Access to the EnOS service APIs and portal require authentication. EnOS provides integration with customers’ user registries that supports LDAP, such as the Windows Directory Server. EnOS uses several types of credentials for authentication. These include 1) passwords, 2) cryptographic keys, 3) digital signatures, and 4) certificates. EnOS also provides the option of requiring 5) multi-factor authentication (MFA) to log in to the portal.
Passwords are required to access the EnOS portal. If the customer’s organizational user registry is not used for authentication, customers may specify the password when they first create the account, and they can change it at any time. Password complexity policy may be applied to force users to create strong passwords that cannot be easily guessed.
Multi-Factor Authentication (MFA)¶
MFA is an additional layer of security for accessing the EnOS portal. When this optional feature is enabled, users will be prompted to provide a six-digit single-use code in addition to the user name and password credentials before access is granted. The user will receive this single-use code via SMS or email.
EnOS requires that all API requests be signed — that is, they must include a digital signature that the platform can use to verify the identity of the requestor. Application developers calculate the digital signature using a cryptographic hash function. The input to the hash function in this case includes the text of the request and the secret access key.
Not only does the signing process help protect message integrity by preventing tampering with the request while it is in transit, it also helps protect against potential replay attacks. A request must reach the EnOS services within 15 minutes of the time stamp in the request. Otherwise, the platform denies the request.
Virtual machine instances are created with a public/private key pair rather than a password for signing in via Secure Shell (SSH). The public key is embedded in the virtual machine instance, and users use the private key to sign in securely without a password.
X.509 certificates are used to sign SOAP-based requests. X.509 certificates contain a public key and additional metadata (an expiration date that EnOS verifies when applications upload the certificate, for example), and is associated with a private key. When an application creates a request, it creates a digital signature with the private key and then include that signature in the request, along with the certificate. The EnOS verifies the sender by decrypting the signature with the public key that is in the certificate. The platform also verifies that the certificate the application sent matches the certificate that is uploaded.