Delegated access management

Hosted Login

Multifactor Authentication

Passwordless Authentication

Audit Trail

Identity Brokering

Platform

Service Accounts

Features

Easy integration

B2B (Business to Business)

Self Service

Existing identities

Secure authentication

Use Cases

Learn how to install, setup, and use ZITADEL.

Documentation

ZITADEL Cloud

Self-hosting

Trust center

Examples and Guides

Github Repository

Develop

Get Started

Contribute

Roadmap

Changelog

About Us

Jobs

Contact

Company

Read the blog

Sign up

Login

Pricing

Blog


The term [Internet of Things (IoT)](https://www.oracle.com/internet-of-things/what-is-iot/) refers to a group of things or objects that have sensors and software built into them in order to exchange data with each other over the internet and other networks. Nowadays, with IoT, you can connect almost any electronic object to the internet for seamless communication with other devices and humans. 

The *Things* in the Internet of Things can be anything as simple as a light bulb you can switch on or dim with your smartphone application, or as complex as cabin climate control devices in airplanes. IoT has already become one of the foremost technologies in the past few decades.

Because IoT is becoming an increasingly important aspect of our daily lives, there is growing concern in regard to security and privacy. It's important to secure the myriad of connections between the devices in an IoT network and the services they communicate with. This is where IoT authentication plays its vital role. In this article, you'll learn how authentication in IoT works and how you can achieve device authentication in an IoT system.

## Why You Need IoT

As you will see, IoT is important to individuals and businesses alike. The technology aims to help people live smarter and gain total control over many aspects of their daily lives. As a business, IoT enables you to have real-time insight into your processes and the performance of all your business domains and assets. With the automated and interconnected system that IoT provides, you can easily cut down waste, improve productivity, and preemptively develop strategies to address challenges before they even occur.

IoT is used by organizations across several industries to improve operational efficiency and derive more value from their decisions. In a typical IoT ecosystem, devices will have embedded sensors, processors, and other technologies that enable them to share and act on data acquired from their environment. 

Although [IoT, as an idea, has been in existence for a few decades](http://www.chetansharma.com/correcting-the-iot-history/), the technology was brought to life through the successes attained in the development and advancement of several technologies. Some of these are as follows:

* Access to affordable and low-power electronic sensors
* More efficient data transfer over a host of internet network protocols for cloud connection
* Advances in machine learning (ML) and data analytics to gather insights faster from real-time sensor data
* Breakthroughs in artificial intelligence (AI) that have made IoT devices more appealing to everyday users, with digital assistants, like Siri, Alexa, Google, and Cortana.

These technologies and many more facilitated the growth of IoT.

### Use Cases of IoT

There are many aspects of life—private or public—where the Internet of Things can be used. Following are some of these use cases:

#### Location Tracking

Location tracking is one of the most popular use cases of IoT where smart sensors that are capable of monitoring GPS location, detecting surrounding devices, and transmitting data over a network are incorporated into devices in several industries.

[Wearable technologies](https://en.wikipedia.org/wiki/Wearable_technology) have made it easy to track the location of humans, pets, and mobile equipment. This application of IoT has aided parents in tracking their children, farmers in tracking the location of their herds, healthcare companies in tracking the real-time location of their patients with electronic implants or patient-assistance tools, and industries in tracking products throughout their lifecycle, from the assembly line to retailers' shelves.

#### Fleet Management

IoT sensors installed on vehicles within a fleet help to manage the complexities associated with fleet management. Smart sensors connect to IoT networks that then collect fleet data for performance analysis, pollution reduction, geolocation, fuel savings, and telemetry. 

For example, key metrics such as total vehicle load, temperature of sensitive cargo, and fuel tank level can be monitored with IoT sensors and then transmitted for further processing. IoT enables the interconnectivity of vehicles, drivers, and fleet managers in real time, making it easier to improve operational efficiency.

In practice, a fleet manager can easily reroute trucks passing through a certain route with bad weather. Thanks to IoT, the trucks are equipped with sensors that can communicate over the internet.

#### Smart Farming

The increasing global population has called for constant innovations that assist humanity in meeting the increasing nutritional demands. IoT is an innovation that already holds great promise as a solution to improving the productivity of agriculture in the most cost-effective way.

Almost every stage of traditional agricultural processes can be improved and automated with IoT. Smart irrigation makes it easy to efficiently use water, as sensors in the soil send information about the status of the soil to the IoT network, triggering it to release water as needed. [Greenhouse](https://en.wikipedia.org/wiki/Greenhouse) sensors can help you maintain optimum conditions around-the-clock by monitoring temperature, moisture level, and carbon dioxide concentration. You can also conveniently track livestock on your farm to manage the key data for their growth.

## How IoT Authentication Works

IoT authentication is a vital part of the trust framework for IoT machines and devices to identify one another in their network with the goal of protecting data and controlling access. Strong authentication is required so that connected IoT devices and machines can trust each other and be protected against unidentified access. This means every device receiving information in the IoT network must be able to automatically verify the source of that information.

### Why You Need IoT Authentication

Security and privacy are major concerns with IoT. The billions of data points generated by billions of IoT devices connected to the internet make the technology highly vulnerable to cyberattacks. For example, in 2016, [Dyn](https://account.dyn.com/), the largest domain name system infrastructure provider, was hit with a [DDoS attack](https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/) that brought down popular websites like Twitter, Netflix, and CNN. At the time, it was tagged as the largest [DDoS attack the world has ever seen](https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet), and the attackers used poorly secured IoT devices to gain entry.

As a developer in your IoT-driven organization, you must consider IoT authentication as a key part of your security strategy. IoT poses a huge risk to your company's critical infrastructure, and bad actors tend to take advantage of the connectivity and entry points in the IoT network. For instance, unauthorized access can lead to data tampering which will possibly cause your team to make wrong decisions that could endanger machines and humans alike. Authentication helps you protect your devices and services from these unauthorized users and devices.

## How You Can Best Implement IoT Authentication

On a generic level, IoT developers and administrators register each device and deploy each one with [public key infrastructure (PKI)](https://www.tutorialspoint.com/cryptography/public_key_infrastructure.htm) that is linked to public key certificates for device authentication. PKI helps the IoT network to establish the legitimacy of a device in a network.

Ultimately, your organization must choose the best authentication strategy that suits your IoT system, and you need to do this by considering the type of devices in the network, the location, and the nature of data to be transmitted or received.

There are several ways you can implement device authentication in an IoT system. However, every device should be able to verify the source of information in a system consisting of hundreds, or maybe even thousands, of devices that are sending large volumes of data in milliseconds. This is why it is essential to have a trusted platform that can automatically handle device identity verification. [ZITADEL](/iot) is one such platform:

<img
  className="hidden dark:block object-contain my-auto mx-0rounded-lg"
  src="/images/iot/iot-02-dark.svg"
  alt="Authentication with short lived tokens"
/>
<img
  className="block dark:hidden object-contain my-auto mx-0 rounded-lg"
  src="/images/iot/iot-02-light.svg"
  alt="Authentication with short lived tokens"
/>

ZITADEL lets devices authenticate themselves with a device key and then uses tokens to send data to a backend service. These backend services receive the short-lived keys and carry out validation independently. For more information about the different token types available and their benefits, check out [this ZITADEL blog](/blog/jwt-vs-opaque-tokens).

For example, assume you manage the IT infrastructure in a hydroelectric power generation dam that uses IoT water level sensors to automatically control a floodgate. The floodgate has to open or close at certain water levels as measured by the IoT sensor in real time. In such a high-risk operational situation, the floodgate controls must securely verify that the data being received is coming from your sensor. At first, the sensors will request an OAuth token from ZITADEL as a [service user](/docs/guides/integrate/serviceusers#authenticating-a-service-user:~:text=and%20machine%20users%20%22-,Service%20Users,-%22.) by first enrolling with the private-public key pair generated in Zitadel,and with this key, the sensor can create a JWT token that it can now exchange with an OAuth token. After this, the device will send the data with the requested tokens to the floodgate control system. Before the incoming water level sensor data is processed, the receiver automatically contacts ZITADEL to verify the device with the access token. If verification is successful, the floodgate control system processes the water level data and takes action accordingly.

As you can see, cryptographic keys, or tokens, form an essential part of IoT device authentication with ZITADEL. You must ensure that the generated keys for [authentication are securely stored](/iot#:~:text=How%20to%20securely%20manage%20cryptographic%20keys) such that if they were compromised, your IoT system would still be secure.

## Conclusion

Proper execution of IoT authentication is immensely beneficial to the security of your IoT system. Similarly, having a good understanding of how IoT authentication works is highly important for you as an IoT solutions developer, whether you're adopting an IoT authentication service or building a bespoke solution for your business.

In this article, you learned how the Internet of Things authentication works and how you can best execute it with ZITADEL.

[ZITADEL](/) is an open source identity management platform that provides you with a wide range of features like OpenID Connect, secure Machine-to-Machine communication, SAML 2.0, OAuth 2, FIDO2, OTP, and an unlimited audit trail. With ZITADEL, you can solve all your authentication and authorization needs. Check out our repo and give us a [GitHub star](https://github.com/zitadel/zitadel). We appreciate the feedback.

*This article was contributed by [Idowu Odesanmi](https://portal.draft.dev/writers/recr2TiHgJUuws1iP).*

It's important to secure the myriad of connections between the devices in an IoT network and the services they communicate with. This is where IoT authentication plays its vital role. In this article, you'll learn how authentication in IoT works and how you can achieve device authentication in an IoT system.

How Does the Internet of Things Authentication Work?


In the current IT ecosystem, it's not uncommon to see businesses and organizations relying on all kinds of software systems to address their unique business challenges. While these systems help organizations by providing their expected value, they introduce a security challenge where users have to manage their passwords for each system separately.

Having a lot of passwords causes all sorts of problems, including increased customer support tickets to reset passwords, degraded user experience when logging into each system separately, and management challenges for corporate users if they have to be added or removed from multiple systems in the organization.

This is where [single sign-on (SSO)](https://encyclopedia.kaspersky.com/glossary/single-sign-on-sso/) comes to the rescue. SSO enables you to delegate the users' account creation and management to a central authentication server. Instead of separately managing a username and password for each application in your organization, your applications delegate the authentication to a trusted SSO server.

In this tutorial, you'll learn what benefits SSO brings to the table. You'll learn how to delegate access from a self-hosted [Nextcloud](https://nextcloud.com/about/) service to
[ZITADEL](https://zitadel.com/) as an SSO provider utilizing the [OpenID Connect (OIDC)](https://openid.net/connect/) protocol.

## Key Benefits of SSO

SSO is beneficial because it provides a better user experience. For instance, SSO makes it seamless for the user to access multiple systems smoothly and quickly without being interrupted by password logins. A side effect of this benefit is an increased software adoption rate, as onboarding any new software application will be a matter of integrating it with the SSO server.

In addition, password reset tickets are a [significant support cost](https://bioconnect.com/2021/12/08/are-password-resets-costing-your-company/).
By reducing the number of systems that require separate passwords, you'll decrease the number of password reset tickets (which, in turn, reduces cost).

SSO also provides higher security. Storing user accounts and passwords centrally enables you to harden them in one place—the SSO server. Moreover, you'll be able to easily revoke or grant users access by managing them from a single system rather than multiple scattered systems.

