Identity Services
Identity services are authentication methods that allow users to verify their identity in the Specops Cloud. Resources and products within the Specops Cloud, such as uReset, Secure Service Desk, and the Specops Authentication admin pages, use authentication policies to define which identity services are required.
Most identity services require users to have a mobile phone, for example to receive a text message or use biometrics in an app to verify their identity. To authenticate with an identity service, users must first enroll in it through Specops Authentication. This applies to all user types, including end users, service desk agents, and tenant admins.
Enrollment
Identity services vary in both functionality and enrollment methods. An identity service can support one or more of the following enrollment types:
- Auto: The identity service becomes available automatically (pre-enrollment) when the required attributes or configuration are in place, without any action from the user or administrator. For example, if a user in Active Directory has a manager defined, they are automatically enrolled in Manager Verification.
- Admin: The identity service can be enrolled or provisioned by an administrator, which can reduce the burden on end users. Mobile Code is an example of an identity service that can be used without requiring user enrollment.
- User: The user must complete an enrollment step before the identity service can be used. Standard TOTP authenticators are an example.
Identity Services package types
Identity services are grouped into the following package types:
- Standard Identity Services: Built into Specops Authentication.
- Identity Verification Services: Built into Specops Authentication.
- 3rd Party Identity Services: External authentication providers that integrate with Specops Authentication.
- Federation Identity Services: Authentication handled by an external identity provider.
Standard Identity Services
The following identity services are available in the Standard package:
| Identity Service | Description | Auto | Admin | User |
|---|---|---|---|---|
| Specops:ID | Specops mobile authenticator app used for push and biometric authentication. | x | | |
| Specops Authenticator | Authentication using one-time codes generated in the Specops Authenticator mobile app. Note: This identity service is being phased out and will reach end of life in a future release. It is recommended to use Specops:ID. | x | | |
| Specops Fingerprint | Biometric authentication using the Specops mobile app (fingerprint or Face ID). Note: This identity service is being phased out and will reach end of life in a future release. It is recommended to use Specops:ID. | x | | |
| | Verification code sent to the user’s corporate email address. | x | | |
| Manager Identification | The user’s manager approves the authentication request via email or SMS. | x | | |
| Mobile Code (SMS) | One-time verification code sent to the user’s mobile phone via SMS. | x | x | x |
| Personal Email | Verification code sent to an alternate personal email address. | x | x | |
| Secret Questions | User answers pre-configured security questions. | x | x | |
| Trusted Network Location | Authentication based on whether the request originates from a trusted network. | x | | |
| Windows Identity | Authenticates using the user’s Windows session identity. | x | | |
Identity Verification Services
The following identity services are available in the Identity Verification package:
| Identity Service | Description | Auto | Admin | User |
|---|---|---|---|---|
| Specops Verified ID | Verifies user identity with government-issued ID and biometric liveness checks. Note: If date of birth matching is configured, users must be pre-enrolled by an administrator. | x | x | |
3rd Party Identity Services
The following identity services are available in the 3rd Party package:
| Identity Service | Description | Auto | Admin | User |
|---|---|---|---|---|
| Duo | Multi-factor authentication using Duo Security. | x | x | |
| Freja | Mobile electronic identification used for authentication in the Freja app. | x | x | |
| Google Authenticator | Authentication using one-time codes generated in the Google Authenticator app. | x | | |
| Microsoft Entra ID | Authentication via Microsoft Entra ID (Azure AD). | x | | |
| Microsoft Authenticator | Authentication using one-time codes generated in the Microsoft Authenticator app. | x | | |
| Mobile BankID | Swedish electronic identification used for authentication in the Mobile BankID app. | x | x | |
| Okta | Authentication via Okta identity provider. | x | x | |
| Passkeys | Passwordless authentication using FIDO passkeys. | x | | |
| PingID | Multi-factor authentication using Ping Identity. | x | x | |
| RSA SecurID | Authentication using RSA SecurID tokens. | x | x | |
| SITHS eID | Swedish electronic identification used in healthcare environments. | x | | |
| Symantec VIP | Authentication using Symantec VIP credentials. | x | x | |
| YubiKey | Hardware security key used for authentication. | x | x | |
Federation Identity Services
The following identity services are available in the Federation package:
| Identity Service | Description | Auto | Admin | User |
|---|---|---|---|---|
| Amazon | Authentication via Amazon identity provider. | x | | |
| Box | Authentication via Box identity provider. | x | | |
| Facebook | Authentication via Facebook identity provider. | x | | |
| Flickr | Authentication via Flickr identity provider. | x | | |
| Google | Authentication via Google identity provider. | x | | |
| Instagram | Authentication via Instagram identity provider. | x | | |
| LinkedIn | Authentication via LinkedIn identity provider. | x | | |
| Live | Authentication via Microsoft Live identity provider. | x | | |
| Salesforce | Authentication via Salesforce identity provider. | x | | |
| Tumblr | Authentication via Tumblr identity provider. | x | | |
| Twitter | Authentication via Twitter identity provider. | x | | |
Identity Services weight assignment
Once you know which identity services to use, assign each one a star value. The number of stars assigned to an identity service should reflect how secure it is considered to be. Consider the following when assigning a star value:
- Specops/Google/Microsoft Authenticator: These identity services are based on the TOTP standard (RFC 6238) and are considered high-security authentication methods because they use a possession factor: to obtain the generated verification code, the user must have the registered device at hand and open the authenticator application.
- Social identity services: As secure as the password policy complexity requirements of the external identity provider.
- Mobile Code (SMS): Uses a possession factor. Depending on device and notification settings, SMS messages may be visible on the lock screen. Organizations should evaluate whether SMS-based verification aligns with their security requirements and policies.
Also refer to Dynamic Multi-factor Authentication Policies.