Authentication
Backbuild supports enterprise authentication through single sign-on, mandatory multi-factor authentication (passkeys, TOTP, and email OTP), and configurable session and lockout policies. All authentication events are recorded in a tamper-evident audit log with user attribution.
Single sign-on
- SAML 2.0: supported for enterprise identity providers with signed assertions, audience validation, and replay protection.
- OpenID Connect: supported via standards-compliant OIDC with PKCE for authorization code flows, nonce and state validation, and ID token signature verification.
- Identity providers: any IdP that supports SAML 2.0 or OIDC can be configured. Common providers include Okta, Microsoft Entra ID, Google Workspace, and JumpCloud.
- Just-in-time provisioning: users are provisioned on first successful SSO authentication and mapped to organization-scoped roles per the customer's configuration.
- Identity unlinking: when an IdP link is removed, all active sessions belonging to that identity are revoked immediately.
Multi-factor authentication
- Mandatory MFA: all accounts are required to enroll in multi-factor authentication. Three methods are supported: passkeys (WebAuthn/FIDO2), time-based one-time passwords (TOTP), and email one-time passwords.
- IdP-asserted MFA: for SSO-authenticated users, Backbuild also verifies that MFA was used, via the OIDC amr claim or the SAML AuthnContextClassRef element.
- Per-organization policy: each organization can enable a require_mfa policy that rejects any authentication assertion that does not indicate MFA was performed.
- Enforcement point: MFA verification is enforced at login and for step-up authentication on sensitive operations.
- Audit: MFA method and assertion context are captured in the authentication audit log for later review.
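The require_mfa check described above, written out as an added illustration (this is not Backbuild's code). It evaluates an OIDC ID token's amr claim or a SAML AuthnContextClassRef value against a per-organization policy; the sets of amr values and authentication context classes that count as MFA are assumptions for the example, since which values an IdP emits is deployment-specific, and all inputs are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed allow-list: amr values (RFC 8176 names) treated as evidence of a
# second factor. "pwd" alone never satisfies the policy.
MFA_AMR_VALUES = frozenset({"mfa", "otp", "hwk", "swk", "fpt", "sms", "sc"})

# Assumed allow-list of SAML authentication context classes treated as MFA.
MFA_AUTHN_CONTEXTS = frozenset({
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI",
})


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str  # captured in the authentication audit log alongside the outcome


def evaluate_oidc(claims: dict, require_mfa: bool) -> Decision:
    """Apply require_mfa to the amr claim of an already signature-verified ID token."""
    amr = claims.get("amr")
    # A missing or malformed amr (not a JSON array) is treated as "no MFA evidence",
    # never as a pass: fail closed.
    if not isinstance(amr, list):
        amr = []
    factors = MFA_AMR_VALUES.intersection(amr)
    if factors:
        return Decision(True, f"amr={sorted(amr)} indicates MFA via {sorted(factors)}")
    if require_mfa:
        return Decision(False, f"require_mfa is set but amr={sorted(amr)} shows no MFA")
    return Decision(True, "MFA not required by organization policy")


def evaluate_saml(authn_context_class_ref: Optional[str], require_mfa: bool) -> Decision:
    """Apply require_mfa to the AuthnContextClassRef of a validated SAML assertion."""
    ref = (authn_context_class_ref or "").strip()
    if ref in MFA_AUTHN_CONTEXTS:
        return Decision(True, f"AuthnContextClassRef {ref} indicates MFA")
    if require_mfa:
        return Decision(False, f"require_mfa is set but AuthnContextClassRef is {ref or '<absent>'}")
    return Decision(True, "MFA not required by organization policy")


if __name__ == "__main__":
    # Constructed sample inputs: a password-plus-MFA token and a password-only token.
    print(evaluate_oidc({"sub": "u1", "amr": ["pwd", "mfa"]}, require_mfa=True))
    print(evaluate_oidc({"sub": "u2", "amr": ["pwd"]}, require_mfa=True))
```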
Session management
- Inactivity timeout: configurable per organization, with a default of 30 minutes of inactivity before the session must be re-authenticated.
- Absolute lifetime: sessions have a configurable absolute maximum lifetime after which re-authentication is required regardless of activity.
- Concurrent session limits: per-user concurrent session limits are planned. Organizations that require session limits today can enforce them through their IdP's session policies.
- Revocation: sessions can be revoked by administrators, by the user, or automatically when the underlying SSO identity is unlinked or disabled.
- Tokens: session tokens are JWTs with server-side validation. Tokens are transmitted only over TLS and are short-lived; refresh tokens are bound to server-side state so that revocation is immediate.
Account lockout
Ten consecutive failed SSO authentication attempts trigger a 30-minute account lockout for the affected user. This threshold is aligned with PCI DSS v4.0 requirement 8.3.4. Administrators can review lockout events and, where appropriate, unlock accounts through a documented process that is itself audit logged.
Authentication audit logging
- Every successful and failed authentication event is recorded with user identifier, source IP, user agent, timestamp, outcome, and MFA assertion context.
- Session creation, refresh, and revocation events are recorded.
- Administrative actions on authentication (policy changes, lockouts, unlocks, identity unlinks) are recorded with the administrator's identity.
- Authentication logs are written to a tamper-evident, hash-chained audit store.
Contact
SSO configuration help or authentication questions: security@backbuild.ai