This is why you'll see SSO being widely used both internally on corporations and externally on software-as-a-service (SaaS) systems like [Slack](https://slack.com) (which uses Google as an SSO provider).

## How to Integrate ZITADEL SSO OIDC with Self-Hosted Nextcloud

Now that you know what SSO is and why you would want to use it, it's time to implement it using ZITADEL and the Nextcloud self-hosted service. The final architecture will look like this:

<div className="dark:hidden">
  <img
    src="/blog/2022-12-08-zitadel-as-sso-provider-for-selfhosting-01-light.png"
    alt="Final architecture courtesy of Mohammed Osman"
  ></img>
</div>
<div className="hidden dark:block">
  <img
    src="/blog/2022-12-08-zitadel-as-sso-provider-for-selfhosting-01-dark.png"
    alt="Final architecture courtesy of Mohammed Osman"
  ></img>
</div>

There are two major stages in this tutorial: creating a ZITADEL account and configuring Nextcloud as an OIDC client, and then creating a self-hosted Nextcloud container and integrating that into ZITADEL.

## Create a ZITADEL Account and Configure Nextcloud as an OIDC Client

To begin, you’ll need to set up your self-hosted ZITADEL instance. Fortunately, you can do this easily using Docker.

To begin, use [ZITADEL's Docker Compose guide](/docs/guides/deploy/compose) to set up Docker. During the set up, you should receive another email from ZITADEL. Open the email and click **Finish Initialization**. You'll receive a prompt to create a new password for your ZITADEL instance. Create it and then select **Next**.

> **Please note:** The password you created earlier differs from the password you just created. The password you specified earlier in this tutorial is for the ZITADEL customer portal, and the password you just created here is for the ZITADEL instance.

Select **Skip** to skip creating multifactor authentication and navigate back to the instance overview page.

In the instance UI console, click on the **Projects** tab. Then click **Create New Project** to set up a new OIDC provider:

![Projects menu](/blog/2022-12-08-zitadel-as-sso-provider-for-selfhosting-01.png)

Give your project a name (here, it's "my-first-zitadel-project") and click **Continue**. ZITADEL will now create your project and redirect you to the project settings page.

After you've created your ZITADEL project, you'll need to create an OIDC client app for the Nextcloud app you'll create later. In ZITADEL, an application represents a software that initiates the authorization flow, such as web and mobile apps. To start, click **New** to create a new application and fill in your application details. Here, the name is "cloud-next-app", and the application type is "Web" since Nextcloud runs as a web application.

Once filled out, select **Continue**. You'll be prompted to choose an authentication method: select **CODE**. PKCE is recommended for mobile and static clients. Then select **Continue**.

Now you need to define the redirect URLs for the Nextcloud application (which you'll configure later).

For **Redirect URIs**, put `<http://localhost:6060/apps/sociallogin/custom_oidc/ZITADEL>` and select **+**. For **Post Logout URIs**, put `<http://localhost:6060/>`; then hit **+** > **Continue**. You should see a confirmation screen with your options. Review them and click **Create**:

![Project settings confirmation](/blog/2022-12-08-zitadel-as-sso-provider-for-selfhosting-02.png)

At this point, you'll be presented with a **ClientId** and **ClientSecret**. Please take note of them as you'll need them later:

![ClientId and ClientSecret](/blog/2022-12-08-zitadel-as-sso-provider-for-selfhosting-03.png)

Once noted, select **Close** and then **Redirect Settings** on the left-hand side of your screen.

Since you'll deploy Nextcloud locally on a [Docker](https://www.docker.com/) container without HTTPS, you need to indicate to ZITADEL that this configuration is meant for development mode. Enable the **Development Mode** and click **Save**:

![Enable **Development Mode**](/blog/2022-12-08-zitadel-as-sso-provider-for-selfhosting-04.png)

> ** Please note:** In a real production scenario, you should not use this. Your application should be hosted using HTTPS.

In the final step of this stage, you need to copy the base address of your ZITADEL
instance. This address will be used by the OIDC client (Nextcloud, in
this case) to perform the authentication.

Click **Urls** on the left of the current page and take note of the **authServiceUrl**. In this instance, it's `https://my-first-zitadel-instance-l8ehm3.zitadel.cloud`.

At this point, you've successfully set up ZITADEL as your OIDC server.

### Create a Self-Hosted Nextcloud Container and Integrate to ZITADEL

In order to create a self-hosted Nextcloud container and integrate it with ZITADEL, you need to install Nextcloud as a hosted Docker container and set up your admin user.

To do this, go to [**Get Docker**](https://docs.docker.com/get-docker/) to download and install Docker according to your current operating system. Please refer to the official [Docker documentation](https://www.docker.com/get-started/) for more information. If you already have Docker installed, you can skip this step.

> ** Please note:** In a real production scenario, you'll host the Nextcloud container in a cloud provider, [Kubernetes](https://kubernetes.io/) cluster, or any production-grade deployment.

In the command terminal, type `docker run -d -p 6060:80 nextcloud` to download and run the Nextcloud Docker image. This will map port 6060 in your computer to port 80 Nextcloud Docker container, where the web application runs.

In the command terminal, type `docker container ls` to verify that the Docker container is running. You should see something like this:

![Nextcloud Docker container running](/blog/2022-12-08-zitadel-as-sso-provider-for-selfhosting-05.png)

Open a browser window and navigate to [http://localhost:6060/](http://localhost:6060/) to access Nextcloud. Since this is a first-time setup, you need to create an admin username and password. Fill out these details and scroll down and click **Install**. Nextcloud will take a few seconds to prepare your application.

You should receive a prompt asking if you want to add some recommended apps to Nextcloud. Go ahead and click **Cancel**. Then an introductory splash window to Nextcloud will pop up. Close it by clicking **X** at the top right inside the browser window. Then you should see the Nextcloud dashboard.

Since an OIDC login isn't available by default in Nextcloud, you need to add an app to your self-hosted Nextcloud service in order to enable it. You can think of apps in Nextcloud similar to extensions in Chrome since they add additional functionalities to your application.

Click the icon in the top-right corner of your dashboard and then click **+ Apps**:

![Access apps in Nextcloud](/blog/2022-12-08-zitadel-as-sso-provider-for-selfhosting-06.png)

In the left menu, click **Social & communication** to find apps in that category. From there, search for an app called Social login, click **Download**, and then click **Enable**. In a few seconds, this action installs the Social login app in your Nextcloud self-hosted instance and enables Nextcloud to log in via OIDC.

Click on the top-right icon in the dashboard and then click **Settings**.

On the left of the screen, you should see a **Social login** tab under the **Administration section**. This means that the Social login app was successfully installed to your Nextcloud instance:

![Social login app added](/blog/2022-12-08-zitadel-as-sso-provider-for-selfhosting-07.jpg.jpg)

After you've added the **Social login** application to your Nextcloud instance, it's time to configure it to use ZITADEL as an OIDC provider. Click on **Social login**; then next to **Custom OpenID Connect**, click the **+** sign. This will enable you to add a custom OIDC provider (which, in this case, is ZITADEL).

Fill in the following details and leave any unmentioned field as it is:

- **Internal name:** This is the internal provider's name within Nextcloud, and it's not visible externally (in this example, ZITADEL was used).
- **Title:** This is the provider name exposed externally during the login process (again, ZITADEL was used).
- **Authorize url:** This represents the authorization endpoint URL. It consists of the ZITADEL instance URL you noted earlier with `/oauth/v2/authorize` (`https://my-first-zitadel-instance-l8ehm3.zitadel.cloud/oauth/v2/authorize`).
- **Token url:** This represents the token endpoint URL. It consists of the ZITADEL instance URL you noted with the `/oauth/v2/token` (here, it's `https://my-first-zitadel-instance-l8ehm3.zitadel.cloud/oauth/v2/token`).
- **Client Id:** This is the OIDC client ID you noted previously.
- **Client Secret:** This is the OIDC client secret you also noted earlier.
- **Scope:** Type "openid" to indicate that it is an OIDC protocol.
- **Default group:** Select **admin**. This means that the authenticated user from ZITADEL will have admin permissions. In a real-world scenario, you'd assign the authenticated users less powerful permission.

![Sample OIDC settings](/blog/2022-12-08-zitadel-as-sso-provider-for-selfhosting-08.jpg.jpg)

Then hit **Save**.

After configuring ZITADEL as an OIDC provider, it's time to test it. In the Nextcloud dashboard, click the icon in the top-right corner and then click **Log out** to log out from the current admin user session, and you'll be automatically redirected to the login page.

You should now see a new button that says **Log in with ZITADEL**. Click on it and enter the ZITADEL login name you noted previously; then click **Next**.

Next, enter the ZITADEL instance password (not the customer portal password) and click **Next**. ZITADEL should redirect you to the Nextcloud dashboard.

Congratulations! You've managed to access your self-hosted Nextcloud instance using ZITADEL as an OIDC provider.

## Conclusion

In this tutorial, you learned what an SSO is and how it benefits businesses by improving user experience, reducing costs, and contributing to IT security. You also learned how to set up your self-hosted ZITADEL instance as an OIDC provider. Then, you learned how to set up a Nextcloud self-hosted instance, and you delegated its access to ZITADEL.

[ZITADEL](/) is an open source identity management platform that provides you with a wide range of features like OpenID Connect, SAML 2.0, OAuth 2, FIDO2, OTP, and an unlimited audit trail. With ZITADEL, you can solve all your authentication and authorization needs. Check out our repo and give us a [GitHub star](https://github.com/zitadel/zitadel). We appreciate the feedback.

_This article was contributed by [Mohammed Osman](https://portal.draft.dev/writers/recvOT7Hsq96gfwnR)._


In this tutorial, you'll learn what benefits SSO brings to the table. You'll learn how to delegate access from a self-hosted Nextcloud service to ZITADEL as an SSO provider

Use ZITADEL as SSO provider for self-hosting


Delegated access management lets you offer increased flexibility over the services you provide. 
In this self-service model, your clients can grant rights to their users independently of your interaction, benefiting them and you.

Allowing business customers to handle role management themselves lets them work faster with less of your support. They don't need you to approve individual users on their behalf.

However, granting access is complex, and delegating it needs to be done safely. There are all kinds of pitfalls to worry about if you attempt to do it yourself. Bringing in external expertise is one way to ensure you get it right. In this guide, you'll learn how to simplify delegated access management and self-service.

## Why You Need Delegated Access Management and Self-Service

Delegating access management and providing self-service to your clients can help you in several situations. For example, often, you need highly granular role management, with permissions granted for specific projects and specific types of action. If you're working with staff in another organization, you can't easily manage this yourself.

If that organization has to go through your company every time it wants to change someone’s role or the data they have access to, it will take them time and slow their onboarding procedures, ultimately making working with you less attractive.

Delegating access management also helps mitigate insider threats. Farming out permissions may seem like a security risk, but you're really reducing the number of people that deal with any particular set of permissions. In addition, you're giving control to those that use them.

By reducing the amount of communication and the number of people involved, there's less chance for someone to leak information or act maliciously. And as your client base increases, so does the amount of admin involved in communication. The more you can automate or pass off to your clients, the better.

