risky, since **thousands of platforms are known to recycle the same couple questions with little to no variety**. Thus, answering the same questions across multiple social identities may allow attackers to seamlessly access every account with an identical pre-configured query. 

## Making security questions safer

### Fake Answer

A seemingly obvious solution to the searchability issue is simply using a **made-up answer** to your selected security question, **which other people cannot verify**. Whether you want to type out the alphabet as your phone number or give your mother a fake name, **the level of obscurity is yours to pick**.

However, it is worth noting that **this method only works if you can actually remember the fake answer you came up with**. Given that [40%](https://www.securityweek.com/security-questions-dont-offer-much-protection-web-users-may-hope-research) of English-speaking U.S. users could not even recall their truthful question answers on demand, it is safe to assume that **remembering a made-up one would be even less convenient**.

Furthermore, made-up answers sometimes ironically end up being equally easy to guess since **many individuals** **attempt "harden" their responses in a predictable manner**. This phenomenon is primarily a result of individuals being forced to think of a random word on the fly, which usually ends up being **a common term they have frequently heard.** Thus, merely switching from "red" to "blue" as your favorite color will not be worthwhile.

### Honest Answer - With a twist

To reduce the probability of you forgetting a fake answer, you could instead just **add some little tweaks to a genuine one** – similar to what you would do with a weak password. For example, instead of your favorite food simply being “pizza,” it could be “Pizza123!”. While this answer is undoubtedly harder to crack, you must **still make an effort to remember the extra characters you added** to make this protection measure effective.

### Custom question

If the platform allows you to do so, **writing your own security question** can be a viable way to make your account more secure. Provided that the self-written query is less generic than the selectable ones, of course.

To make sure your custom security question fulfills its duty, it is **recommended for them to meet the following five [criteria](https://goodsecurityquestions.com/):**  

* Safe: cannot be guessed or researched
* Stable: does not change over time (f.e. your favorite song)
* Memorable: something you can easily recall
* Simple: is precise, easy, consistent
* Many: has many possible answers

### Ditching security questions completely

Whether you get your account hacked because your question was too simple or you cannot access your own account anymore because you forgot the made-up answer, using security questions is not exactly the pinnacle of user experience. Fortunately, **more and more platforms are starting to realize the flaws of this outdated protection mechanism**.  

While security questions are slowly becoming obsolete, **the concept of secure account recovery is still as crucial as ever**. Hence, more and more superior alternatives are emerging that can replace not only security questions but also knowledge factor-reliant authentication systems (f.e. passwords) altogether. To ensure more robust protection of your account, you might want to **consider using one of the following [passwordless](https://zitadel.com/blog/passwordless) options for authentication or account recovery** whenever they are available:

* **Possession factors:** An object, such as USB Devices (FIDO2-compliant keys), physical tokens, or your smartphone
* **Biometrics:** Physical traits (f.e. Fingerprint scanning or Face-ID) or other characteristics, such as voice recognition
* **One-Time-Passwords:** A code sent via text message or an authentication app

Discussing the shortcomings of security questions as a protection measure and what you can do to make them stronger.

Blog.