## How to Simplify Delegated Access Management and Self-Service with ZITADEL

There are several things to think about, when implementing delegated access management and providing self-service capabilities to your users, including roles and permissions, delegated role management, and service consolidation. 

ZITADEL allows you to do all of this and more, handling most of the heavy lifting for you. It makes delegated access management and self service simple. Its APIs integrate with your business processes letting you automate your clients services.

Let's take a more in-depth look at how it can help you:

### Roles and Permissions

There are many types of permission users need. In addition to viewing files or other resources, users may be allowed to create or edit documents or delete files. Furthermore, some users are allowed to grant these permissions to others. Any of these permissions can be limited to specific resource sets. 

To reduce complexity, permissions are often grouped into roles. Roles are a means of managing user access rights and usually come with a default set of permissions. Instead of figuring out exactly which permissions to give an individual, you can grant them a role instead. Your apps then associate permissions with roles, rather than individuals.
Authorizations state which users have which roles and are often referred to as user grants.



Though users are typically human, they can also include machine agents, known as service users. For example, if you use a service to sync databases, the service might access databases on another domain by logging in as a service user.

[ZITADEL](https://zitadel.com/docs/guides/manage/console/projects#grant-a-project) lets you grant selected roles to an organization. The organization can then create authorizations for its users independently, and this is referred to as self-service.

### Delegated Role Management

Delegating role management means you grant another group permission to assign or change roles. You don't need to grant all the permissions you have, but a limited selection allows you to create hierarchical relationships that don't require your involvement to administer.

A simple example of this role delegation would be in blogging software. Everyone has permission to view the blog. Editors get permission to make changes and grant rights to writers. Writers have permission to edit the documents they are assigned by the editors.

In this setup, there's no need to directly set people's individual permissions; you just assign them a role, and everything is taken care of by the software. Without roles, you’d have to select the specific actions available to each staff member.

However, if you're hosting blogging software for someone else, you need to provide them with permission to hand the roles to users. That could look something like the following:

<div className="dark:hidden">
  <img src="/blog/2022-11-24-delegated-access-management-and-self-service-01-light.png" alt="Image showing the relationship between the host company and blogging team, which gets delegated rights to grant users blog access courtesy of James Konik"></img>
</div>
<div className="hidden dark:block">
  <img src="/blog/2022-11-24-delegated-access-management-and-self-service-01-dark.png" alt="Image showing the relationship between the host company and blogging team, which gets delegated rights to grant users blog access courtesy of James Konik"></img>
</div>

Here, your client is granted rights to assign user roles and can create as many users as they like without having to go through you. You can grant whatever rights you want, granting more or less control depending on your use case.

### Managing Access Providers

There are many services providing authorization and authentication services. It can be hard to manage them all. With ZITADEL, you can enable and configure different services for each organization you work with.

With ZITADEL, you can implement [Auth0](https://auth0.com), [OmniAuth](/docs/guides/integrate/services/gitlab-self-hosted), and other kinds of access methods, such as [Keycloak](https://www.keycloak.org), [Azure Active Directory (Azure AD)](https://azure.microsoft.com/en-us/services/active-directory/), and Google through a single self-service platform.

You can enable single sign-on (SSO), too. SSO lets you access multiple services using a single login. ZITADEL lets you use protocols like [OpenID Connect](https://openid.net/connect/) to provide this functionality.

These options make ZITADEL an ideal way to bring your own identity (BYOI) capabilities to your customers. Combining service consolidation with delegate access management like ZITADEL ensures that your users have the flexibility they need when setting up their organization access rules.

Going through ZITADEL takes away the difficulty of managing multiple services, and the consistent interface means your users don't have to figure out all the different login types.

### Branding and Experience Customization

When dealing with [relationships between multiple organizations](/docs/guides/solution-scenarios/b2b), you need to decide how logins are handled. Do you use a default login screen or redirect users to one with a specific organization's branding?

With ZITADEL, you can configure these relationships on a case-by-case basis for different roles and companies. You can also easily create branding and add logos for each client. And of course, you can adjust it all without having to redevelop your site.

ZITADEL's [multi-tenancy support](/usecases) means you can sell your services to different companies and deliver the specific features they need. These can be tailored to their needs and perhaps support different service tiers that you offer.

As well as branding, different organizations can then use different rules, such as their password policies and multi-authentication requirements. It's easy to customize these using a centralized service provider.

### Benefits of Experience

Without experience in security, it's hard to keep up with the ever-changing technical and regulatory requirements. Given how risky mistakes are, it makes sense to bring in outside help.

Implementing delegated access management and self service is complex. When developing such services, it's easy to overlook this complexity. Many services implement authorization and authentication themselves, but as the scope widens to include delegated access management, this becomes an increasingly bad idea.

For nonspecialists, the chances of making a mistake are significant. The investment and maintenance requirements are also high and easy to underestimate.

By using an experienced service provider to handle these areas, you can focus on business logic and deliver a better product.

### Security Dangers

Small mistakes in authentication and authorization services can have dire consequences. Access control, identification, and authentication are all prominent in the [Open Web Application Security Project (OWASP)](https://owasp.org/www-project-top-ten/) top ten security risks. Hackers are getting ever more sophisticated, and a successful attack can be catastrophic for a business on the receiving end.

To try and prevent attacks as well as develop a secure system in the first place, you have to continually update it as new threats emerge.

You also have to deal with the evolution of your wider platform. Every time you add or change a feature, you risk undermining your existing security measures and opening up a vector of attack.

Using an external service to provide authentication and authorization means you have dedicated experts continually updating their platform to deal with the latest vulnerabilities.

Plugging into a mature system via an API lets you deliver an up-to-date, secure service without the need for continual development investment.

And there are even more issues to think about, including setting up security policies, limiting the impact of [DDoS attacks](https://www.geeksforgeeks.org/what-is-ddos-mitigation/), and configuring the various types of encryption needed to authenticate users. None of these are easy to do.

With authentication and authorization handled for you, your developers are free to focus on your core product. You can concentrate on providing features and evolving your own platform without the added overhead of providing auth to external organizations.

### Scaling

Scaling can create issues, as additional users and support for new platforms put your infrastructure under pressure. ZITADEL supports unlimited users and projects, meaning it won't become a bottleneck.

Simplifying your services through delegated access management means you can use specialized tools to handle authorization and authentication, and these dedicated services can be chosen with scaling in mind.

They also prevent your codebase from getting out of hand as the range of clients, roles, and permissions you handle grows. Carefully partitioning it into a separate service keeps yours leaner and easy to work with.

### Additional Features

Login policies are another way to give your clients control. These can be easily defined from ZITADEL's console. Login policies allow you to set authentication methods for your users and can be changed as your clients' needs evolve. They can do that without having to make code changes. You can also do this on an organizational level. For example, a SaaS provider can set different policies.

You can learn more about ZITADEL's feature set [on its website](/features).

## Conclusion

Access management is a complex topic. Managing permissions and granting access to the right people are enough of a challenge, but the changing security landscape and ever-increasing feature sets make it even harder to keep up.

Fortunately, there are alternatives to doing everything yourself. With the right support, you can provide your clients with self-service capability. In return, they get a wide range of features along with cutting-edge security. They also reduce their costs, letting them focus on what they do best.

[ZITADEL](/) is an open source identity management platform that provides you with a wide range of features like OpenID Connect, SAML 2.0, OAuth 2, FIDO2, OTP, and an unlimited audit trail. With ZITADEL, you can solve all your authentication and authorization needs. Check out our repo and give us a [GitHub star](https://github.com/zitadel/zitadel). We appreciate the feedback.

*This article was contributed by [James Konik](https://portal.draft.dev/writers/recYmhitHbB1gDQDA).*

Granting access is complex, and delegating it needs to be done safely. In this guide, you'll learn how to simplify delegated access management and self-service.

Simplify Delegated Access Management and Self-Service

When building a software program, the **technique of user authentication** is one of the crucial elements that developers must consider. Given the growing inclination of end users to validate their identity via an existing social account, it is unsurprising that an **increasing number of applications are incorporating the social login authentication** mechanism. However, since the preferred social network likely differs from user to user, and SSO provider likely differs from company to company, it is crucial for the app in question to **provide a broad selection of identity providers and authentication methods**. Unfortunately, doing so usually implies that the provider must individually integrate and manage every integration and contract, several times over.

Integrating multiple Identity Providers directly within your applications is **complex to maintain, time-consuming to set up, and hinders single sign-on of users** – In other words, **it does not scale**. Luckily, this problem can be easily solved with the help of an **Identity Broker**.

This article tackles the definition of an identity broker and what identity brokering looks like in practice.

## What does an Identity Broker do?

The term Identity Broker (IB) describes a web application that **facilitates authentication between service providers and their configured Identity Providers**.  By acting as a trusted intermediary service, an IB connects projects with different identity providers, so that **developers do not have to bother with integrating them individually** into their apps. With the help of its centralized way of managing identities, end-users have the option to create a new account by **using the identity data acquired from several identity sources** (such as Google, Facebook, Twitter, etc.). An IB may also allow you to link multiple external identity providers to one user account. Thus, the implementation of social logins, other alternate authentication methods and the configuration of individual login policies are made easier than ever.

It is common for organizations to integrate their applications with a **cloud-based identity management platform** (such as ZITADEL), which can broker to many different identity providers out of the box, usually based on protocols such as [SAML, OIDC](https://zitadel.com/blog/saml-vs-oidc) and OAuth. By relying on the identity provided by such pre-configured services, you have ensured a **robust trust anchor** for all your applications and devices.

## Identity Brokering in Practice

With the theory out of the way, it is useful to see how identity brokering functions in practice.

Identity Brokering is generally used in both **Business-to-Customer (B2C, CIAM) and Business-to-Business (B2B)** use cases. For B2C businesses it is vital for vendors to **offer different social identity providers, authentication methods and login policies** to best fit the needs of their end-users. Vendors of B2B software may need to provide enterprise SSO by allowing login with the customer’s identity provider (eg, Azure AD) and tailor security policies to fit their customer’s requirements. 

Alternatively, Identity Brokering can be used in **Government-to-Business (G2B) as well as Government-to-Citizen (G2C) cases**. The principle in these cases is the same as in the Business-to-X context, the **role of the business is simply replaced with a government institution/agency** (such as banks, legislatures, etc.). For instance, Australian users with a registered MyGovID may use this identity to access a range of government online services (such as student and health data portals), instead of having to rely on usernames and passwords.

Regardless of the use case, the process of identity brokering follows the same simple steps. As an example, let us imagine **an organization called “Gladix” that uses ZITADEL as a broker**:



![](/blog/2022-09-10-ib-01.png)

The application of Gladix has Google pre-configured as an identity provider. Accordingly, their end-users will get the **option to link their existing or new ZITADEL account with their Google account** by clicking on the “Google” symbol on ZITADEL’s login screen. Upon doing so, ZITADEL will **redirect the end-user to the login screen of Google** where they must authenticate themselves and then, if successful, they are directed back to the previous page. Following this authorization, the **end-user will be able to login into ZITADEL, and subsequently Gladix’s application, by using their Google identity**.

Integrating multiple Identity Providers directly within applications is complex to maintain, time-consuming to set up, and hinders single sign-on of users. Luckily, this problem can be easily solved with the help of an Identity Broker.

What is an Identity Broker? - Everything you need to know 

If you have ever been uncertain whether a word is spelled correctly, a feature that automatically detects typos can be a lifesaver. Whereas a seemingly innocent spell-checking tool might not raise any red flags, **convenience and confidentiality are regrettably not always compatible online**.

This unpleasant side of spellchecking tools was exposed by a **recent incident involving Google Chrome and Microsoft Edge**. Both browsers’ enhanced spell-check features **send any data that is entered into form fields to Google and Microsoft**. Accordingly, the exposed information might include your **name, phone number, address and even your password**.

This article explains the privacy shortcomings of Chrome’s Enhanced Spellcheck and Edge’s MS Editor and what you can do to keep your data safe.

## The risks of these tools

You may already be familiar with Chrome and Edge's basic spell-checking tools, which are enabled by default and often go unnoticed by users. Luckily, **these built-in tools are nothing to worry about**. However, **both browsers offer "enhanced" spell-checking alternatives** that can identify misspelled words more accurately, thanks to the significantly higher amount of data they have at their disposal. While this statement about the tool’s higher accuracy may be true, it does beg the question of **where all this additional data comes from**. The answer is simple: from **everyone who has Enhanced Spellcheck, or MS Editor enabled**.

By enabling these features, **you simultaneously authorize the browsers to transmit the information you enter into form fields to their respective companies** (Google and Microsoft). Although this transmission of your data is a well-intended function of these tools, it still raises concerns about the fate of the forwarded information and how safe this practice is.

These worries were proven legitimate when [Otto Javascript Security (otto-js)](https://www.otto-js.com/news/article/chrome-and-edge-enhanced-spellcheck-features-expose-pii-even-your-passwords) recently exposed the concerning extent of information these spell-check functions extract from their users: The tools have the **potential to reveal personally identifiable information (PII)** from some of the most popular platforms and applications (such as Office 365, Google Cloud and Alibaba). Therefore, this phenomenon, often called **spelljacking**, **offers a severe security risk to your sacred data**, including your full name, date of birth, social security number, payment details, and passwords.

## How to protect your data

While a person exposing your data without your consent is frightening, **luckily, there are some measures you can take to protect yourself from spelljacking**.

### Disable Enhanced Spellcheck and MS Editor

While a specialized spellchecker is a handy tool for writing all kinds of texts, **given the security flaws discovered in Enhanced Spellcheck and MS Editor, it is** **recommended to use an alternative instead**, at least until the developers figure out a way to address these issues.

Thus, one of the most obvious ways to protect yourself from having your personal information sent to Microsoft and Google is to **disable the Enhanced Spellchecker**. Luckily, this is an effortless procedure that can be done via Chrome’s settings. Simply navigate to chrome://settings/syncSetup and uncheck the box labeled “Enhanced Spellcheck.”

![](/blog/2022-10-10-enhanced-spellcheck-01.gif)

**Uninstalling MS Editor on Microsoft Edge is equally simple**. By navigating to the [tool’s page on Edge-Add-Ons](https://microsoftedge.microsoft.com/addons/detail/microsofteditor-rechtsc/hokifickgkhplphjiodbggjmoafhignh), you can easily remove it by clicking on the blue button next to its name.

## Use passwordless login methods to protect your account

The most foolproof way of protecting your password is simply not having one. Accordingly, it is strongly advised to **confirm your identity via a passwordless method** (such as Biometrics, a physical token, or a One-time-password) whenever a platform allows you to do so. While this measure alone does not keep the enhanced spell-checking tools from transmitting all the other information you enter into form fields, at least your account remains safe from unwanted access.

Whereas a seemingly innocent spellchecker might not raise any red flags, convenience and confidentiality are regrettably not always compatible online. This article explains the privacy shortcomings of Chrome’s Enhanced Spellcheck and Edge’s MS Editor and what you can do to keep your data safe.

Your Spellchecker Might Have Leaked Your Passwords

*“In what city were you born? What was your first job? Where did you meet your spouse?”* Every person who has an online account to use services or apps **has inevitably had to come up with answers to security questions**.

![](/blog/2022-09-29-security-questions-01.gif)

In theory, they seem to be a great invention: Before you request a new password for your account, the platform must **confirm your identity by asking you to recall the answer to a confidential question you have configured upon registration**. There is, however, a significant hole in the logic of this security measure: Generally, the questions are **ridiculously shallow**.

Obviously, you know your mother’s maiden name - but so do your family members, friends, old teachers, ex-partners, and even the staff at your birth hospital. This ironic genericness of these supposedly confidential security questions prompts a reasonable thought: If a **random word or name used as a password already takes hackers less than a minute to guess**, what does that tell us about the safety of a **keyword that is not even random, but a direct answer to a simply searchable question**?

This article discusses the **shortcomings of security questions as a protection measure and what you can do to make them stronger**.  

## The risks of security questions

If you have ever heard of the **dangers of simple and reused passwords**, you might find that common security questions pose a threat for eerily similar reasons: Sometimes, **one lucky guess is all it takes for your data to fall into the wrong hands**. Upon gaining access to your account, the criminal is free to **exploit your sensitive information in any way they see fit**: Whether the attacker intends to commit identity theft, obtain your payment information, or hijack your account, any attack on your account could lead to devastating consequences.

In the following few paragraphs, we elaborate on the most important reasons why these questions are deemed unfit for protecting your data.

### Easy to guess

One of the most common criticisms security questions face is the false promise that they inquire about confidential information. In reality, they are nothing short of **vague and generic facts** that are even likely to be **identical amongst multiple users**.

According to research by Google, just a **single estimate could accurately predict an English-speaking user’s favorite** **food** with 20% accuracy. Similarly easy to deduce are the parents' middle names of Spanish-speaking users and the cities of birth of Korean users. Furthermore, the rates of accurate guesses **increase significantly for questions with only a few plausible answers**, such as “who is your favorite superhero” or “what is your favorite color?”.

At first glance, these probability rates might not seem too alarming, but remember that the previously mentioned statistics only apply to the success rate of a single guess. Accordingly, these numbers **exponentially increase with each additional guess** the platform allows. Ultimately, **most questions can be cracked in [10 attempts or less](https://www.engadget.com/2015-05-25-google-security-question-study.htmlhttps://www.engadget.com/2015-05-25-google-security-question-study.html)**.

### Easy to look up

It might surprise you how much information you can discover about someone by simply **scrolling through their social media profile**; their hometown, old elementary school, pet’s name – all of which are **coincidentally the subjects of the most common security questions**. While a seemingly obvious solution to this problem would be to keep our data private on social networks, unfortunately, inference attacks allow approximating sensitive information from a user’s friends.

Moreover, social media is not the only platform where your information may be accessible: As an example, [at least 30%](https://research.google.com/pubs/pub43783.html) of Texas citizens' mothers' maiden names may be inferred from **public birth and marriage records**.

### Social Engineering

Another common method attackers may use to get a hold of the answers to your security questions is to **simply ask you**. Of course, this manipulative exploitation technique, also known as social engineering, does not involve the criminal literally asking you to give them access to your sacred information: In reality, this process is often **so subtle, that you might not even notice the malicious intent behind the conversation**.

But how is this possible? Simply put, **humans are naturally inclined to trust people** they deem harmless, which is unfortunately a trait ill-wishers can easily use to their advantage. Accordingly, when engaging in casual banter with a nice person you matched with on a dating app, it might not seem out of the ordinary if they ask you where you are from. However, what you do not know is that this **small piece of information might have just been the key the hacker needed** to gain access to your networks and accounts.

Additionally, it is worth mentioning that the malicious method of social engineering is **not limited to the cyber-world** either; evidently, people might be even less vary of a seemingly harmless converation, when the second party is standing right in front of them. 

Whether the attack is carried out within the framework of a face-to-face interaction or online, the conclusion always remains the same: **The victim shares the needed information or exposes themselves to malware.** 

### Obtainable via a data breach

Sometimes, accessing the answer to your security question **does not require a tactical guess or lengthy research**; akin to passwords, phone numbers, and other personal information, security questions can get stolen within the framework of a data breach.

An attacker obtaining your security answers is especially a risky, since **thousands of platforms are known to recycle the same couple questions with little to no variety**. Thus, answering the same questions across multiple social identities may allow attackers to seamlessly access every account with an identical pre-configured query. 

## Making security questions safer

### Fake Answer

A seemingly obvious solution to the searchability issue is simply using a **made-up answer** to your selected security question, **which other people cannot verify**. Whether you want to type out the alphabet as your phone number or give your mother a fake name, **the level of obscurity is yours to pick**.

However, it is worth noting that **this method only works if you can actually remember the fake answer you came up with**. Given that [40%](https://www.securityweek.com/security-questions-dont-offer-much-protection-web-users-may-hope-research) of English-speaking U.S. users could not even recall their truthful question answers on demand, it is safe to assume that **remembering a made-up one would be even less convenient**.

Furthermore, made-up answers sometimes ironically end up being equally easy to guess since **many individuals** **attempt "harden" their responses in a predictable manner**. This phenomenon is primarily a result of individuals being forced to think of a random word on the fly, which usually ends up being **a common term they have frequently heard.** Thus, merely switching from "red" to "blue" as your favorite color will not be worthwhile.

### Honest Answer - With a twist

To reduce the probability of you forgetting a fake answer, you could instead just **add some little tweaks to a genuine one** – similar to what you would do with a weak password. For example, instead of your favorite food simply being “pizza,” it could be “Pizza123!”. While this answer is undoubtedly harder to crack, you must **still make an effort to remember the extra characters you added** to make this protection measure effective.

### Custom question

If the platform allows you to do so, **writing your own security question** can be a viable way to make your account more secure. Provided that the self-written query is less generic than the selectable ones, of course.

To make sure your custom security question fulfills its duty, it is **recommended for them to meet the following five [criteria](https://goodsecurityquestions.com/):**  

* Safe: cannot be guessed or researched
* Stable: does not change over time (f.e. your favorite song)
* Memorable: something you can easily recall
* Simple: is precise, easy, consistent
* Many: has many possible answers

### Ditching security questions completely

Whether you get your account hacked because your question was too simple or you cannot access your own account anymore because you forgot the made-up answer, using security questions is not exactly the pinnacle of user experience. Fortunately, **more and more platforms are starting to realize the flaws of this outdated protection mechanism**.  

While security questions are slowly becoming obsolete, **the concept of secure account recovery is still as crucial as ever**. Hence, more and more superior alternatives are emerging that can replace not only security questions but also knowledge factor-reliant authentication systems (f.e. passwords) altogether. To ensure more robust protection of your account, you might want to **consider using one of the following [passwordless](https://zitadel.com/blog/passwordless) options for authentication or account recovery** whenever they are available:

* **Possession factors:** An object, such as USB Devices (FIDO2-compliant keys), physical tokens, or your smartphone
* **Biometrics:** Physical traits (f.e. Fingerprint scanning or Face-ID) or other characteristics, such as voice recognition
* **One-Time-Passwords:** A code sent via text message or an authentication app

Discussing the shortcomings of security questions as a protection measure and what you can do to make them stronger.

Why Security Questions Are Useless And Unsafe

The words "free Wi-Fi" displayed in public spaces are always welcome additions to the place's core function, regardless of whether it's a restaurant, coffee shop or train station. Even though surfing away free of charge in exchange for just entering a short password or your e-mail address might seem convenient, **this simple accessibility also makes public Wi-Fi networks an ideal target for cybercriminals**. Although there have undoubtedly been reports of ill-wishers leveraging the appeal of free internet, given the fact that millions of people still use public networks, it's a **valid question to ask how likely it is to become a victim**.

This article examines whether public Wi-Fi is as dangerous as it is increasingly portrayed.

![](/blog/2022-09-05-public-wifi-01-01.png)

## The Dangers of Public Wi-Fi

Before we can reasonably determine how much of a threat public Wi-Fi poses, we must first consider the attacks that have been commonly reported in this context. The following paragraph lists **the most common cybercrimes committed by attackers exploiting public networks**.

 

### Snooping

As the name suggests, snooping describes the phenomenon of **a person eavesdropping on your online activity via a public network**. Evidently, snoops these days have appropriated sneakier tactics than simply catching a glimpse of your screen from the other side of the café: Attackers on the network **use special software on their own devices to monitor your private browsing** while using public Wi-Fi.

While letting a snoop know you were reading up on the latest gossip on Taylor Swift might not seem like a huge deal, a genuine issue arises as soon as you **enter any login credentials to a page requesting you to sign in**. By doing so, the attacker doing the snooping can **get a hold of your passwords** and use them to access a multitude of your virtual identities, potentially leading to [Identity Theft](https://zitadel.com/blog/smishing#:~:text=2.%20Identity%20Theft,to%20other%20criminals.). 

### Man-in-the-middle Attacks

The possibility of a Man-in-the-Middle Attack happening is another systematic risk associated with utilizing public Wi-Fi. This term describes the phenomenon of a **third party**, also known as a man-in-the-middle, **intercepting the communication between two systems**.

Picture this scenario as an example: You are sitting in the airport waiting room, patiently waiting for the boarding you begin. While scrolling through Zalando, you find a pair of sneakers that catch your attention and are ready to make a purchase. You sign in and fill out the delivery and payment information as usual. However, little do you know that **a hacker has secretly positioned themselves between you and the online store**, sneakily taking notes of the data only Zalando was meant to receive. Simply as that, not only has the **man-in-the-middle learned about your login credentials**, but also your **address and credit card information**. 

### Evil Twin Attacks

As with man-in-the-middle attacks, "evil twin" attacks occur when **malicious parties create fake access points with names that sound safe or familiar** in the hopes that you would connect to them without batting an eye. For example, the hacker might name their created network “Burger King Free Wifi” to **trick their victims into thinking they are connected to a seemingly trusted entity’s access point**. Unlike the genuine counterpart, however, this “evil twin” is usually designed to **monitor and collect users’ data**, such as their login and banking information.

### Malware and Viruses

One of the most well-known risks generally associated with accessing the internet is the **potential for malware to be downloaded without your knowledge and consent**. Sadly, this vulnerability persists while utilizing public Wi-Fi, much more so than when using a private network.

But how does using a free network result in the installation of a virus? Unfortunately, there are multiple typical methods hackers use to infect your device. In some cases, hackers **exploit vulnerabilities in an operating system or software** within the local network by writing codes specifically targeting these shortcomings. Alternatively, cunning attackers can hack the connection point itself, resulting in a **pop-up window suggesting an update to a well-known software** during the connection process (a.k.a Trojan Virus). Whichever method the criminal chooses, the victim will ultimately suffer the same repercussions: **sensitive data theft, file deletion, and occasionally even device incapacitation**.

### How likely are such attacks?

Although public Wi-Fi networks certainly carry some frightening risks with a lot on the line, it is evident that such attacks aren't guaranteed occurrence. So how likely is it really that one will fall victim to a malicious network?

According to a study by [Kaspersky Security Network](https://securelist.com/research-on-unsecured-wi-fi-networks-across-the-world/76733/), a **quarter of the world's Wi-Fi networks lack encryption or password protection**. This means that any individual near an access point **can easily intercept and store all user traffic and then examine it** for data of interest, making these networks the **easiest target for hackers**.

The remaining three-quarters of the analyzed networks use encryption based on the Wi-Fi Protected Access (WPA) protocol family, which is currently labeled the most secure. However, as we have repeatedly witnessed, nothing in the digital age is ever wholly safe:  As per recent research by [Gao et al.](https://www-users.cse.umn.edu/~fengqian/paper/wifisec_mobicom21.pdf), **standard practices for enhancing Wi-Fi security are not that effective** when confronting today’s sophisticated, mature cybercrime market. According to the study, the majority (55%) of the detected attacks on public networks remain ad injections, which **interestingly were more common on better protected Access Points (AP)**. Furthermore, even if the encryption keys guarding the network seem reliable, there is no assurance that a determined attacker will still not manage to find their way into the system.

To sum it up, while it is unlikely that every public Wi-Fi you will ever connect to will harvest your information, **an attack on the network can happen anywhere and anytime**. So, does this mean you should never use a public network again? Not necessarily. However, it is advised to **follow some simple safety guidelines** to ensure that the criminal does not have the last laugh in the case of an attack.

### Minimizing the Chance of an Attack

If you would like to drastically minimize the likelihood of being hacked while using public Wi-Fi, we recommend taking the following few precautions for your safety.

![](/blog/2022-09-05-public-wifi-02.png)

### Make sure you are on an SSL-certified Website

Another simple practice that can help minimize attacks is ensuring the websites you visit (especially on public WiFi) are SSL-certified. Typically, a **URL beginning with "HTTPS://" and a lock symbol to the left of it will indicate this certification**. While the visible difference between an HTTP and an HTTPS domain is just a single added letter, this slight change has a huge impact when it comes to the safety of a site: In contrast to HTTP, **HTTPS protects your communication by encrypting it between browser and server and utilizing TLS to validate the other end of the transaction**.

While the exclusive usage of sites with properly enforced HTTPS is undoubtedly a step in the right direction, it is worth noting that its protection measure is **not free from exploitable vulnerabilities**. For example, you could still find pictures or scripts from websites not secured by HTTPS, even if you visit an SSL-certified site.

### Use a VPN

Generally, the best course of action when utilizing a public network is to avoid logging onto any platform that stores sensitive information. If you must, however, it is strongly **advised to use a virtual private network (VPN)** to encrypt the traffic, regardless of the type of device you are using.

Virtual Private Network (VPN) software provides **privacy by encrypting all your incoming and outgoing traffic, no matter where you are located and which network you use**. This protection is achieved by the VPN hiding your internet protocol (IP) address from the public. Accordingly, with the help of additional encryption of all data traffic, a VPN router is an optimal way to **prevent third parties from unwantedly accessing private information** shared via a public network.

### Enable MFA or Passwordless Authentication

Even if a hacker manages to obtain your login credentials, **having [Multi-Factor-Authentication (MFA)](https://zitadel.com/features#multifactor) activated on your profile should thwart their attempt to access your account**. By requiring one or more additional login factors (for example, biometrics or a code sent via text message), MFA makes it harder to access a profile with a password only. As a result, you will immediately get notified if someone has attempted to log into one of your virtual identities.

An **even safer alternative to MFA would be enabling [Passwordless Authentication](https://zitadel.com/blog/passwordless)** on any platform that offers this option. Although both methods undoubtedly surpass traditional password-based logins in terms of security, **passwordless systems are even less susceptible to phishing and cyber-attacks** due to their complete waiver of passwords. 

### Further Protection Measures

While using technological safety precautions created to assure the highest level of device security is crucial, we shouldn't undervalue the effectiveness of seemingly obvious but strong alternative solutions. Here are some other measures you can take to protect yourself from the risks of public Wi-Fi:

* **Avoid using networks that are not password-protected** – Even though Wi-Fi codes are generally easy to obtain, unprotected networks are generally an easier target for hackers.
* **When not in use, turn off your WiFi** – Keep your WiFi connection off unless you are actively on your device using the internet.  
* **Refrain from using sites that require you to log in** – Especially ones storing sensitive information, such as your credit card information.
* **Complete renunciation** – While it might sound cliché, it truly is the only method guaranteeing 100% safety from the risks of public networks.  



## In conclusion

While you might not fall over every time you go rollerblading, it is always helpful to wear protection-gear just in case. The same logic is applicable to using public Wi-Fi: **Protection measures such as using VPNs, MFA or passwordless and exclusively visiting SLL-certified websites are designed to minimize the chance of cyberattacks** while using public networks. Considering the evolving techniques of today’s mature cybercrime market, it is better to be safe than sorry.

Although public Wi-Fi networks certainly carry some frightening risks with a lot on the line, it is evident that such attacks aren't guaranteed occurrence. So how likely is it really that one will fall victim to a malicious network?

Security Threats of Public Wi-Fi - Is It Just Fearmongering?

As a result of partaking in a society, we humans are indirectly **confronted with the phenomenon of trust every day**: We trust teachers with educating our children, cooks with making our food, and banks with handling our money. Furthermore, trust is also a fundamental practice in our work lives. When our colleague, Joe, is sitting next to us in the office, we can safely assume that he is indeed himself and a member of our team. Can we, however, **still be this confident in his identity when all we see is his displayed name**? 

Given the ever-growing prevalence of **remote jobs, bring your own device (BYOD), as well as SaaS and cloud-based assets**, the importance of secure and trustworthy authorization and authentication processes has significantly increased. As a new alternative to traditional perimeter security, Zero Trust was developed with this modern digital environment in mind: Instead of defending network segments, it focuses on **safeguarding resources** (assets, services, processes, network accounts, etc.), as the location of the network is no longer considered to be the primary factor in its security posture. Thus, by utilizing a **reliable, verifiable source of identification**, Zero Trust aims to assure that a person is who they say they are.

This article explains the functionality of Zero Trust and its benefits over older security perimeters.

## What is Zero Trust?

Zero Trust describes a **strategic security framework** developed to reorient defenses away from network-based, static perimeters and toward users, assets, and resources. Its core functionality is to **eliminate fraudulent access to network systems by removing implicit trust** granted to accounts based on **superficial user traits such as location or asset ownership**. Simply put, Zero Trust is determined to take security measures **as though hackers have already gained unsolicited access to a network**: Accordingly, there is no such thing as a trusted insider within a specified perimeter anymore, and everyone is potentially guilty until proven innocent. Although this approach might sound harsh in theory, it only means that an AI is **discretely authenticating, authorizing and continuously validating users** or machine accounts before granting access to digital resources in order to eliminate the chance of an impostor on the network.

In addition to its core principle and functionality, Zero Trust's highly advanced security architecture is also attributed to its **numerous supporting technologies**. These include:

* **Multi-Factor Authentication (MFA)**: Ensures with the help of a second login factor (f.e. One-time-password, Biometrics, etc.) that the device is in possession of the intended user.
* **Privilege Access Management (PAM)**: Allows an access restriction to implement "least-access privilege" for every user.
* **Principle of least privilege (PLP)**: Requires secure authentication at every transaction instead of just at the "perimeter," thereby improving login security and preventing lateral movements.

## A passing trend or worth the hype?

As remote and hybrid work is becoming increasingly common, it is unsurprising that **products supporting zero trust are rising in popularity**. While this new security framework was initially considered a luxury feature, it has gradually evolved into a **necessity for businesses of all sizes**. According to [Statista](https://www.statista.com/statistics/1228254/zero-trust-it-model-adoption/), 72% of organizations participating in their 2021 survey **plan to adopt Zero Trust in the future or have already implemented it**. Naturally, this newfound supply originates from a **growing demand for higher security and trust earned through entity verification**: Given the drastic rise in cyberattacks in the 2020s, SME IT professionals ranked "adding layered security so work-from-anywhere is truly secure" as their [top priority for 2021 and 2022](https://jumpcloud.com/blog/zero-trust-benefits-smes). 

Fortunately, implementing Zero Trust has proven to be a valuable decision for countless enterprises: [IBM](https://www.ibm.com/security/data-breach) finds that the **average data breach cost** for organizations without zero trust deployment was USD 1 million higher. Not only is Zero Trust helpful for damage control, but it also significantly decreases the possibility of an attack: With the help of its security automation, breaches could be detected and contained [27% faster](https://www.teramind.co/blog/cost-saving-effect-of-zero-trust/). 

## Enabling Zero Trust with Identity Aware Proxies 

Now that the concept and benefits of Zero Trust have been established, it is essential to mention its core component that makes all the running: The **key element of enabling zero-trust** access is the help of an **Identity-Aware Reverse-Proxy (IARP)**. Not to be confused with IARP are forward Identity-Aware-Proxies (IAP); While the latter sits in front of a client and ensures that no origin server ever connects directly with that specific client, a reverse proxy sits in front of an origin server and makes sure that no client ever communicates directly with that server. 

Identity-Aware Reverse Proxy is a modern, context-aware, and identity-aware authentication and authorization mechanism that replaces the traditional VPN-based access control mechanism: While VPNs use session-based access, IARP permits only per-request application access. Furthermore, in contrast to a VPN, which often grants users access to a large portion of an internal network, a zero trust architecture frequently calls for **creating much smaller network segments** and protecting these with IAPs.Through the **mapping of identities registered with each resource**, IARP **centralized the definition of access policies** and access control for servers as well as applications. Therefore, it **facilitates the implementation of Zero Trust security** and makes gaining **widespread access to several resources considerably more difficult.**

## Zero Trust and ZITADEL

As in Identity and Access Management Platform, ZITADEL's highest priority and most significant promise is to **keep its user's data secure**. To ensure this promised level of protection, the **application has enabled the deployment of Zero Trust access through its support for [Identity Aware Reverse-Proxy](https://zitadel.com/docs/examples/identity-proxy/oauth2-proxy)**. This new architecture was implemented according to the NIST standard: An official guide by the *Computer Security Resource Center*, describing processes for safely migrating to a Zero Trust framework. Accordingly, ZITADEL **regulates access to all applications** and delivers **per-request application access**, regardless of where the users are located, how they are authorized, and what device they use.

To learn more about ZITADEL, visit our [Website](https://zitadel.com/contact). Should you have any questions, feel free to contact us anytime on our [Discord Server](https://zitadel.com/chat). Alternatively, you can reach us on our [Twitter](https://twitter.com/zitadel), [Linkedin](https://www.linkedin.com/company/zitadel/), or [Github](https://github.com/zitadel/zitadel) pages.

Given the ever-growing prevalence of remote jobs, bring your own device (BYOD), as well as SaaS and cloud-based assets, the importance of secure and trustworthy authentication processes has significantly increased. This article explains the functionality of Zero Trust and its benefits over older security perimeters. 

Why Zero Trust is Important


Millions of kids today already possess a digital identity, whether in an online game, social media, or various other platforms and apps. While it might bring them lots of joy to share their thoughts with the world and make friends, **shared information can be misused**. Although younger generations are increasingly taught about online safety, given a child's natural innocence and subsequent naiveté, they might not adequately apply this theoretical knowledge in practice; thus, making them an **interesting target for ill-wishers** intending to **take advantage of their wide-eyed nature**.

![](/blog/2022-07-14-children-01.gif)

As the world is becoming increasingly digital, cybersecurity measures are constantly evolving to provide the highest possible safety to users online. Unfortunately, **it is not only people with good intentions adapting to technological innovations**: Given the numerous tactics of contemporary cybercriminals, such as advanced hacking methods and phishing attempts, an approach to simply limiting a child's digital information for viewing may not be the single best method. Therefore, it is crucial for parents, guardians, and caregivers to **be aware of the risks of possessing a digital identity** and the measures they can take to **protect children's data** without having to give up on the cyber world entirely.

## New digital threats kids are subjected to 

To understand what measures we can take to protect our youngsters, it is essential to be **able to recognize a threat coming their way**. As the number of children owning smartphones and other digital devices gradually increases, it is only consequential that most have at least created one digital identity. Sadly, however, doing so inevitably places a target on their backs: According to the [FBI Internet Crime Center Report](https://www.fbi.gov/news/press-releases/press-releases/fbi-releases-the-internet-crime-complaint-center-2020-internet-crime-report-including-covid-19-scam-statistics), in 2020, the crime against children increased by 144% compared to the previous year. The data show that **eight children per day are facing online exploitation**. Similarly to the US, [Europe’s cybercrime](https://www.europol.europa.eu/media-press/newsroom/news/covid-19-sparks-upward-trend-in-cybercrime) also undewent a significant increase in recent years, including a sharp spike in detection of online child sexual abuse material.

The following chapter lists some of the most prevalent online threats children face today.

### Phishing

The ever-evolving phishing phenomenon has established itself as one of the **most notorious cybercrimes in the last 20 years**. While it takes on various forms (for example, **[Smishing](https://zitadel.com/blog/smishing)**), phishing is generally characterized by an attacker masquerading as a trusted entity to **trick random people into giving away valuable private information**, such as login credentials or credit card information. The criminal usually aims to deceive the victim by sending a message or mail **depicting a situation that is known to grab their attention**, such as a package delivery notification, a purchase confirmation, or a credit card suspension notice; these are mostly tied to an URL the recipient is requested to click on, to follow up on the situation at hand. In some cases, **clicking the provided link can initiate a download process of viruses** or malware, which the cybercriminal can use to access all data and information stored on the victim's device.

While phishing poses a significant threat to people of all ages, due to most children's more minor experience with online scams, they are **far less likely to spot a perpetrator posing as a legitimate institution** or person compared to their older counterparts. Knowing this behavior, numerous **cybercriminals are present on websites, apps, and games with a high percentage of young users**.

**Some of their most common phishing tactics targeting children include:**

- Spreading malware disguised as free games
- Claiming to give away in-game currency of popular games for free (f.e. V-Bucks Generators)
- Assuming the identity of a person or service the child trusts
- Small games designed to collect personal information (f.e. Enter your full name and birth date to find out which Disney princess you are)

### Identity Theft

In the digital age, it is not just material items that can be stolen but also someone's entire identity. Some scammers use the accessed data to **claim the essence of their victim** for various diverging causes apart from stealing money, such as filing phony health insurance claims, committing tax fraud, or even reselling data to other criminals.

The perniciousness of juvenile identity theft is heightened by the fact that **kids often don't receive financial records**, credit card statements, and other correspondences that can alert adults to questionable economic activity. Consequently, the crime may continue for a long time before being discovered.

### Registration and Access Requests

While many people believe that users of digital platforms are only subject to cyber threats once an account is already created and in use, this assumption might not prove entirely true, it is significant to **weed out as many potential risks as possible** during the first stage of a person's online presence: Registration.

Should the child in your care wish to join a platform with a base of registered users, you might want to **read the Terms and Conditions carefully**; not only do they include what user data they will request and utilize, but also what they will be used for. If, for example, a platform entirely unrelated to activities involving your address makes it mandatory for it to be entered, it might be eye-opening to read up on the reason for this request. Furthermore, scammers and predators can **exploit the information entered upon registration** to target unsuspecting children. Accordingly, it is advised to be aware of the site the child is joining and what information and data it aims to gather.

## How can I protect the children in my care?

With the previous chapters explaining the most common digital risks kids (and people in general) are subjected to, this chapter aims to aid guardians in minimizing the chance of their children falling victim to such cybercrimes with the help of some **useful technical measures**.

### Enable Passwordless or MFA

As an enthusiastic six-year-old in the mid-2000s registering to an online platform for the first time, my father advised me to choose a password I could remember effortlessly. Thus I went with “marzipan”; the knowledge factor I would go on to use for each of my accounts for the following three years. However, as the years passed, **password requirements have become increasingly strict**, and accounts merely protected by a simple word such as “marzipan” could be hacked within less than a second. Whereas the normalization of “stronger” passwords has helped safeguard countless user profiles, their usage simultaneously **contradicts the original purpose of knowledge factors being easily recallable**: With this being said, how many six-year-olds would be able to flawlessly remember a password with 18 characters, including numbers, symbols, and majuscules?

To sum up, while the usage of passwords has been the industry standard for decades, the evolution of technical knowledge amongst the public also opened the door for more and more cybercriminals who **take advantage of the simplicity of this authentication method**. As a result, more and more platforms are turning to more secure login alternatives, such as **[Multi-Factor Authentication (MFA)](https://zitadel.com/features#multifactor)** or **[Passwordless](https://zitadel.com/blog/passwordless)**. The former commonly utilizes a passwordless factor (such as Fingerprint, Face ID, or physical tokens) in addition to the regular username-password login method, while the latter provides a single-factor approach that completely substitutes passwords with a passwordless factor. Enabling either of these two methods make it **significantly harder for criminals to hack into the user’s account**, even if they manage to get ahold of the password. Therefore, we strongly recommend people of all ages consider switching to the usage of MFA or passwordless whenever possible.

### Checking the operating system

Since such a number of phishing attacks and digital scams have the motive to install malware on the victim’s devices, it is strongly recommended to double-check the viability and security of your operating system. Optimally, **the system should be updated to its newest version/patch, and the security recommendations** (f.e. Windows Defender) **enabled**. Alterantively, independent antivirus programs serve to **automatically detect malicious applications, websites, and files** that could pose a threat to your device's security.

### Use a VPN

To ensure a safer registration process, make sure the platform the child submits their private information to uses a **verified SSL certificate**: It serves as a confirmation that communication between the browser and the server is encrypted. The possession of this certificate by a website is typically indicated by a **closed lock symbol and a URL prefixed with HTTPS**. Since some platforms are still not equipped with this feature, a trusted VPN service can help hide some information.

**Virtual Private Network (VPN)** software provides **privacy by encrypting all your incoming and outgoing traffic**, no matter where you are located and which network you use. This protection is achieved by the VPN **hiding your internet protocol (IP)** **address**, thus making it nearly impossible for others to track your online activities (including file downloads), so that cybercriminals and other unwanted parties cannot see them.\
\
Using a VPN is especially important when browsing via a **public Internet Connection (WiFi)**. If the person connected to an unsafe network logs into an unencrypted site, other connected users will be able to see what they send and view. With the help of manual encryption of all data traffic, a VPN-router is an optimal way to **prevent third-parties from unwantendly accessing private information** shared via a public network.

### Enable Adblocker and Content Blocker

Anyone who has used the internet before has most likely encountered online advertisements. Unfortunately, some of them have been **designed with a purpose beyond their traditional functionality**: These malicious ads can **gather precious information from the individual viewing them**. To prevent the creators of such advertisements from spying on your children, you have the option to add **ad-blocking extensions** to their browser. Doing so also dramatically reduces the risk of them seeing commercials for highly unsuitable services for minors.

In the unclearly regulated world of the internet, it is not only ads and popups that can lead to involuntary exposure of kids to malicious, unsafe, or inappropriate content. You can ensure that the child in your care is kept safe from such threats by using **content blockers**: expansions designed to **filter out specific types of websites and platforms**. However it is worth noting that this measure comes with the tradeoff of potentially “overblocking” innocent content that has been mistakenly or unnecessarily flagged as inappropriate.

### More privacy best-practices measures that are also still relevant

While it is of great importance that we use programs, apps, and extensions designed to ensure the highest possible protection of our devices, we must **not underestimate the power of teaching privacy and online-safety best practices** either. Those practices seem traditional, as they have been around since the dawn of the digital age, but are still valid to raise awareness regarding issues that can (not yet) be solved technologically. **These include, for example:**

- Advising the child to utilize a username that does not contain personal information (such as real name or birth year) to hinder attempts of identity theft. Alternatively, using “throwaway” email addresses is also an option.
- Teaching them to cover or unplug their webcams when they are not in use
- Show them how to keep their digital profiles limited for viewing and messaging to decrease phishing attempts
- Tell them to share only minimal information online and never to share their phone number  or address with anyone that does not have a valid reason to obtain this information.
- Explain to your children the value of using different passwords (if required) for each account to reduce the impact, if a certain account was breached.

## Knowledge is power

While it is essential that we, as “wise” and responsible adults, do our best to keep the children safe, admittedly, we do not possess the superpower of having our eyes everywhere: Therefore, it is equally important to **show the youngsters how they can look out for themselves** and use the internet safely without supervision. The first step in achieving this goal is to **talk to kids honestly about the risks** that the possession of an online presence can contain - of course, using age-appropriate language. The intention behind this conversation is, therefore, **not to scare them but instead, to teach them that they have the power to protect themselves** by knowing how to recognize suspicious situations. With this skill acquired, children can continue enjoying their favorite online activities and exploring their independence while simultaneously keeping the learned safety measures in the back of their minds.


Given a child's natural innocence, they might not expect an ill-wisher on their favourite online platform. This article discusses the new digital threats kids are subjected to and what adults can do to keep them safe.

Children and Online Security: Protecting the Most Vulnerable


Perhaps no other emerging technological advancements have shaped our society as rapidly as the phenomenon of digitalization. With the possibility of reaching people from around the globe, it is evident that the cyber-world also functions as a globalized melting pot of businesses: Practicing e-commerce allows companies to **heavily expand their customer base, thus going from a local organization to a worldwide supplier**.

A common misconception about digitalization and cloud storage services is that the saved information is just floating around in the cyber-world, independently of physical borders. In reality, however, **the storage, security, and managing of your data is the responsibility of so-called data centers**, housing businesses’ data at nearly 8000 worldwide locations.

Unfortunately, having your crucial data stored at a specific location alone does not automatically equal guaranteed protection: Due to such a large number of data centers, it is no surprise that not all of them are equally capable of fulfilling your organization-specific data-management needs. Therefore, when choosing a region of residency, you must make sure your location of choice **provides an optimal web environment based on your business's requirements and circumstances** and has the potential to **reach your entire audience**. This article will explain the role of data residency and centers in greater detail and list the factors you might want to consider when choosing a center region.

## All about data regionality and centers

AAs the name suggests, data residency describes **in which country or region an organization's data is stored and processed**. With the help of infrastructure providers offering various data regions, organizations using Software as a Service (SaaS) or other cloud deployment services can **store their data in multiple locations**, thus benefiting their teams with **seamless collaboration and their global users with high performance in any country**. Once you have chosen a region (for example, Switzerland), **all your data traffic is sent to a dedicated data center** to ensure it is managed in the selected location.

Since the ability to select data regionality has not been a deciding factor when choosing a service provider for many organizations, numerous contracts are signed for a pre-determined term. Unfortunately, this decision is often made unknowingly of the fact that the selected data regionality can have a significant impact on the fate of businesses: As the lifeblood of the modern global economy, data must be **handled by the right hands to avoid potential breaches, legal and data protection issues, or their complete loss**.

But what is precisely the problem with keeping the default regionality if universally trusted? Absolutely nothing, provided you have reviewed the region and found it fits your organization's needs and circumstances. However, **when it comes to data processing, there is no "one size fits all"**; different businesses tend to have their main customer base, offices, and headquarters at distinct locations. Accordingly, should the default data region be in Australia, whereas the majority of your platform's users are located in the US, they might struggle with high latency, making the quality of service suffer in the process.

**To sum it up, the benefits of choosing the fitting data residency include:**

- Improving the performance and flexibility of your cloud-deployed application/site wherever your customers are located
- Compliance with ever more stringent global and regional data protection regulations
- Seamless collaboration with employees working abroad and enhanced workforce mobility
- Better availability and disaster recovery options
- Facilitated access to public cloud operators

## Choosing the right data region for your company

Now that it has been elaborated upon why choosing the right data region is crucial, it is worth discussing what factors should be considered when making the decision in question. In addition to location and security, the compliance and availabilty of a future technology partner should be carefully evaluated.

### 1. Location

One of the most significant elements to consider when picking a data region is the physical location. Since the geographical position of a data center directly impacts **several other vital factors in the colocation process**, it is worth carefully looking into the attributes of the available regionalities. If your service provider offers a variety of possibilities covering several continents, the key is to **look at traffic patterns on your network to determine high-demand areas** that could benefit from more coverage. For example, if most of your customers or users reside in western Europe, choosing that data region would ensure low latency for your primary audience when using your platform. This proximity to your platform's users, alias the most common locations from which it is accessed, can be retrieved from various analytical tools, such as Google Analytics.

Another location-related attribute you might want to consider is your **business's residence(es)**; should your IT team need to examine the center or perform maintenance or updates in person, it is advised that it is located within an easily reachable distance.
Obviously this depends on your business's delivery model and the increasingly rare occasions, e.g. in highly regulated or sensitive industries, where businesses operate their own infrastructure.  
Furthermore, **your staff will benefit from low latency** if their data is stored and processed close to their office.

### 2. Security

Another crucial factor when choosing data residency is the **strength of the center's security system**. For an institution responsible for handling all your company's data and apps, a **breach might prove disastrous**. This fact is especially noteworthy since data centers are still a prime target for cybercriminals. For example, in 2019, six of [CyrusOne's](https://www.zdnet.com/article/ransomware-attack-hits-major-us-data-center-provider/) managed service clients, primarily located in their New York data center, have **suffered availability concerns due to a ransomware program encrypting specific devices** in their network. Therefore, it is strongly advised that the centers of choice use the latest security features and protection software.

Furthermore, besides using high-profile Software and technology to safeguard your assets, data centers should have **robust overall security**. Adequate protective equipment of both virtual and physical nature will not only keep your data safe from cybercriminals but also real-life ones.

### 3. Availability

Within the field of data centers, **availability is measured by the host's uptime**: The percentage of time your platform is up and running, alias functional. According to [Hostingadvice](<https://www.hostingadvice.com/how-to/uptime-guarantees/#:~:text=It's%20generally%20understood%20that%2099.9,and%20up)%20is%20the%20ideal.>), **99.9% uptime is a hosting industry standard**, whereas five nines or better (99.999% and up) is the ideal.
The required redundancy to guarantee the availability of a single location is typically achieved by running three physically separated data centers within the same region.

In the case of a **multi-region** application, such as ZITADEL, your data is **automatically protected against a region-failure**, regardless of the specific residency you have chosen. Accordingly, should your region of choice suffer from complications, traffic will be redirected to other locations (if permitted by the user's data location preference). This degree of redundancy is however not available within single region and single availability zone applications.

### 4. Compliance

Data compliance refers to the process of adhering to numerous requirements and standards to **ensure the integrity and availability of regulated data and sensitive data**, thus protecting them from unauthorized use. There are a plethora of industry-specific and location-specific standards governing data security and privacy; one of the most well-known ones is the European Union's General Data Protection Regulation (GDPR), which **specifies how businesses should handle the personal data of any of their customers** who reside in the European Union. Accordingly, every organization with customers in the European Union is subject to GDPR, with severe consequences of non-compliance that can put your company's long-term viability in peril.
Moreover, not only the location of the data center, but also the residency of the infrastructure provider needs to be considered for data compliance.

### 5. Cost

The **cost for storage and compute can vary greatly between different regions** and countries.
Some regions for cloud storage might be up to 75% more costly than other regions due to various factors that drive the cost to operate and maintain the required level of service and security within that that region.
Balancing the previous mentioned factors with the cost of operating in a specific region is a key challenge for companies.

## New: Data redirection based on your customers' locations

At ZITADEL, we firmly believe that **a fitting data residence should be an asset and not a liability**. The SaaS (public cloud service) solution of our identity and access management platform pledges provides the highest possible protection of our user's data; this includes supplying housing options that are true to our security and performance standards.

As of Version 2, ZITADEL will start by offering **three data regionality options** to choose from:

- Switzerland
- Global
- GDPR-compliant regions

These options, however, include more than what meets the eye. To facilitate our customers' decision in choosing the right data center, our "Global" and "GDPR-compliant" options **automatically select three housing regions based on the locality of end-users**. In the case of the former option, this can include any country that fulfills ZITADEL's privacy requirements, while the latter works in a near-identical fashion, with the region pool only including [GDPR-compliant regions](https://reciprocity.com/resources/what-countries-are-covered-by-gdpr/#:~:text=The%20GDPR%20covers%20all%20the,Slovenia%2C%20Spain%2C%20and%20Sweden.).

Not only does the automatic redirection of your data save you a tremendous amount of time and effort by not having to research the residence of your customers and the attributes of various regions, but it also **ensures that your data is housed by centers that fulfill all the location, security, availability, scalability, and compliance requirements** of your organization: With the help of ZITADEL's highly distributed and **redundant system** spanning across **multiple regions** (multi-regional), as well as the use of serverless containers, we can guarantee **fast and easy scaling** to accommodate even the highest burst traffic with a short scaling time.


This article explains the role of data residency and centers in greater detail and list the factors you might want to consider when choosing a center region.

The Ultimate Guide to Choosing the Right Data Residency


Even if you have not heard of magic links, the chances are that you have already encountered them when signing up for third-party applications or websites. Simple yet effective, this **passwordless method** is convenient for end-users to confirm their identity and easy for developers to implement: Instead of having to enter a password, **a simple click is all it takes to log you in**.

Given its foolproof infrastructure and widespread use, one might think it would be unnecessary to change a winning team. Scratching beneath the surface, however, it soon becomes evident that **this method also has limitations**. While **we strongly recommend implementing password-free authentication** for every organization, as a relatively old passwordless method among ever-changing digital innovations, **magic links might no longer be the most secure alternative** for this purpose.

With this article, we aim to determine whether magic links are still viable as an authentication method or if you are better off using newer passwordless alternatives.

![](/blog/2022-06-22-magic-links-01.gif)

## What are magic links? – The Origins

"Magic Links" describe a **passwordless authentication method** that allows users to log in by **clicking a one-time link mailed or messaged to them rather than using their password**. This link is automatically sent to the provided email address upon toggling a login request on the platform. This simple but innovative process of users authenticating themselves by merely clicking a button may seem magical to some, thus the name.

Though no official record of the first use of this method seems to exist, research suggests that their **concept dates to [the early 2010s](https://lea.verou.me/2010/08/automatic-login-via-notification-emails/).** In the following years, as the problem with passwords started to arise slowly, various platforms started implementing two-factor authentication: In addition to entering a password, **2FA provides a secondary layer of security** by requiring the user to verify their identity via a second (passwordless) factor. One of the most used secondary factors at the time was a code sent via SMS or email. [In 2014](https://hacks.mozilla.org/2014/10/passwordless-authentication-secure-simple-and-fast-to-deploy/) however, a revolutionary new method started gaining traction that promises the same **high-end security features like 2FA,** **but by only relying on a single factor: Passwordless**. Since biometric characteristics were not yet as widespread as they are now (partially due to the older smartphone models), the most straightforward and low-tech solution proved to be the implementation of one-time links – or, as we call them today, magic links. Thus, in the mid-2010s, various platforms started to experiment with passwordless, one of the most notable examples being [Medium](https://blog.medium.com/signing-in-to-medium-by-email-aacc21134fcd), which sparked a debate regarding the legitimacy of this newly discovered login method.

## How do they work?

Contrary to what the name implies, magic links are only seemingly magical – in reality, they **operate using code, tokens and hash functions**. Akin to any other login process, it starts with the user visiting the respective platform or application with the desire to access it through their profile. The platform requests the user's email address upon navigating to the login page. Immediately **following the email submission, a token is generated and the magic link is formed**, which is automatically sent to the address in question. By clicking on the link, the user enables the application to **receive the query at its endpoint**, and thus the authentication process is completed.

## The advantages

Considering their widespread use, it is no surprise that **magic links have significant advantages for developers and end-users alike**. While the strengths of passwordless over password usage have already been discussed in greater detail, this list will merely focus on the pros of magic links over alternative passwordless methods.

- **Easy and affordable implementation**: Due to magic links' near-identical functionality to password resets, implementing them is merely a matter of making a few slight modifications in code. Thus, you do not have to worry about extra costs either.
- **Not device-dependent**: Unlike biometrics, which generally require devices capable of scanning the users' physical characteristics (f.e. fingerprint or face), or hardware tokens that must be plugged into a specific port, sign-ups via magic links have no such resource demands. They are therefore viable on any device with an internet connection.
- **Familiarity**: Since this technology has been used for password resets for a long time, end-users are likely already familiar with the functionality of magic links. This familiarity makes for an easy and transparent sign-up and login process.

## The disadvantages

While they have many advantages, **magic links are also not without their shortcomings compared to other passwordless options**.

- **Email Security**: If you frequently use magic links to log in, it is vital to also keep an eye on the security system surrounding your email account: Should someone gain access to another user's inbox, they simultaneously receive the keys to logging into profiles that run on magic links. Therefore, a single cyber-attack on your email could lead to unwanted activity on many of your utilized virtual services.
- **Email Provider**: Apart from the measures you take to protect your email account from unwanted access, the reliability of your used service is also worth evaluating. Since logins via magic links are heavily reliant on the user receiving the link, it is essential that the provider actually manages to deliver the awaited email.
- **Less convenient than other alternatives:** Apart from security, magic links also fall short compared to other passwordless methods in terms of login convenience. While the process is faster than MFA, magic links still require the user to leave the login screen instead of alternatives like biometrics or physical tokens.

## In conclusion

To answer the notorious question this article has posed regarding the viability of magic links; the answer is unfortunately not black-and-white. While magic links might still be considered a **safer authentication method than using plain passwords**, they ultimately seem to pose **more security risks than other passwordless options**.

Most of this method's disadvantages correlate to the fact that magic links **rely on a third-party service to handle a significant part of the authentication process**. Accordingly, even if the developer has made no mistakes in implementing a magic link-based login system, complications could still arise on the email provider's end. Additionally, while authentication processes via biometrics or physical tokens are dependent on specific device resources, they still have the **advantage of being either non-replicable or more challenging for other people to access**.

To sum it up: If you have a device capable of **authentication via a biometric factor or a physical token**, you might want to gravitate towards those options for maximum login convenience and account security. Alternatively, magic links are **still a relatively safe option for a familiar and facile login process**. In that case, however, it is strongly advised to protect your email account via highly secure authentication factors, to avoid unwanted activity on a multitude of your utilized virtual services.

Join the [GitHub Discussion](https://github.com/zitadel/zitadel/discussions/2075) if you are interested about the state of magic links in ZITADEL. Today ZITADEL supports Passwordless with FIDO2/WebAuthN and support of the upcoming Passkeys, this should give your users a secure and convenient alternative to classic magic links. You can send an email with a link to pair and onboard a FIDO2 compatible device or request a QR code to pair and onboard a FIDO2 compatible device.


Are magic links are still viable as an authentication method or are you better off using newer passwordless alternatives?

Magic Links – Are they Actually Outdated?


In 2010, only two years after Facebook's social login launch, 250 million users and two million third-party websites started using this new login alternative. With the introduction of many contemporary social identities over the years, it is no surprise that more and more platforms are continuously expanding their supply of available authentication options. The popularity of the social-login method is evident, given its convenient and user-friendly nature: It saves its users valuable time by not requiring the completion of a registration form and also spares them the effort of remembering yet another password.

As an authentication platform with the goal of the best possible user experience, ZITADEL strives to eliminate login inconveniences by **heavily expanding the number of its Identity Providers**: Very soon, every user will be assured a comfortable login via their preferred social identity. Whereas, thus far, ZITADEL has exclusively supported OIDC-compliant providers, it will soon remove this restriction to provide a **broader range of options, such as Apple ID, Microsoft Live, Github, Gitlab, and Microsoft Tenants (AzureAD).**

Besides the obvious advantage of increased login convenience, social logins were also proven superior in **enhancing business growth**. To adequately explain this unexpected correlation, it is essential to know how social logins work and how they benefit end-users and companies alike.

## How do social logins work?

Though there are many different providers for social logins (such as Facebook, Google, or Twitter), they all provide authentication in a near-identical fashion.

For them to work, the user must follow these simple steps:

- Upon entering the application or website, the user can **choose his preferred social network provider** (for example, Facebook).
- The website or app sends a **login request to the selected provider** directly, or ZITADEL relais this request to the chosen identity provider.
- Once the social provider confirms the user's identity, the user will **get access to the application**, and the registration process is completed. The selected method can now be used to log in at any time.

![](/blog/2022-06-15-social-logins-01.png)

## The benefits of social logins 

Implementing social logins can heavily enhance the user experience of an application. Some of the most notable **benefits for end-users** include:

- **Easy sign-up and sign-in:** Logins via Apple ID, Microsoft Live, or other identity providers are simple and only involve clicking a few buttons. This method is more convenient for the user than filling out a long registration form and manually logging in.
- **Less password reliant:** We all must remember an overwhelming number of passwords. Using a social login means users don't have to create and keep track of even more credentials. Thus, failed login attempts will be heavily reduced, and users will be less hesitant to sign up.
- **Raise trust:** A social login on your page provides a recognizable and uniform login method. Users will feel more comfortable sharing their data with unknown pages via identity providers they already trust.
- **Better mobile experience:** Dealing with passwords and usernames on your smartphone can be frustrating. Social logins help to make the mobile experience more enjoyable.

Due to its many perks, it is no surprise that countless end-users prefer to confirm their identity via a social login option: According to a study by ["loginradius,"](https://www.loginradius.com/blog/identity/social-login-infographic/) 70.69% of people aged 18-25 prefer social login over the traditional registration form. Accordingly, this simplified login method **can significantly enhance business growth by helping companies increase the number of customers creating accounts, thus** expanding their potential customer base. Not only are Social Logins effective in gaining new users, but also in retaining the existing ones: As claimed by ["Janrain" and "Blue."](https://paperform.co/ebook/Industry-Research-Value-of-Social-Login-2013.pdf), **65% of consumers are more likely to return to a website that automatically welcomes them through social login**.

Apart from higher conversion rates, **social logins further help your company by:**

- **Reducing stress on Support Teams:** The support team will spend less time dealing with security alerts or password requests from failed login attempts by switching to passwordless with social login.
- **Increasing login verification:** Social Logins add a layer of verification to login attempts by requiring confirmation from the chosen identity provider. Accordingly, it is more resilient to spam or harmful logins.
- **Reducing bounce rates:** Customers are more likely to abandon a site if they must fill out the traditional long registration form. The bounce rate can be reduced by making social login a possibility.
- **Simplifying Checkout:** For e-commerce applications, the simplicity of social logins can heavily increase the checkout experience. Thus, enabling them can lead to fewer abandoned carts and more purchases.

## Social logins via ZITADEL

Since every user has a preference for social networks, it is crucial for authentication solutions, such as ZITADEL, to provide a **broad selection of social identity providers**. By introducing a heavily expanded selection of social login templates, ZITADEL allows your application's users to sign in or up with just a few clicks, using their preferred identity.

It is advised to integrate your applications with an identity management platform like ZITADEL, which **can broker to many different identity providers out-of-the-box** instead of integrating providers individually in your apps. When using a central identity broker, you don't need to worry about maintaining your code across different technology stacks, as well as you get the added benefit of a central audit log and user repository.

ZITADEL will support **seven identity providers** (Google, Apple ID, Microsoft Live, Github, Gitlab, and AzureAD) that users can **individually configure and enable**. To maximize the previously mentioned benefits of social logins, it is advised to set up more than just one sign-up option on your platform.

These formerly mentioned social login methods are included in ZITADEL's basic plan and are therefore **entirely free for all users**.

Furthermore, the software doesn't require you to fully integrate every login provider separately: As an **[identity broker](https://zitadel.com/features#brokering)**, ZITADEL acts as a **trusted intermediary service** c**onnecting your projects with different identity providers** so that you only have to link the external identity providers to it. This feature is especially beneficial since embedding numerous Identity Providers directly into your apps is complex to maintain, time-consuming to set up, and hinders single-sign-on of users.

## The Takeaway

Social logins provide benefits to both your organization and your users. It boosts conversions, reduces the stress on your support teams, and simplifies the checkout for e-commerce brands. By expanding the number of supported identity providers, ZITADEL will ensure that all your users can effortlessly sign up for your platform with their preferred social identity.

We would love to hear your input on [which social logins](https://github.com/zitadel/zitadel/issues/2998) we should integrate first.

Should you have questions regarding social logins or any related (or unrelated) topics, please contact us anytime on our ZITADEL Discord Server. Alternatively, you can reach us on our Twitter, Linkedin, Github pages, or our website.

Don't forget to give us a star over on GitHub if you like the project. Thank you for the support.


Besides their obvious advantage of increased login convenience, social logins were also proven superior in enhancing business growth. To explain this correlation, it is essential to know how social logins work and how they benefit end-users and companies alike.

All posts/ #security